comparison options.h @ 297:79bf1023cf11 agent-client
propagate from branch 'au.asn.ucc.matt.dropbear' (head 0501e6f661b5415eb76f3b312d183c3adfbfb712)
to branch 'au.asn.ucc.matt.dropbear.cli-agent' (head 01038174ec27245b51bd43a66c01ad930880f67b)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 21 Mar 2006 16:20:59 +0000 |
parents | ca7e76d981d9 55a99934db87 |
children | c1e9c81d1d27 |
225:ca7e76d981d9 | 297:79bf1023cf11 |
---|---|
61 /* Enable Authentication Agent Forwarding - server only for now */ | 61 /* Enable Authentication Agent Forwarding - server only for now */ |
62 #define ENABLE_SVR_AGENTFWD | 62 #define ENABLE_SVR_AGENTFWD |
63 #define ENABLE_CLI_AGENTFWD | 63 #define ENABLE_CLI_AGENTFWD |
64 | 64 |
65 /* Encryption - at least one required. | 65 /* Encryption - at least one required. |
66 * RFC Draft requires 3DES, and recommends Blowfish, AES128 & Twofish128 */ | 66 * RFC Draft requires 3DES and recommends AES128 for interoperability. |
67 * Including multiple keysize variants the same cipher | |
68 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ | |
67 #define DROPBEAR_AES128_CBC | 69 #define DROPBEAR_AES128_CBC |
70 #define DROPBEAR_3DES_CBC | |
71 #define DROPBEAR_AES256_CBC | |
68 #define DROPBEAR_BLOWFISH_CBC | 72 #define DROPBEAR_BLOWFISH_CBC |
73 #define DROPBEAR_TWOFISH256_CBC | |
69 #define DROPBEAR_TWOFISH128_CBC | 74 #define DROPBEAR_TWOFISH128_CBC |
70 #define DROPBEAR_3DES_CBC | 75 |
71 | 76 /* Message Integrity - at least one required. |
72 /* Integrity - at least one required. | 77 * RFC Draft requires sha1 and recommends sha1-96. |
73 * RFC Draft requires sha1-hmac, and recommends md5-hmac. | 78 * sha1-96 may be of use for slow links, as it has a smaller overhead. |
74 * | 79 * |
75 * Note: there's no point disabling sha1 to save space, since it's used in the | 80 * Note: there's no point disabling sha1 to save space, since it's used |
76 * for the random number generator and public-key cryptography anyway. | 81 * for the random number generator and public-key cryptography anyway. |
77 * Disabling it here will just stop it from being used as the integrity portion | 82 * Disabling it here will just stop it from being used as the integrity portion |
78 * of the ssh protocol. | 83 * of the ssh protocol. |
79 * | 84 * |
80 * These are also used for key fingerprints in logs (when pubkey auth is used), | 85 * These hashes are also used for public key fingerprints in logs. |
81 * MD5 fingerprints are printed if available, however SHA1 fingerprints will be | 86 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, |
82 * generated otherwise. This isn't exactly optimal, although SHA1 fingerprints | 87 * which are not the standard form. */ |
83 * are not too hard to create from pubkeys if required. */ | |
84 #define DROPBEAR_SHA1_HMAC | 88 #define DROPBEAR_SHA1_HMAC |
89 #define DROPBEAR_SHA1_96_HMAC | |
85 #define DROPBEAR_MD5_HMAC | 90 #define DROPBEAR_MD5_HMAC |
86 | 91 |
87 /* Hostkey/public key algorithms - at least one required, these are used | 92 /* Hostkey/public key algorithms - at least one required, these are used |
88 * for hostkey as well as for verifying signatures with pubkey auth. | 93 * for hostkey as well as for verifying signatures with pubkey auth. |
89 * Removing either of these won't save very much space. | 94 * Removing either of these won't save very much space. |
122 * It's useful for systems like OS X where standard password crypts don't work, | 127 * It's useful for systems like OS X where standard password crypts don't work, |
123 * but there's an interface via a PAM module - don't bother using it otherwise. | 128 * but there's an interface via a PAM module - don't bother using it otherwise. |
124 * You can't enable both PASSWORD and PAM. */ | 129 * You can't enable both PASSWORD and PAM. */ |
125 | 130 |
126 #define ENABLE_SVR_PASSWORD_AUTH | 131 #define ENABLE_SVR_PASSWORD_AUTH |
127 /*#define ENABLE_SVR_PAM_AUTH*/ | 132 /* #define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */ |
128 #define ENABLE_SVR_PUBKEY_AUTH | 133 #define ENABLE_SVR_PUBKEY_AUTH |
129 | 134 |
130 #define ENABLE_CLI_PASSWORD_AUTH | 135 #define ENABLE_CLI_PASSWORD_AUTH |
131 #define ENABLE_CLI_PUBKEY_AUTH | 136 #define ENABLE_CLI_PUBKEY_AUTH |
137 #define ENABLE_CLI_INTERACT_AUTH | |
132 | 138 |
133 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of | 139 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of |
134 * a helper program for the ssh client. The helper program should be | 140 * a helper program for the ssh client. The helper program should be |
135 * specified in the SSH_ASKPASS environment variable, and dbclient | 141 * specified in the SSH_ASKPASS environment variable, and dbclient |
136 * should be run with DISPLAY set and no tty. The program should | 142 * should be run with DISPLAY set and no tty. The program should |
154 /* prngd must be manually set up to produce output */ | 160 /* prngd must be manually set up to produce output */ |
155 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ | 161 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ |
156 | 162 |
157 /* Specify the number of clients we will allow to be connected but | 163 /* Specify the number of clients we will allow to be connected but |
158 * not yet authenticated. After this limit, connections are rejected */ | 164 * not yet authenticated. After this limit, connections are rejected */ |
165 /* The first setting is per-IP, to avoid denial of service */ | |
166 #ifndef MAX_UNAUTH_PER_IP | |
167 #define MAX_UNAUTH_PER_IP 5 | |
168 #endif | |
169 | |
170 /* And then a global limit to avoid chewing memory if connections | |
171 * come from many IPs */ | |
159 #ifndef MAX_UNAUTH_CLIENTS | 172 #ifndef MAX_UNAUTH_CLIENTS |
160 #define MAX_UNAUTH_CLIENTS 30 | 173 #define MAX_UNAUTH_CLIENTS 30 |
161 #endif | 174 #endif |
162 | 175 |
163 /* Maximum number of failed authentication tries (server option) */ | 176 /* Maximum number of failed authentication tries (server option) */ |
193 /******************************************************************* | 206 /******************************************************************* |
194 * You shouldn't edit below here unless you know you need to. | 207 * You shouldn't edit below here unless you know you need to. |
195 *******************************************************************/ | 208 *******************************************************************/ |
196 | 209 |
197 #ifndef DROPBEAR_VERSION | 210 #ifndef DROPBEAR_VERSION |
198 #define DROPBEAR_VERSION "0.46" | 211 #define DROPBEAR_VERSION "0.48" |
199 #endif | 212 #endif |
200 | 213 |
201 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION | 214 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION |
202 #define PROGNAME "dropbear" | 215 #define PROGNAME "dropbear" |
203 | 216 |
237 | 250 |
238 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified, | 251 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified, |
239 ipv4 and ipv6 don't count twice */ | 252 ipv4 and ipv6 don't count twice */ |
240 | 253 |
241 #define _PATH_TTY "/dev/tty" | 254 #define _PATH_TTY "/dev/tty" |
255 | |
256 #define _PATH_CP "/bin/cp" | |
242 | 257 |
243 /* Timeouts in seconds */ | 258 /* Timeouts in seconds */ |
244 #define SELECT_TIMEOUT 20 | 259 #define SELECT_TIMEOUT 20 |
245 | 260 |
246 /* success/failure defines */ | 261 /* success/failure defines */ |
272 | 287 |
273 /* largest of MD5 and SHA1 */ | 288 /* largest of MD5 and SHA1 */ |
274 #define MAX_MAC_LEN SHA1_HASH_SIZE | 289 #define MAX_MAC_LEN SHA1_HASH_SIZE |
275 | 290 |
276 | 291 |
277 #define MAX_KEY_LEN 24 /* 3DES requires a 24 byte key */ | 292 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */ |
278 #define MAX_IV_LEN 20 /* must be same as max blocksize, | 293 #define MAX_IV_LEN 20 /* must be same as max blocksize, |
279 and >= SHA1_HASH_SIZE */ | 294 and >= SHA1_HASH_SIZE */ |
280 #define MAX_MAC_KEY 20 | 295 #define MAX_MAC_KEY 20 |
281 | 296 |
282 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't | 297 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't |
299 #define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */ | 314 #define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */ |
300 | 315 |
301 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also | 316 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also |
302 is the max length for a password etc */ | 317 is the max length for a password etc */ |
303 | 318 |
304 /* For a 4096 bit DSS key, empirically determined to be 1590 bytes */ | 319 /* For a 4096 bit DSS key, empirically determined */ |
305 #define MAX_PUBKEY_SIZE 1600 | 320 #define MAX_PUBKEY_SIZE 1700 |
306 /* For a 4096 bit DSS key, empirically determined to be 1590 bytes */ | 321 /* For a 4096 bit DSS key, empirically determined */ |
307 #define MAX_PRIVKEY_SIZE 1600 | 322 #define MAX_PRIVKEY_SIZE 1700 |
323 | |
324 /* The maximum size of the bignum portion of the kexhash buffer */ | |
325 /* Sect. 8 of the transport draft, K_S + e + f + K */ | |
326 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130) | |
308 | 327 |
309 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit | 328 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit |
310 in a few years time.... */ | 329 in a few years time.... */ |
311 | 330 |
312 #define DROPBEAR_MAX_CLI_PASS 1024 | 331 #define DROPBEAR_MAX_CLI_PASS 1024 |
332 | |
333 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll | |
334 accept for keyb-interactive | |
335 auth */ | |
336 | |
337 #if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC) | |
338 #define DROPBEAR_AES_CBC | |
339 #endif | |
340 | |
341 #if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC) | |
342 #define DROPBEAR_TWOFISH_CBC | |
343 #endif | |
313 | 344 |
314 #ifndef ENABLE_X11FWD | 345 #ifndef ENABLE_X11FWD |
315 #define DISABLE_X11FWD | 346 #define DISABLE_X11FWD |
316 #endif | 347 #endif |
317 | 348 |
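Review bot: `#define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)` at new line 326 hard-codes the same 1700 that this hunk sets as `MAX_PUBKEY_SIZE` a few lines above, so the two bounds can silently drift apart the next time the key-size limit is raised (this hunk already moved it from 1600). Since the comment names the first term as K_S, writing it as `#define KEXHASHBUF_MAX_INTS (MAX_PUBKEY_SIZE + 130 + 130 + 130)` keeps the kexhash buffer bound tied to the host-key bound it is meant to cover. The three `130` terms are presumably sized for e, f and K of the DH group currently in use; a one-line comment stating which group size they assume would let a reader re-check them if a larger group is ever enabled. Whether the code that consumes this constant checks the bound itself is not visible on this page, so this is raised as a maintenance concern rather than a demonstrated overflow.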