Mercurial > dropbear
comparison default_options.h.in @ 1517:7c7c5326ad73
clean up some default options
- move hmac-sha2-512, hmac-md5, twofish_ctr to sysoptions.h, off by default
- try and improve text for KEX methods
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Sun, 18 Feb 2018 22:27:51 +0800 |
| parents | 6c16a05023aa |
| children |
comparison
equal
deleted
inserted
replaced
| 1516:33b872649eb7 | 1517:7c7c5326ad73 |
|---|---|
| 7 | 7 |
| 8 Local customisation should be added to localoptions.h which is | 8 Local customisation should be added to localoptions.h which is |
| 9 used if it exists. Options defined there will override any options in this | 9 used if it exists. Options defined there will override any options in this |
| 10 file. | 10 file. |
| 11 | 11 |
| 12 Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS | 12 Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS |
| 13 | 13 |
| 14 IMPORTANT: Many options will require "make clean" after changes */ | 14 IMPORTANT: Some options will require "make clean" after changes */ |
| 15 | 15 |
| 16 #define DROPBEAR_DEFPORT "22" | 16 #define DROPBEAR_DEFPORT "22" |
| 17 | 17 |
| 18 /* Listen on all interfaces */ | 18 /* Listen on all interfaces */ |
| 19 #define DROPBEAR_DEFADDRESS "" | 19 #define DROPBEAR_DEFADDRESS "" |
| 39 /* Include verbose debug output, enabled with -v at runtime. | 39 /* Include verbose debug output, enabled with -v at runtime. |
| 40 * This will add a reasonable amount to your executable size. */ | 40 * This will add a reasonable amount to your executable size. */ |
| 41 #define DEBUG_TRACE 0 | 41 #define DEBUG_TRACE 0 |
| 42 | 42 |
| 43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save | 43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save |
| 44 several kB in binary size however will make the symmetrical ciphers and hashes | 44 * several kB in binary size however will make the symmetrical ciphers and hashes |
| 45 slower, perhaps by 50%. Recommended for small systems that aren't doing | 45 * slower, perhaps by 50%. Recommended for small systems that aren't doing |
| 46 much traffic. */ | 46 * much traffic. */ |
| 47 #define DROPBEAR_SMALL_CODE 1 | 47 #define DROPBEAR_SMALL_CODE 1 |
| 48 | 48 |
| 49 /* Enable X11 Forwarding - server only */ | 49 /* Enable X11 Forwarding - server only */ |
| 50 #define DROPBEAR_X11FWD 1 | 50 #define DROPBEAR_X11FWD 1 |
| 51 | 51 |
| 52 /* Enable TCP Fowarding */ | 52 /* Enable TCP Fowarding */ |
| 53 /* 'Local' is "-L" style (client listening port forwarded via server) | 53 /* 'Local' is "-L" style (client listening port forwarded via server) |
| 54 * 'Remote' is "-R" style (server listening port forwarded via client) */ | 54 * 'Remote' is "-R" style (server listening port forwarded via client) */ |
| 55 | |
| 56 #define DROPBEAR_CLI_LOCALTCPFWD 1 | 55 #define DROPBEAR_CLI_LOCALTCPFWD 1 |
| 57 #define DROPBEAR_CLI_REMOTETCPFWD 1 | 56 #define DROPBEAR_CLI_REMOTETCPFWD 1 |
| 58 | 57 |
| 59 #define DROPBEAR_SVR_LOCALTCPFWD 1 | 58 #define DROPBEAR_SVR_LOCALTCPFWD 1 |
| 60 #define DROPBEAR_SVR_REMOTETCPFWD 1 | 59 #define DROPBEAR_SVR_REMOTETCPFWD 1 |
| 83 * Including both AES keysize variants (128 and 256) will result in | 82 * Including both AES keysize variants (128 and 256) will result in |
| 84 * a minimal size increase */ | 83 * a minimal size increase */ |
| 85 #define DROPBEAR_AES128 1 | 84 #define DROPBEAR_AES128 1 |
| 86 #define DROPBEAR_3DES 1 | 85 #define DROPBEAR_3DES 1 |
| 87 #define DROPBEAR_AES256 1 | 86 #define DROPBEAR_AES256 1 |
| 88 #define DROPBEAR_TWOFISH256 1 | 87 #define DROPBEAR_TWOFISH256 0 |
| 89 #define DROPBEAR_TWOFISH128 1 | 88 #define DROPBEAR_TWOFISH128 0 |
