comparison default_options.h.in @ 1517:7c7c5326ad73
clean up some default options
- move hmac-sha2-512, hmac-md5, twofish_ctr to sysoptions.h, off by default
- try and improve text for KEX methods
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 18 Feb 2018 22:27:51 +0800 |
parents | 6c16a05023aa |
children |
1516:33b872649eb7 | 1517:7c7c5326ad73 |
---|---|
7 | 7 |
8 Local customisation should be added to localoptions.h which is | 8 Local customisation should be added to localoptions.h which is |
9 used if it exists. Options defined there will override any options in this | 9 used if it exists. Options defined there will override any options in this |
10 file. | 10 file. |
11 | 11 |
12 Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS | 12 Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS |
13 | 13 |
14 IMPORTANT: Many options will require "make clean" after changes */ | 14 IMPORTANT: Some options will require "make clean" after changes */ |
15 | 15 |
16 #define DROPBEAR_DEFPORT "22" | 16 #define DROPBEAR_DEFPORT "22" |
17 | 17 |
18 /* Listen on all interfaces */ | 18 /* Listen on all interfaces */ |
19 #define DROPBEAR_DEFADDRESS "" | 19 #define DROPBEAR_DEFADDRESS "" |
39 /* Include verbose debug output, enabled with -v at runtime. | 39 /* Include verbose debug output, enabled with -v at runtime. |
40 * This will add a reasonable amount to your executable size. */ | 40 * This will add a reasonable amount to your executable size. */ |
41 #define DEBUG_TRACE 0 | 41 #define DEBUG_TRACE 0 |
42 | 42 |
43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save | 43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save |
44 several kB in binary size however will make the symmetrical ciphers and hashes | 44 * several kB in binary size however will make the symmetrical ciphers and hashes |
45 slower, perhaps by 50%. Recommended for small systems that aren't doing | 45 * slower, perhaps by 50%. Recommended for small systems that aren't doing |
46 much traffic. */ | 46 * much traffic. */ |
47 #define DROPBEAR_SMALL_CODE 1 | 47 #define DROPBEAR_SMALL_CODE 1 |
48 | 48 |
49 /* Enable X11 Forwarding - server only */ | 49 /* Enable X11 Forwarding - server only */ |
50 #define DROPBEAR_X11FWD 1 | 50 #define DROPBEAR_X11FWD 1 |
51 | 51 |
52 /* Enable TCP Fowarding */ | 52 /* Enable TCP Fowarding */ |
53 /* 'Local' is "-L" style (client listening port forwarded via server) | 53 /* 'Local' is "-L" style (client listening port forwarded via server) |
54 * 'Remote' is "-R" style (server listening port forwarded via client) */ | 54 * 'Remote' is "-R" style (server listening port forwarded via client) */ |
55 | |
56 #define DROPBEAR_CLI_LOCALTCPFWD 1 | 55 #define DROPBEAR_CLI_LOCALTCPFWD 1 |
57 #define DROPBEAR_CLI_REMOTETCPFWD 1 | 56 #define DROPBEAR_CLI_REMOTETCPFWD 1 |
58 | 57 |
59 #define DROPBEAR_SVR_LOCALTCPFWD 1 | 58 #define DROPBEAR_SVR_LOCALTCPFWD 1 |
60 #define DROPBEAR_SVR_REMOTETCPFWD 1 | 59 #define DROPBEAR_SVR_REMOTETCPFWD 1 |
83 * Including both AES keysize variants (128 and 256) will result in | 82 * Including both AES keysize variants (128 and 256) will result in |
84 * a minimal size increase */ | 83 * a minimal size increase */ |
85 #define DROPBEAR_AES128 1 | 84 #define DROPBEAR_AES128 1 |
86 #define DROPBEAR_3DES 1 | 85 #define DROPBEAR_3DES 1 |
87 #define DROPBEAR_AES256 1 | 86 #define DROPBEAR_AES256 1 |
88 #define DROPBEAR_TWOFISH256 1 | 87 #define DROPBEAR_TWOFISH256 0 |
89 #define DROPBEAR_TWOFISH128 1 | 88 #define DROPBEAR_TWOFISH128 0 |
90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ | 89 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ |
