Mercurial > dropbear

comparison options.h @ 1295:750ec4ec4cbe

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Convert #ifdef to #if, other build changes
author Matt Johnston <matt@ucc.asn.au>
date Wed, 04 May 2016 15:33:40 +0200
parents 56aba7dedbea
children 4f8eb331174f
comparison
equal deleted inserted replaced
1294:56aba7dedbea 1295:750ec4ec4cbe
1 /* Dropbear SSH 1 #ifndef DROPBEAR_OPTIONS_H
2 * Copyright (c) 2002,2003 Matt Johnston 2 #define DROPBEAR_OPTIONS_H
3 * All rights reserved. See LICENSE for the license. */
4 3
5 #ifndef DROPBEAR_OPTIONS_H_ 4 /*
6 #define DROPBEAR_OPTIONS_H_ 5 Local compile-time configuration should be defined in localoptions.h
6 See default_options.h.in for a description of the available options.
7 */
7 8
8 /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" 9 #ifdef LOCALOPTIONS_H_EXISTS
9 * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ 10 #include "localoptions.h"
10
11 /* IMPORTANT: Many options will require "make clean" after changes */
12
13 #ifndef DROPBEAR_DEFPORT
14 #define DROPBEAR_DEFPORT "22"
15 #endif 11 #endif
16 12
17 #ifndef DROPBEAR_DEFADDRESS 13 #include "default_options.h"
18 /* Listen on all interfaces */
19 #define DROPBEAR_DEFADDRESS ""
20 #endif
21 14
22 /* Default hostkey paths - these can be specified on the command line */ 15 /* Some other defines that mostly should be left alone are defined
23 #ifndef DSS_PRIV_FILENAME
24 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
25 #endif
26 #ifndef RSA_PRIV_FILENAME
27 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
28 #endif
29 #ifndef ECDSA_PRIV_FILENAME
30 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
31 #endif
32
33 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
34 * on chosen ports and keeps accepting connections. This is the default.
35 *
36 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
37 * similar), where it will use stdin/stdout for connections, and each process
38 * lasts for a single connection. Dropbear should be invoked with the -i flag
39 * for inetd, and can only accept IPv4 connections.
40 *
41 * Both of these flags can be defined at once, don't compile without at least
42 * one of them. */
43 #define NON_INETD_MODE
44 #define INETD_MODE
45
46 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
47 * perhaps 20% slower for pubkey operations (it is probably worth experimenting
48 * if you want to use this) */
49 /*#define NO_FAST_EXPTMOD*/
50
51 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
52 several kB in binary size however will make the symmetrical ciphers and hashes
53 slower, perhaps by 50%. Recommended for small systems that aren't doing
54 much traffic. */
55 #define DROPBEAR_SMALL_CODE
56
57 /* Enable X11 Forwarding - server only */
58 #define ENABLE_X11FWD
59
60 /* Enable TCP Fowarding */
61 /* 'Local' is "-L" style (client listening port forwarded via server)
62 * 'Remote' is "-R" style (server listening port forwarded via client) */
63
64 #define ENABLE_CLI_LOCALTCPFWD
65 #define ENABLE_CLI_REMOTETCPFWD
66
67 #define ENABLE_SVR_LOCALTCPFWD
68 #define ENABLE_SVR_REMOTETCPFWD
69
70 /* Enable Authentication Agent Forwarding */
71 #define ENABLE_SVR_AGENTFWD
72 #define ENABLE_CLI_AGENTFWD
73
74
75 /* Note: Both ENABLE_CLI_PROXYCMD and ENABLE_CLI_NETCAT must be set to
76 * allow multihop dbclient connections */
77
78 /* Allow using -J <proxycommand> to run the connection through a
79 pipe to a program, rather the normal TCP connection */
80 #define ENABLE_CLI_PROXYCMD
81
82 /* Enable "Netcat mode" option. This will forward standard input/output
83 * to a remote TCP-forwarded connection */
84 #define ENABLE_CLI_NETCAT
85
86 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
87 #define ENABLE_USER_ALGO_LIST
88
89 /* Encryption - at least one required.