| 90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ | 89 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ |
| 91 #define DROPBEAR_BLOWFISH 0 | 90 #define DROPBEAR_BLOWFISH 0 |
| 92 | 91 |
| 93 /* Enable CBC mode for ciphers. This has security issues though | 92 /* Enable CBC mode for ciphers. This has security issues though |
| 94 * is the most compatible with older SSH implementations */ | 93 * is the most compatible with older SSH implementations */ |
| 96 | 95 |
| 97 /* Enable "Counter Mode" for ciphers. This is more secure than | 96 /* Enable "Counter Mode" for ciphers. This is more secure than |
| 98 * CBC mode against certain attacks. It is recommended for security | 97 * CBC mode against certain attacks. It is recommended for security |
| 99 * and forwards compatibility */ | 98 * and forwards compatibility */ |
| 100 #define DROPBEAR_ENABLE_CTR_MODE 1 | 99 #define DROPBEAR_ENABLE_CTR_MODE 1 |
| 101 | |
| 102 /* Twofish counter mode is disabled by default because it | |
| 103 has not been tested for interoperability with other SSH implementations. | |
| 104 If you test it please contact the Dropbear author */ | |
| 105 #define DROPBEAR_TWOFISH_CTR 0 | |
| 106 | 100 |
| 107 /* Message integrity. sha2-256 is recommended as a default, | 101 /* Message integrity. sha2-256 is recommended as a default, |
| 108 sha1 for compatibility */ | 102 sha1 for compatibility */ |
| 109 #define DROPBEAR_SHA1_HMAC 1 | 103 #define DROPBEAR_SHA1_HMAC 1 |
| 110 #define DROPBEAR_SHA1_96_HMAC 1 | 104 #define DROPBEAR_SHA1_96_HMAC 1 |
| 111 #define DROPBEAR_SHA2_256_HMAC 1 | 105 #define DROPBEAR_SHA2_256_HMAC 1 |
| 112 /* Default is to include it if sha512 is being compiled in for ECDSA */ | |
| 113 #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA) | |
| 114 | |
| 115 /* XXX needed for fingerprints */ | |
| 116 #define DROPBEAR_MD5_HMAC 0 | |
| 117 | 106 |
| 118 /* Hostkey/public key algorithms - at least one required, these are used | 107 /* Hostkey/public key algorithms - at least one required, these are used |
| 119 * for hostkey as well as for verifying signatures with pubkey auth. | 108 * for hostkey as well as for verifying signatures with pubkey auth. |
| 120 * Removing either of these won't save very much space. | 109 * Removing either of these won't save very much space. |
| 121 * RSA is recommended | 110 * RSA is recommended |
| 137 connection using that key type occurs. | 126 connection using that key type occurs. |
| 138 This avoids the need to otherwise run "dropbearkey" and avoids some problems | 127 This avoids the need to otherwise run "dropbearkey" and avoids some problems |
| 139 with badly seeded /dev/urandom when systems first boot. */ | 128 with badly seeded /dev/urandom when systems first boot. */ |
| 140 #define DROPBEAR_DELAY_HOSTKEY 1 | 129 #define DROPBEAR_DELAY_HOSTKEY 1 |
| 141 | 130 |
| 142 /* Enable Curve25519 for key exchange. This is another elliptic | |
| 143 * curve method with good security properties. Increases binary size | |
| 144 * by ~8kB on x86-64 */ | |
| 145 #define DROPBEAR_CURVE25519 1 | |
| 146 | |
| 147 /* Enable elliptic curve Diffie Hellman key exchange, see note about | |
| 148 * ECDSA above */ | |
| 149 #define DROPBEAR_ECDH 1 | |
| 150 | 131 |
| 151 /* Key exchange algorithm. | 132 /* Key exchange algorithm. |
| 133 | |
| 152 * group14_sha1 - 2048 bit, sha1 | 134 * group14_sha1 - 2048 bit, sha1 |
| 153 * group14_sha256 - 2048 bit, sha2-256 | 135 * group14_sha256 - 2048 bit, sha2-256 |
| 154 * group16 - 4096 bit, sha2-512 | 136 * group16 - 4096 bit, sha2-512 |
| 155 * group1 - 1024 bit, sha1 | 137 * group1 - 1024 bit, sha1 |
| 138 * curve25519 - elliptic curve DH | |
| 139 * ecdh - NIST elliptic curve DH (256, 384, 521) | |
| 156 * | 140 * |
