comparison options.h @ 297:79bf1023cf11 agent-client

propagate from branch 'au.asn.ucc.matt.dropbear' (head 0501e6f661b5415eb76f3b312d183c3adfbfb712) to branch 'au.asn.ucc.matt.dropbear.cli-agent' (head 01038174ec27245b51bd43a66c01ad930880f67b)
author Matt Johnston <matt@ucc.asn.au>
date Tue, 21 Mar 2006 16:20:59 +0000
parents ca7e76d981d9 55a99934db87
children c1e9c81d1d27
225:ca7e76d981d9 297:79bf1023cf11
61 /* Enable Authentication Agent Forwarding - server only for now */ 61 /* Enable Authentication Agent Forwarding - server only for now */
62 #define ENABLE_SVR_AGENTFWD 62 #define ENABLE_SVR_AGENTFWD
63 #define ENABLE_CLI_AGENTFWD 63 #define ENABLE_CLI_AGENTFWD
64 64
65 /* Encryption - at least one required. 65 /* Encryption - at least one required.
66 * RFC Draft requires 3DES, and recommends Blowfish, AES128 & Twofish128 */ 66 * RFC Draft requires 3DES and recommends AES128 for interoperability.
67 * Including multiple keysize variants the same cipher
68 * (eg AES256 as well as AES128) will result in a minimal size increase.*/
67 #define DROPBEAR_AES128_CBC 69 #define DROPBEAR_AES128_CBC
70 #define DROPBEAR_3DES_CBC
71 #define DROPBEAR_AES256_CBC
68 #define DROPBEAR_BLOWFISH_CBC 72 #define DROPBEAR_BLOWFISH_CBC
73 #define DROPBEAR_TWOFISH256_CBC
69 #define DROPBEAR_TWOFISH128_CBC 74 #define DROPBEAR_TWOFISH128_CBC
70 #define DROPBEAR_3DES_CBC 75
71 76 /* Message Integrity - at least one required.
72 /* Integrity - at least one required. 77 * RFC Draft requires sha1 and recommends sha1-96.
73 * RFC Draft requires sha1-hmac, and recommends md5-hmac. 78 * sha1-96 may be of use for slow links, as it has a smaller overhead.
74 * 79 *
75 * Note: there's no point disabling sha1 to save space, since it's used in the 80 * Note: there's no point disabling sha1 to save space, since it's used
76 * for the random number generator and public-key cryptography anyway. 81 * for the random number generator and public-key cryptography anyway.
77 * Disabling it here will just stop it from being used as the integrity portion 82 * Disabling it here will just stop it from being used as the integrity portion
78 * of the ssh protocol. 83 * of the ssh protocol.
79 * 84 *
80 * These are also used for key fingerprints in logs (when pubkey auth is used), 85 * These hashes are also used for public key fingerprints in logs.
81 * MD5 fingerprints are printed if available, however SHA1 fingerprints will be 86 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
82 * generated otherwise. This isn't exactly optimal, although SHA1 fingerprints 87 * which are not the standard form. */
83 * are not too hard to create from pubkeys if required. */
84 #define DROPBEAR_SHA1_HMAC 88 #define DROPBEAR_SHA1_HMAC
89 #define DROPBEAR_SHA1_96_HMAC
85 #define DROPBEAR_MD5_HMAC 90 #define DROPBEAR_MD5_HMAC
86 91
87 /* Hostkey/public key algorithms - at least one required, these are used 92 /* Hostkey/public key algorithms - at least one required, these are used
88 * for hostkey as well as for verifying signatures with pubkey auth. 93 * for hostkey as well as for verifying signatures with pubkey auth.
89 * Removing either of these won't save very much space. 94 * Removing either of these won't save very much space.
122 * It's useful for systems like OS X where standard password crypts don't work, 127 * It's useful for systems like OS X where standard password crypts don't work,
123 * but there's an interface via a PAM module - don't bother using it otherwise. 128 * but there's an interface via a PAM module - don't bother using it otherwise.
124 * You can't enable both PASSWORD and PAM. */ 129 * You can't enable both PASSWORD and PAM. */
125 130
126 #define ENABLE_SVR_PASSWORD_AUTH 131 #define ENABLE_SVR_PASSWORD_AUTH
127 /*#define ENABLE_SVR_PAM_AUTH*/ 132 /* #define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */
128 #define ENABLE_SVR_PUBKEY_AUTH 133 #define ENABLE_SVR_PUBKEY_AUTH
129 134
130 #define ENABLE_CLI_PASSWORD_AUTH 135 #define ENABLE_CLI_PASSWORD_AUTH
131 #define ENABLE_CLI_PUBKEY_AUTH 136 #define ENABLE_CLI_PUBKEY_AUTH
137 #define ENABLE_CLI_INTERACT_AUTH
132 138
133 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of 139 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
134 * a helper program for the ssh client. The helper program should be 140 * a helper program for the ssh client. The helper program should be
135 * specified in the SSH_ASKPASS environment variable, and dbclient 141 * specified in the SSH_ASKPASS environment variable, and dbclient
136 * should be run with DISPLAY set and no tty. The program should 142 * should be run with DISPLAY set and no tty. The program should
154 /* prngd must be manually set up to produce output */ 160 /* prngd must be manually set up to produce output */
155 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ 161 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
156 162
157 /* Specify the number of clients we will allow to be connected but 163 /* Specify the number of clients we will allow to be connected but
158 * not yet authenticated. After this limit, connections are rejected */ 164 * not yet authenticated. After this limit, connections are rejected */
165 /* The first setting is per-IP, to avoid denial of service */
166 #ifndef MAX_UNAUTH_PER_IP
167 #define MAX_UNAUTH_PER_IP 5
168 #endif
169
170 /* And then a global limit to avoid chewing memory if connections
171 * come from many IPs */
159 #ifndef MAX_UNAUTH_CLIENTS 172 #ifndef MAX_UNAUTH_CLIENTS
160 #define MAX_UNAUTH_CLIENTS 30 173 #define MAX_UNAUTH_CLIENTS 30
161 #endif 174 #endif
162 175
163 /* Maximum number of failed authentication tries (server option) */ 176 /* Maximum number of failed authentication tries (server option) */
193 /******************************************************************* 206 /*******************************************************************
194 * You shouldn't edit below here unless you know you need to. 207 * You shouldn't edit below here unless you know you need to.
195 *******************************************************************/ 208 *******************************************************************/
196 209
197 #ifndef DROPBEAR_VERSION 210 #ifndef DROPBEAR_VERSION
198 #define DROPBEAR_VERSION "0.46" 211 #define DROPBEAR_VERSION "0.48"
199 #endif 212 #endif
200 213
201 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION 214 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
202 #define PROGNAME "dropbear" 215 #define PROGNAME "dropbear"
203 216
237 250
238 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified, 251 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
239 ipv4 and ipv6 don't count twice */ 252 ipv4 and ipv6 don't count twice */
240 253
241 #define _PATH_TTY "/dev/tty" 254 #define _PATH_TTY "/dev/tty"
255
256 #define _PATH_CP "/bin/cp"
242 257
243 /* Timeouts in seconds */ 258 /* Timeouts in seconds */
244 #define SELECT_TIMEOUT 20 259 #define SELECT_TIMEOUT 20
245 260
246 /* success/failure defines */ 261 /* success/failure defines */
272 287
273 /* largest of MD5 and SHA1 */ 288 /* largest of MD5 and SHA1 */
274 #define MAX_MAC_LEN SHA1_HASH_SIZE 289 #define MAX_MAC_LEN SHA1_HASH_SIZE
275 290
276 291
277 #define MAX_KEY_LEN 24 /* 3DES requires a 24 byte key */ 292 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
278 #define MAX_IV_LEN 20 /* must be same as max blocksize, 293 #define MAX_IV_LEN 20 /* must be same as max blocksize,
279 and >= SHA1_HASH_SIZE */ 294 and >= SHA1_HASH_SIZE */
280 #define MAX_MAC_KEY 20 295 #define MAX_MAC_KEY 20
281 296
282 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't 297 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
299 #define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */ 314 #define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */
300 315
301 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also 316 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also
302 is the max length for a password etc */ 317 is the max length for a password etc */
303 318
304 /* For a 4096 bit DSS key, empirically determined to be 1590 bytes */ 319 /* For a 4096 bit DSS key, empirically determined */
305 #define MAX_PUBKEY_SIZE 1600 320 #define MAX_PUBKEY_SIZE 1700
306 /* For a 4096 bit DSS key, empirically determined to be 1590 bytes */ 321 /* For a 4096 bit DSS key, empirically determined */
307 #define MAX_PRIVKEY_SIZE 1600 322 #define MAX_PRIVKEY_SIZE 1700
323
324 /* The maximum size of the bignum portion of the kexhash buffer */
325 /* Sect. 8 of the transport draft, K_S + e + f + K */
326 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
308 327
309 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit 328 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
310 in a few years time.... */ 329 in a few years time.... */
311 330
312 #define DROPBEAR_MAX_CLI_PASS 1024 331 #define DROPBEAR_MAX_CLI_PASS 1024
332
333 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
334 accept for keyb-interactive
335 auth */
336
337 #if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC)
338 #define DROPBEAR_AES_CBC
339 #endif
340
341 #if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC)
342 #define DROPBEAR_TWOFISH_CBC
343 #endif
313 344
314 #ifndef ENABLE_X11FWD 345 #ifndef ENABLE_X11FWD
315 #define DISABLE_X11FWD 346 #define DISABLE_X11FWD
316 #endif 347 #endif
317 348
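Review bot: KEXHASHBUF_MAX_INTS at new line 326 repeats the literal 1700 that MAX_PUBKEY_SIZE was just raised to at new line 320, so the next bump of the key-size limit can silently leave the kexhash buffer too small for K_S; `#define KEXHASHBUF_MAX_INTS (MAX_PUBKEY_SIZE + 130 + 130 + 130)` keeps the two in step. The three 130s are presumably the per-mpint allowance for e, f and K at the DH group size in use, including the length prefix and sign byte — if so, a comment such as `/* 130: one mpint of the DH group size, with length prefix and sign byte */` would let the constant be rechecked when larger groups are added. The "largest of MD5 and SHA1" comment on MAX_MAC_LEN at new line 288 still holds with sha1-96 added, since the truncated MAC is shorter than SHA1_HASH_SIZE. `_PATH_CP` at new line 256 follows the existing `_PATH_TTY` naming, though identifiers beginning with an underscore and an uppercase letter are reserved for the implementation.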