90 * Protocol RFC requires 3DES and recommends AES128 for interoperability.
91 * Including multiple keysize variants the same cipher
92 * (eg AES256 as well as AES128) will result in a minimal size increase.*/
93 #define DROPBEAR_AES128
94 #define DROPBEAR_3DES
95 #define DROPBEAR_AES256
96 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
97 /*#define DROPBEAR_BLOWFISH*/
98 #define DROPBEAR_TWOFISH256
99 #define DROPBEAR_TWOFISH128
100
101 /* Enable CBC mode for ciphers. This has security issues though
102 * is the most compatible with older SSH implementations */
103 #define DROPBEAR_ENABLE_CBC_MODE
104
105 /* Enable "Counter Mode" for ciphers. This is more secure than normal
106 * CBC mode against certain attacks. It is recommended for security
107 * and forwards compatibility */
108 #define DROPBEAR_ENABLE_CTR_MODE
109
110 /* Twofish counter mode is disabled by default because it
111 has not been tested for interoperability with other SSH implementations.
112 If you test it please contact the Dropbear author */
113 /* #define DROPBEAR_TWOFISH_CTR */
114
115 /* You can compile with no encryption if you want. In some circumstances
116 * this could be safe security-wise, though make sure you know what
117 * you're doing. Anyone can see everything that goes over the wire, so
118 * the only safe auth method is public key. */
119 /* #define DROPBEAR_NONE_CIPHER */
120
121 /* Message Integrity - at least one required.
122 * Protocol RFC requires sha1 and recommends sha1-96.
123 * sha1-96 is of use for slow links as it has a smaller overhead.
124 *
125 * There's no reason to disable sha1 or sha1-96 to save space since it's
126 * used for the random number generator and public-key cryptography anyway.
127 * Disabling it here will just stop it from being used as the integrity portion
128 * of the ssh protocol.
129 *
130 * These hashes are also used for public key fingerprints in logs.
131 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
132 * which are not the standard form. */
133 #define DROPBEAR_SHA1_HMAC
134 #define DROPBEAR_SHA1_96_HMAC
135 #define DROPBEAR_SHA2_256_HMAC
136 #define DROPBEAR_SHA2_512_HMAC
137 #define DROPBEAR_MD5_HMAC
138
139 /* You can also disable integrity. Don't bother disabling this if you're
140 * still using a cipher, it's relatively cheap. If you disable this it's dead
141 * simple for an attacker to run arbitrary commands on the remote host. Beware. */
142 /* #define DROPBEAR_NONE_INTEGRITY */
143
144 /* Hostkey/public key algorithms - at least one required, these are used
145 * for hostkey as well as for verifying signatures with pubkey auth.
146 * Removing either of these won't save very much space.
147 * SSH2 RFC Draft requires dss, recommends rsa */
148 #define DROPBEAR_RSA
149 #define DROPBEAR_DSS
150 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
151 * code (either ECDSA or ECDH) increases binary size - around 30kB
152 * on x86-64 */
153 //#define DROPBEAR_ECDSA
154
155 /* Generate hostkeys as-needed when the first connection using that key type occurs.
156 This avoids the need to otherwise run "dropbearkey" and avoids some problems
157 with badly seeded /dev/urandom when systems first boot.
158 This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly
159 anything if dropbearkey is linked in a "dropbearmulti" binary) */
160 #define DROPBEAR_DELAY_HOSTKEY
161
162 /* Enable Curve25519 for key exchange. This is another elliptic
163 * curve method with good security properties. Increases binary size
164 * by ~8kB on x86-64 */
165 #define DROPBEAR_CURVE25519
166
167 /* Enable elliptic curve Diffie Hellman key exchange, see note about
168 * ECDSA above */
169 #define DROPBEAR_ECDH
170
171 /* Key exchange algorithm.
172 * group14_sha1 - 2048 bit, sha1
173 * group14_sha256 - 2048 bit, sha2-256
174 * group16 - 4096 bit, sha2-512
175 * group1 - 1024 bit, sha1
176 *
177 * group14 is supported by most implementations.