91 #define DROPBEAR_BLOWFISH 0 | 90 #define DROPBEAR_BLOWFISH 0 |
92 | 91 |
93 /* Enable CBC mode for ciphers. This has security issues though | 92 /* Enable CBC mode for ciphers. This has security issues though |
94 * is the most compatible with older SSH implementations */ | 93 * is the most compatible with older SSH implementations */ |
96 | 95 |
97 /* Enable "Counter Mode" for ciphers. This is more secure than | 96 /* Enable "Counter Mode" for ciphers. This is more secure than |
98 * CBC mode against certain attacks. It is recommended for security | 97 * CBC mode against certain attacks. It is recommended for security |
99 * and forwards compatibility */ | 98 * and forwards compatibility */ |
100 #define DROPBEAR_ENABLE_CTR_MODE 1 | 99 #define DROPBEAR_ENABLE_CTR_MODE 1 |
101 | |
102 /* Twofish counter mode is disabled by default because it | |
103 has not been tested for interoperability with other SSH implementations. | |
104 If you test it please contact the Dropbear author */ | |
105 #define DROPBEAR_TWOFISH_CTR 0 | |
106 | 100 |
107 /* Message integrity. sha2-256 is recommended as a default, | 101 /* Message integrity. sha2-256 is recommended as a default, |
108 sha1 for compatibility */ | 102 sha1 for compatibility */ |
109 #define DROPBEAR_SHA1_HMAC 1 | 103 #define DROPBEAR_SHA1_HMAC 1 |
110 #define DROPBEAR_SHA1_96_HMAC 1 | 104 #define DROPBEAR_SHA1_96_HMAC 1 |
111 #define DROPBEAR_SHA2_256_HMAC 1 | 105 #define DROPBEAR_SHA2_256_HMAC 1 |
112 /* Default is to include it if sha512 is being compiled in for ECDSA */ | |
113 #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA) | |
114 | |
115 /* XXX needed for fingerprints */ | |
116 #define DROPBEAR_MD5_HMAC 0 | |
117 | 106 |
118 /* Hostkey/public key algorithms - at least one required, these are used | 107 /* Hostkey/public key algorithms - at least one required, these are used |
119 * for hostkey as well as for verifying signatures with pubkey auth. | 108 * for hostkey as well as for verifying signatures with pubkey auth. |
120 * Removing either of these won't save very much space. | 109 * Removing either of these won't save very much space. |
121 * RSA is recommended | 110 * RSA is recommended |
137 connection using that key type occurs. | 126 connection using that key type occurs. |
138 This avoids the need to otherwise run "dropbearkey" and avoids some problems | 127 This avoids the need to otherwise run "dropbearkey" and avoids some problems |
139 with badly seeded /dev/urandom when systems first boot. */ | 128 with badly seeded /dev/urandom when systems first boot. */ |
140 #define DROPBEAR_DELAY_HOSTKEY 1 | 129 #define DROPBEAR_DELAY_HOSTKEY 1 |
141 | 130 |
142 /* Enable Curve25519 for key exchange. This is another elliptic | |
143 * curve method with good security properties. Increases binary size | |
144 * by ~8kB on x86-64 */ | |
145 #define DROPBEAR_CURVE25519 1 | |
146 | |
147 /* Enable elliptic curve Diffie Hellman key exchange, see note about | |
148 * ECDSA above */ | |
149 #define DROPBEAR_ECDH 1 | |
150 | 131 |
151 /* Key exchange algorithm. | 132 /* Key exchange algorithm. |
133 | |
152 * group14_sha1 - 2048 bit, sha1 | 134 * group14_sha1 - 2048 bit, sha1 |
153 * group14_sha256 - 2048 bit, sha2-256 | 135 * group14_sha256 - 2048 bit, sha2-256 |
154 * group16 - 4096 bit, sha2-512 | 136 * group16 - 4096 bit, sha2-512 |
155 * group1 - 1024 bit, sha1 | 137 * group1 - 1024 bit, sha1 |
138 * curve25519 - elliptic curve DH | |
139 * ecdh - NIST elliptic curve DH (256, 384, 521) | |
156 * | 140 * |
141 * group1 is too small for security though is necessary if you need | |
