comparison options.h @ 681:a4b7627b3157 insecure-nocrypto
Update insecure-nocrypto to current head
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 16 May 2012 22:54:51 +0800 |
parents | bd4b5d7886e5 0129fd8ccc71 |
children | c37857676924 |
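--- a/options.h
+++ b/options.h
@@ -95,10 +95,22 @@
 /* Enable "Counter Mode" for ciphers. This is more secure than normal
 * CBC mode against certain attacks. This adds around 1kB to binary
 * size and is recommended for most cases */
 #define DROPBEAR_ENABLE_CTR_MODE
 
+/* You can compile with no encryption if you want. In some circumstances
+* this could be safe security-wise, though make sure you know what
+* you're doing. Anyone can see everything that goes over the wire, so
+* the only safe auth method is public key. You'll have to disable all other
+* ciphers above in the client if you want to use this, or implement cipher
+* prioritisation in cli-runopts.
+*
+* The best way to do things is probably make normal compile of dropbear with
+* all ciphers including "none" as the server, then recompile a special
+* "dbclient-insecure" client. */
+/* #define DROPBEAR_NONE_CIPHER */
+
 /* Message Integrity - at least one required.
 * Protocol RFC requires sha1 and recommends sha1-96.
 * sha1-96 is of use for slow links as it has a smaller overhead.
 *
 * There's no reason to disable sha1 or sha1-96 to save space since it's
@@ -107,16 +119,22 @@
 * of the ssh protocol.
 *
 * These hashes are also used for public key fingerprints in logs.
 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
 * which are not the standard form. */
-
 #define DROPBEAR_SHA1_HMAC
 #define DROPBEAR_SHA1_96_HMAC
 /*#define DROPBEAR_SHA2_256_HMAC*/
 /*#define DROPBEAR_SHA2_512_HMAC*/
 #define DROPBEAR_MD5_HMAC
+
+/* You can also disable integrity. Don't bother disabling this if you're
+* still using a cipher, it's relatively cheap. If you disable this it's dead
+* simple to run arbitrary commands on the remote host. Beware.
+* Note again, for the client you will have to disable other hashes above
+* to use this. */
+/* #define DROPBEAR_NONE_INTEGRITY */
 
 /* Hostkey/public key algorithms - at least one required, these are used
 * for hostkey as well as for verifying signatures with pubkey auth.
 * Removing either of these won't save very much space.
 * SSH2 RFC Draft requires dss, recommends rsa */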
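Review bot: The comment added above `DROPBEAR_NONE_INTEGRITY` says "if you disable this" although the action is defining a macro, so "this" can be read as the macro rather than integrity checking. I would word it as `/* Defining this offers the "none" MAC: packets are not authenticated and can be altered in transit. */`. The `DROPBEAR_NONE_CIPHER` comment recommends building the normal server with "none" included, which presumably lets any client that asks for it get an unencrypted session. The comment should state that trade-off next to the advice that only public key auth is safe. Nothing in this section makes such a build visible or ties "none" to refusing password auth. If that is not enforced elsewhere (not visible here), a `#warning` under `#if defined(DROPBEAR_NONE_CIPHER) || defined(DROPBEAR_NONE_INTEGRITY)` would at least surface it in build logs.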