| 141 * group1 is too small for security though is necessary if you need | |
| 142 compatibility with some implementations such as Dropbear versions < 0.53 | |
| 157 * group14 is supported by most implementations. | 143 * group14 is supported by most implementations. |
| 158 * group16 provides a greater strength level but is slower and increases binary size | 144 * group16 provides a greater strength level but is slower and increases binary size |
| 159 * group1 is too small for security though is necessary if you need | 145 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods |
| 160 compatibility with some implementations such as Dropbear versions < 0.53 | 146 * curve25519 increases binary size by ~8kB on x86-64 |
| 147 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 | |
| 148 | |
| 149 * Small systems should generally include either curve25519 or ecdh for performance. | |
| 150 * curve25519 is less widely supported but is faster | |
| 161 */ | 151 */ |
| 162 #define DROPBEAR_DH_GROUP1 1 | 152 #define DROPBEAR_DH_GROUP1 1 |
| 163 #define DROPBEAR_DH_GROUP14_SHA1 1 | 153 #define DROPBEAR_DH_GROUP14_SHA1 1 |
| 164 #define DROPBEAR_DH_GROUP14_SHA256 1 | 154 #define DROPBEAR_DH_GROUP14_SHA256 1 |
| 165 #define DROPBEAR_DH_GROUP16 0 | 155 #define DROPBEAR_DH_GROUP16 0 |
| 156 #define DROPBEAR_CURVE25519 1 | |
| 157 #define DROPBEAR_ECDH 1 | |
| 166 | 158 |
| 167 /* Control the memory/performance/compression tradeoff for zlib. | 159 /* Control the memory/performance/compression tradeoff for zlib. |
| 168 * Set windowBits=8 for least memory usage, see your system's | 160 * Set windowBits=8 for least memory usage, see your system's |
| 169 * zlib.h for full details. | 161 * zlib.h for full details. |
| 170 * Default settings (windowBits=15) will use 256kB for compression | 162 * Default settings (windowBits=15) will use 256kB for compression |
| 176 /* Whether to do reverse DNS lookups. */ | 168 /* Whether to do reverse DNS lookups. */ |
| 177 #define DO_HOST_LOOKUP 0 | 169 #define DO_HOST_LOOKUP 0 |
| 178 | 170 |
| 179 /* Whether to print the message of the day (MOTD). */ | 171 /* Whether to print the message of the day (MOTD). */ |
| 180 #define DO_MOTD 0 | 172 #define DO_MOTD 0 |
| 181 | |
| 182 /* The MOTD file path */ | |
| 183 #define MOTD_FILENAME "/etc/motd" | 173 #define MOTD_FILENAME "/etc/motd" |
| 184 | 174 |
| 185 /* Authentication Types - at least one required. | 175 /* Authentication Types - at least one required. |
| 186 RFC Draft requires pubkey auth, and recommends password */ | 176 RFC Draft requires pubkey auth, and recommends password */ |
| 187 #define DROPBEAR_SVR_PASSWORD_AUTH 1 | 177 #define DROPBEAR_SVR_PASSWORD_AUTH 1 |
| 221 #define DROPBEAR_CLI_ASKPASS_HELPER 0 | 211 #define DROPBEAR_CLI_ASKPASS_HELPER 0 |
| 222 | 212 |
| 223 /* Save a network roundtrip by sendng a real auth request immediately after | 213 /* Save a network roundtrip by sendng a real auth request immediately after |
| 224 * sending a query for the available methods. This is not yet enabled by default | 214 * sending a query for the available methods. This is not yet enabled by default |
| 225 since it could cause problems with non-compliant servers */ | 215 since it could cause problems with non-compliant servers */ |
| 226 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 | 216 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 |
| 227 | 217 |
| 228 /* Set this to use PRNGD or EGD instead of /dev/urandom */ | 218 /* Set this to use PRNGD or EGD instead of /dev/urandom */ |
| 229 #define DROPBEAR_USE_PRNGD 0 | 219 #define DROPBEAR_USE_PRNGD 0 |
| 230 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" | 220 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" |
| 231 | 221 |