comparison options.h @ 910:89555751c489 asm
merge up to 2013.63, improve ASM makefile rules a bit
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 27 Feb 2014 21:35:58 +0800 |
parents | 49ed526daedc |
children | bae0b34bc059 a0819ecfee0b |
909:e4b75744acab | 910:89555751c489 |
---|---|
3 * All rights reserved. See LICENSE for the license. */ | 3 * All rights reserved. See LICENSE for the license. */ |
4 | 4 |
5 #ifndef _OPTIONS_H_ | 5 #ifndef _OPTIONS_H_ |
6 #define _OPTIONS_H_ | 6 #define _OPTIONS_H_ |
7 | 7 |
8 /****************************************************************** | 8 /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" |
9 * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" | 9 * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ |
10 * parts are to allow for commandline -DDROPBEAR_XXX options etc. | 10 |
11 ******************************************************************/ | 11 /* IMPORTANT: Many options will require "make clean" after changes */ |
12 | 12 |
13 #ifndef DROPBEAR_DEFPORT | 13 #ifndef DROPBEAR_DEFPORT |
14 #define DROPBEAR_DEFPORT "22" | 14 #define DROPBEAR_DEFPORT "22" |
15 #endif | 15 #endif |
16 | 16 |
23 #ifndef DSS_PRIV_FILENAME | 23 #ifndef DSS_PRIV_FILENAME |
24 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" | 24 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" |
25 #endif | 25 #endif |
26 #ifndef RSA_PRIV_FILENAME | 26 #ifndef RSA_PRIV_FILENAME |
27 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" | 27 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" |
28 #endif | |
29 #ifndef ECDSA_PRIV_FILENAME | |
30 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" | |
28 #endif | 31 #endif |
29 | 32 |
30 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens | 33 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens |
31 * on chosen ports and keeps accepting connections. This is the default. | 34 * on chosen ports and keeps accepting connections. This is the default. |
32 * | 35 * |
47 | 50 |
48 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save | 51 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save |
49 several kB in binary size however will make the symmetrical ciphers and hashes | 52 several kB in binary size however will make the symmetrical ciphers and hashes |
50 slower, perhaps by 50%. Recommended for small systems that aren't doing | 53 slower, perhaps by 50%. Recommended for small systems that aren't doing |
51 much traffic. */ | 54 much traffic. */ |
52 /*#define DROPBEAR_SMALL_CODE*/ | 55 #define DROPBEAR_SMALL_CODE |
53 | 56 |
54 /* Enable X11 Forwarding - server only */ | 57 /* Enable X11 Forwarding - server only */ |
55 #define ENABLE_X11FWD | 58 #define ENABLE_X11FWD |
56 | 59 |
57 /* Enable TCP Fowarding */ | 60 /* Enable TCP Fowarding */ |
124 /*#define DROPBEAR_SHA2_512_HMAC*/ | 127 /*#define DROPBEAR_SHA2_512_HMAC*/ |
125 #define DROPBEAR_MD5_HMAC | 128 #define DROPBEAR_MD5_HMAC |
126 | 129 |
127 /* You can also disable integrity. Don't bother disabling this if you're | 130 /* You can also disable integrity. Don't bother disabling this if you're |
128 * still using a cipher, it's relatively cheap. If you disable this it's dead | 131 * still using a cipher, it's relatively cheap. If you disable this it's dead |
129 * simple to run arbitrary commands on the remote host. Beware. */ | 132 * simple for an attacker to run arbitrary commands on the remote host. Beware. */ |
130 /* #define DROPBEAR_NONE_INTEGRITY */ | 133 /* #define DROPBEAR_NONE_INTEGRITY */ |
131 | 134 |
132 /* Hostkey/public key algorithms - at least one required, these are used | 135 /* Hostkey/public key algorithms - at least one required, these are used |
133 * for hostkey as well as for verifying signatures with pubkey auth. | 136 * for hostkey as well as for verifying signatures with pubkey auth. |
134 * Removing either of these won't save very much space. | 137 * Removing either of these won't save very much space. |
135 * SSH2 RFC Draft requires dss, recommends rsa */ | 138 * SSH2 RFC Draft requires dss, recommends rsa */ |
136 #define DROPBEAR_RSA | 139 #define DROPBEAR_RSA |
137 #define DROPBEAR_DSS | 140 #define DROPBEAR_DSS |
138 | 141 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC |
139 /* RSA can be vulnerable to timing attacks which use the time required for | 142 * code (either ECDSA or ECDH) increases binary size - around 30kB |
140 * signing to guess the private key. Blinding avoids this attack, though makes | 143 * on x86-64 */ |