178 * group16 provides a greater strength level but is slower and increases binary size
179 * group1 is too small for security though is necessary if you need
180 compatibility with some implementations such as Dropbear versions < 0.53
181 */
182 #define DROPBEAR_DH_GROUP1 1
183 #define DROPBEAR_DH_GROUP14_SHA1 1
184 #define DROPBEAR_DH_GROUP14_SHA256 1
185 #define DROPBEAR_DH_GROUP16 0
186
187 /* Control the memory/performance/compression tradeoff for zlib.
188 * Set windowBits=8 for least memory usage, see your system's
189 * zlib.h for full details.
190 * Default settings (windowBits=15) will use 256kB for compression
191 * windowBits=8 will use 129kB for compression.
192 * Both modes will use ~35kB for decompression (using windowBits=15 for
193 * interoperability) */
194 #ifndef DROPBEAR_ZLIB_WINDOW_BITS
195 #define DROPBEAR_ZLIB_WINDOW_BITS 15
196 #endif
197
198 /* Server won't allow zlib compression until after authentication. Prevents
199 flaws in the zlib library being unauthenticated exploitable flaws.
200 Some old ssh clients may not support the alternative [email protected] method */
201 #define DROPBEAR_SERVER_DELAY_ZLIB 1
202
203 /* Whether to do reverse DNS lookups. */
204 /*#define DO_HOST_LOOKUP */
205
206 /* Whether to print the message of the day (MOTD). This doesn't add much code
207 * size */
208 #define DO_MOTD
209
210 /* The MOTD file path */
211 #ifndef MOTD_FILENAME
212 #define MOTD_FILENAME "/etc/motd"
213 #endif
214
215 /* Authentication Types - at least one required.
216 RFC Draft requires pubkey auth, and recommends password */
217
218 /* Note: PAM auth is quite simple and only works for PAM modules which just do
219 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
220 * It's useful for systems like OS X where standard password crypts don't work
221 * but there's an interface via a PAM module. It won't work for more complex
222 * PAM challenge/response.
223 * You can't enable both PASSWORD and PAM. */
224
225 /* This requires crypt() */
226 #ifdef HAVE_CRYPT
227 #define ENABLE_SVR_PASSWORD_AUTH
228 #endif
229 /* PAM requires ./configure --enable-pam */
230 /*#define ENABLE_SVR_PAM_AUTH */
231 #define ENABLE_SVR_PUBKEY_AUTH
232
233 /* Whether to take public key options in
234 * authorized_keys file into account */
235 #ifdef ENABLE_SVR_PUBKEY_AUTH
236 #define ENABLE_SVR_PUBKEY_OPTIONS
237 #endif
238
239 /* This requires getpass. */
240 #ifdef HAVE_GETPASS
241 #define ENABLE_CLI_PASSWORD_AUTH
242 #define ENABLE_CLI_INTERACT_AUTH
243 #endif
244 #define ENABLE_CLI_PUBKEY_AUTH
245
246 /* A default argument for dbclient -i <privatekey>.