142 compatibility with some implementations such as Dropbear versions < 0.53 | |
157 * group14 is supported by most implementations. | 143 * group14 is supported by most implementations. |
158 * group16 provides a greater strength level but is slower and increases binary size | 144 * group16 provides a greater strength level but is slower and increases binary size |
159 * group1 is too small for security though is necessary if you need | 145 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods |
160 compatibility with some implementations such as Dropbear versions < 0.53 | 146 * curve25519 increases binary size by ~8kB on x86-64 |
147 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 | |
148 | |
149 * Small systems should generally include either curve25519 or ecdh for performance. | |
150 * curve25519 is less widely supported but is faster | |
161 */ | 151 */ |
162 #define DROPBEAR_DH_GROUP1 1 | 152 #define DROPBEAR_DH_GROUP1 1 |
163 #define DROPBEAR_DH_GROUP14_SHA1 1 | 153 #define DROPBEAR_DH_GROUP14_SHA1 1 |
164 #define DROPBEAR_DH_GROUP14_SHA256 1 | 154 #define DROPBEAR_DH_GROUP14_SHA256 1 |
165 #define DROPBEAR_DH_GROUP16 0 | 155 #define DROPBEAR_DH_GROUP16 0 |
156 #define DROPBEAR_CURVE25519 1 | |
157 #define DROPBEAR_ECDH 1 | |
166 | 158 |
167 /* Control the memory/performance/compression tradeoff for zlib. | 159 /* Control the memory/performance/compression tradeoff for zlib. |
168 * Set windowBits=8 for least memory usage, see your system's | 160 * Set windowBits=8 for least memory usage, see your system's |
169 * zlib.h for full details. | 161 * zlib.h for full details. |
170 * Default settings (windowBits=15) will use 256kB for compression | 162 * Default settings (windowBits=15) will use 256kB for compression |
176 /* Whether to do reverse DNS lookups. */ | 168 /* Whether to do reverse DNS lookups. */ |
177 #define DO_HOST_LOOKUP 0 | 169 #define DO_HOST_LOOKUP 0 |
178 | 170 |
179 /* Whether to print the message of the day (MOTD). */ | 171 /* Whether to print the message of the day (MOTD). */ |
180 #define DO_MOTD 0 | 172 #define DO_MOTD 0 |
181 | |
182 /* The MOTD file path */ | |
183 #define MOTD_FILENAME "/etc/motd" | 173 #define MOTD_FILENAME "/etc/motd" |
184 | 174 |
185 /* Authentication Types - at least one required. | 175 /* Authentication Types - at least one required. |
186 RFC Draft requires pubkey auth, and recommends password */ | 176 RFC Draft requires pubkey auth, and recommends password */ |
187 #define DROPBEAR_SVR_PASSWORD_AUTH 1 | 177 #define DROPBEAR_SVR_PASSWORD_AUTH 1 |
221 #define DROPBEAR_CLI_ASKPASS_HELPER 0 | 211 #define DROPBEAR_CLI_ASKPASS_HELPER 0 |
222 | 212 |
223 /* Save a network roundtrip by sendng a real auth request immediately after | 213 /* Save a network roundtrip by sendng a real auth request immediately after |
224 * sending a query for the available methods. This is not yet enabled by default | 214 * sending a query for the available methods. This is not yet enabled by default |
225 since it could cause problems with non-compliant servers */ | 215 since it could cause problems with non-compliant servers */ |
226 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 | 216 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 |
227 | 217 |
228 /* Set this to use PRNGD or EGD instead of /dev/urandom */ | 218 /* Set this to use PRNGD or EGD instead of /dev/urandom */ |
229 #define DROPBEAR_USE_PRNGD 0 | 219 #define DROPBEAR_USE_PRNGD 0 |
230 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" | 220 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" |
231 | 221 |