141 * signing operations slightly slower. */ | 144 #define DROPBEAR_ECDSA |
142 #define RSA_BLINDING | 145 |
146 /* Generate hostkeys as-needed when the first connection using that key type occurs. | |
147 This avoids the need to otherwise run "dropbearkey" and avoids some problems | |
148 with badly seeded /dev/urandom when systems first boot. | |
149 This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly | |
150 anything if dropbearkey is linked in a "dropbearmulti" binary) */ | |
151 #define DROPBEAR_DELAY_HOSTKEY | |
152 | |
153 /* Enable Curve25519 for key exchange. This is another elliptic | |
154 * curve method with good security properties. Increases binary size | |
155 * by ~8kB on x86-64 */ | |
156 #define DROPBEAR_CURVE25519 | |
157 | |
158 /* Enable elliptic curve Diffie Hellman key exchange, see note about | |
159 * ECDSA above */ | |
160 #define DROPBEAR_ECDH | |
143 | 161 |
144 /* Control the memory/performance/compression tradeoff for zlib. | 162 /* Control the memory/performance/compression tradeoff for zlib. |
145 * Set windowBits=8 for least memory usage, see your system's | 163 * Set windowBits=8 for least memory usage, see your system's |
146 * zlib.h for full details. | 164 * zlib.h for full details. |
147 * Default settings (windowBits=15) will use 256kB for compression | 165 * Default settings (windowBits=15) will use 256kB for compression |
151 #ifndef DROPBEAR_ZLIB_WINDOW_BITS | 169 #ifndef DROPBEAR_ZLIB_WINDOW_BITS |
152 #define DROPBEAR_ZLIB_WINDOW_BITS 15 | 170 #define DROPBEAR_ZLIB_WINDOW_BITS 15 |
153 #endif | 171 #endif |
154 | 172 |
155 /* Whether to do reverse DNS lookups. */ | 173 /* Whether to do reverse DNS lookups. */ |
156 //#define DO_HOST_LOOKUP | 174 /*#define DO_HOST_LOOKUP */ |
157 | 175 |
158 /* Whether to print the message of the day (MOTD). This doesn't add much code | 176 /* Whether to print the message of the day (MOTD). This doesn't add much code |
159 * size */ | 177 * size */ |
160 #define DO_MOTD | 178 #define DO_MOTD |
161 | 179 |
174 * PAM challenge/response. | 192 * PAM challenge/response. |
175 * You can't enable both PASSWORD and PAM. */ | 193 * You can't enable both PASSWORD and PAM. */ |
176 | 194 |
177 #define ENABLE_SVR_PASSWORD_AUTH | 195 #define ENABLE_SVR_PASSWORD_AUTH |
178 /* PAM requires ./configure --enable-pam */ | 196 /* PAM requires ./configure --enable-pam */ |
179 //#define ENABLE_SVR_PAM_AUTH | 197 /*#define ENABLE_SVR_PAM_AUTH */ |
180 #define ENABLE_SVR_PUBKEY_AUTH | 198 #define ENABLE_SVR_PUBKEY_AUTH |
181 | 199 |
182 /* Whether to take public key options in | 200 /* Whether to take public key options in |
183 * authorized_keys file into account */ | 201 * authorized_keys file into account */ |
184 #ifdef ENABLE_SVR_PUBKEY_AUTH | 202 #ifdef ENABLE_SVR_PUBKEY_AUTH |
202 * specified in the SSH_ASKPASS environment variable, and dbclient | 220 * specified in the SSH_ASKPASS environment variable, and dbclient |
203 * should be run with DISPLAY set and no tty. The program should | 221 * should be run with DISPLAY set and no tty. The program should |
204 * return the password on standard output */ | 222 * return the password on standard output */ |
205 /*#define ENABLE_CLI_ASKPASS_HELPER*/ | 223 /*#define ENABLE_CLI_ASKPASS_HELPER*/ |
206 | 224 |
207 /* Send a real auth request first rather than requesting a list of available methods. | 225 /* Save a network roundtrip by sendng a real auth request immediately after |
208 * It saves a network round trip at login but prevents immediate login to | 226 * sending a query for the available methods. It is at the expense of < 100 |
209 * accounts with no password, and might be rejected by some strict servers (none | 227 * bytes of extra network traffic. This is not yet enabled by default since it |
210 * encountered yet) - hence it isn't enabled by default. */ | 228 * could cause problems with non-compliant servers */ |
211 /* #define CLI_IMMEDIATE_AUTH */ | 229 /* #define DROPBEAR_CLI_IMMEDIATE_AUTH */ |
212 | |
213 | 230 |
214 /* Source for randomness. This must be able to provide hundreds of bytes per SSH | 231 /* Source for randomness. This must be able to provide hundreds of bytes per SSH |
215 * connection without blocking. In addition /dev/random is used for seeding | 232 * connection without blocking. In addition /dev/random is used for seeding |
216 * rsa/dss key generation */ | 233 * rsa/dss key generation */ |
217 #define DROPBEAR_URANDOM_DEV "/dev/urandom" | 234 #define DROPBEAR_URANDOM_DEV "/dev/urandom" |