247 Homedir is prepended unless path begins with / */
248 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
249
250 /* This variable can be used to set a password for client
251 * authentication on the commandline. Beware of platforms
252 * that don't protect environment variables of processes etc. Also
253 * note that it will be provided for all "hidden" client-interactive
254 * style prompts - if you want something more sophisticated, use
255 * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
256 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
257
258 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
259 * a helper program for the ssh client. The helper program should be
260 * specified in the SSH_ASKPASS environment variable, and dbclient
261 * should be run with DISPLAY set and no tty. The program should
262 * return the password on standard output */
263 /*#define ENABLE_CLI_ASKPASS_HELPER*/
264
265 /* Save a network roundtrip by sendng a real auth request immediately after
266 * sending a query for the available methods. It is at the expense of < 100
267 * bytes of extra network traffic. This is not yet enabled by default since it
268 * could cause problems with non-compliant servers */
269 /* #define DROPBEAR_CLI_IMMEDIATE_AUTH */
270
271 /* Source for randomness. This must be able to provide hundreds of bytes per SSH
272 * connection without blocking. In addition /dev/random is used for seeding
273 * rsa/dss key generation */
274 #define DROPBEAR_URANDOM_DEV "/dev/urandom"
275
276 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
277 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
278
279
280 /* Specify the number of clients we will allow to be connected but
281 * not yet authenticated. After this limit, connections are rejected */
282 /* The first setting is per-IP, to avoid denial of service */
283 #ifndef MAX_UNAUTH_PER_IP
284 #define MAX_UNAUTH_PER_IP 5
285 #endif
286
287 /* And then a global limit to avoid chewing memory if connections
288 * come from many IPs */
289 #ifndef MAX_UNAUTH_CLIENTS
290 #define MAX_UNAUTH_CLIENTS 30
291 #endif
292
293 /* Maximum number of failed authentication tries (server option) */
294 #ifndef MAX_AUTH_TRIES
295 #define MAX_AUTH_TRIES 10
296 #endif
297
298 /* The default file to store the daemon's process ID, for shutdown
299 scripts etc. This can be overridden with the -P flag */
300 #ifndef DROPBEAR_PIDFILE
301 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
302 #endif
303
304 /* The command to invoke for xauth when using X11 forwarding.
305 * "-q" for quiet */
306 #ifndef XAUTH_COMMAND
307 #define XAUTH_COMMAND "/usr/bin/xauth -q"
308 #endif
309
310 /* if you want to enable running an sftp server (such as the one included with
311 * OpenSSH), set the path below. If the path isn't defined, sftp will not
312 * be enabled */
313 #ifndef SFTPSERVER_PATH
314 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
315 #endif
316
317 /* This is used by the scp binary when used as a client binary. If you're
318 * not using the Dropbear client, you'll need to change it */
319 #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
320
321 /* Whether to log commands executed by a client. This only logs the
322 * (single) command sent to the server, not what a user did in a
323 * shell/sftp session etc. */
324 /* #define LOG_COMMANDS */
325
326 /* Window size limits. These tend to be a trade-off between memory
327 usage and network performance: */
328 /* Size of the network receive window. This amount of memory is allocated
329 as a per-channel receive buffer. Increasing this value can make a
330 significant difference to network performance. 24kB was empirically
331 chosen for a 100mbit ethernet network. The value can be altered at
332 runtime with the -W argument. */
333 #ifndef DEFAULT_RECV_WINDOW
334 #define DEFAULT_RECV_WINDOW 24576
335 #endif
336 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
337 in order to interoperate with other implementations */
338 #ifndef RECV_MAX_PAYLOAD_LEN
339 #define RECV_MAX_PAYLOAD_LEN 32768
340 #endif
341 /* Maximum size of a transmitted data packet - this can be any value,
342 though increasing it may not make a significant difference. */
343 #ifndef TRANS_MAX_PAYLOAD_LEN
344 #define TRANS_MAX_PAYLOAD_LEN 16384
345 #endif
346
347 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
348 be overridden at runtime with -K. 0 disables keepalives */
349 #define DEFAULT_KEEPALIVE 0
350
351 /* If this many KEEPALIVES are sent with no packets received from the
352 other side, exit. Not run-time configurable - if you have a need
353 for runtime configuration please mail the Dropbear list */
354 #define DEFAULT_KEEPALIVE_LIMIT 3
355
356 /* Ensure that data is received within IDLE_TIMEOUT seconds. This can
357 be overridden at runtime with -I. 0 disables idle timeouts */
358 #define DEFAULT_IDLE_TIMEOUT 0
359
360 /* The default path. This will often get replaced by the shell */
361 #define DEFAULT_PATH "/usr/bin:/bin"
362
363 /* Some other defines (that mostly should be left alone) are defined
364 * in sysoptions.h */ 16 * in sysoptions.h */
365 #include "sysoptions.h" 17 #include "sysoptions.h"
366 18
367 #endif /* DROPBEAR_OPTIONS_H_ */ 19 #endif /* DROPBEAR_OPTIONS_H */