comparison options.h @ 499:f3ca5ebc319a

Split options.h out into sysoptions.h for options that aren't usually user-changed
author Matt Johnston <matt@ucc.asn.au>
date Tue, 23 Sep 2008 16:02:51 +0000
parents 9f583f4d59a6
children d588e3ea557a 43bbe17d6ba0
comparison
equal deleted inserted replaced
498:3c0dc22bda20 499:f3ca5ebc319a
138 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). 138 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
139 * It's useful for systems like OS X where standard password crypts don't work, 139 * It's useful for systems like OS X where standard password crypts don't work,
140 * but there's an interface via a PAM module - don't bother using it otherwise. 140 * but there's an interface via a PAM module - don't bother using it otherwise.
141 * You can't enable both PASSWORD and PAM. */ 141 * You can't enable both PASSWORD and PAM. */
142 142
143 //#define ENABLE_SVR_PASSWORD_AUTH 143 #define ENABLE_SVR_PASSWORD_AUTH
144 #define ENABLE_SVR_PAM_AUTH /* requires ./configure --enable-pam */ 144 /* PAM requires ./configure --enable-pam */
145 /* #define ENABLE_SVR_PAM_AUTH */
145 #define ENABLE_SVR_PUBKEY_AUTH 146 #define ENABLE_SVR_PUBKEY_AUTH
146 147
147 /* Wether to ake public key options in authorized_keys file into account */ 148 /* Wether to ake public key options in authorized_keys file into account */
148 #ifdef ENABLE_SVR_PUBKEY_AUTH 149 #ifdef ENABLE_SVR_PUBKEY_AUTH
149 #define ENABLE_SVR_PUBKEY_OPTIONS 150 #define ENABLE_SVR_PUBKEY_OPTIONS
246 247
247 /* Ensure that data is transmitted every KEEPALIVE seconds. This can 248 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
248 be overridden at runtime with -K. 0 disables keepalives */ 249 be overridden at runtime with -K. 0 disables keepalives */
249 #define DEFAULT_KEEPALIVE 0 250 #define DEFAULT_KEEPALIVE 0
250 251
251 /******************************************************************* 252 /* Some other defines (that mostly should be left alone) are defined
252 * You shouldn't edit below here unless you know you need to. 253 * in sysoptions.h */
253 *******************************************************************/ 254 #include "sysoptions.h"
254
255 #ifndef DROPBEAR_VERSION
256 #define DROPBEAR_VERSION "0.51"
257 #endif
258
259 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
260 #define PROGNAME "dropbear"
261
262 /* Spec recommends after one hour or 1 gigabyte of data. One hour
263 * is a bit too verbose, so we try 8 hours */
264 #ifndef KEX_REKEY_TIMEOUT
265 #define KEX_REKEY_TIMEOUT (3600 * 8)
266 #endif
267 #ifndef KEX_REKEY_DATA
268 #define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
269 #endif
270 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
271 #ifndef AUTH_TIMEOUT
272 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
273 #endif
274
275 /* Minimum key sizes for DSS and RSA */
276 #ifndef MIN_DSS_KEYLEN
277 #define MIN_DSS_KEYLEN 512
278 #endif
279 #ifndef MIN_RSA_KEYLEN
280 #define MIN_RSA_KEYLEN 512
281 #endif
282
283 #define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
284 #define MAX_BANNER_LINES 20 /* How many lines the client will display */
285
286 /* the number of NAME=VALUE pairs to malloc for environ, if we don't have
287 * the clearenv() function */
288 #define ENV_SIZE 100
289
290 #define MAX_CMD_LEN 1024 /* max length of a command */
291 #define MAX_TERM_LEN 200 /* max length of TERM name */
292
293 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
294 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
295
296 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
297 ipv4 and ipv6 don't count twice */
298
299 /* Each port might have at least a v4 and a v6 address */
300 #define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3)
301
302 #define _PATH_TTY "/dev/tty"
303
304 #define _PATH_CP "/bin/cp"
305
306 /* success/failure defines */
307 #define DROPBEAR_SUCCESS 0
308 #define DROPBEAR_FAILURE -1
309
310 /* various algorithm identifiers */
311 #define DROPBEAR_KEX_DH_GROUP1 0
312
313 #define DROPBEAR_SIGNKEY_ANY 0
314 #define DROPBEAR_SIGNKEY_RSA 1
315 #define DROPBEAR_SIGNKEY_DSS 2
316 #define DROPBEAR_SIGNKEY_NONE 3
317
318 #define DROPBEAR_COMP_NONE 0
319 #define DROPBEAR_COMP_ZLIB 1
320
321 /* Required for pubkey auth */
322 #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
323 #define DROPBEAR_SIGNKEY_VERIFY
324 #endif
325
326 /* SHA1 is 20 bytes == 160 bits */
327 #define SHA1_HASH_SIZE 20
328 /* SHA512 is 64 bytes == 512 bits */
329 #define SHA512_HASH_SIZE 64
330 /* MD5 is 16 bytes = 128 bits */
331 #define MD5_HASH_SIZE 16
332
333 /* largest of MD5 and SHA1 */
334 #define MAX_MAC_LEN SHA1_HASH_SIZE
335
336
337 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
338 #define MAX_IV_LEN 20 /* must be same as max blocksize,
339 and >= SHA1_HASH_SIZE */
340 #define MAX_MAC_KEY 20
341
342 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
343 explicitly specified for all protocols (just
344 for algos) but seems valid */
345
346 #define MAX_PROPOSED_ALGO 20
347
348 /* size/count limits */
349 #define MIN_PACKET_LEN 16
350
351 #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
352
353 /* for channel code */
354 #define TRANS_MAX_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
355 #define TRANS_MAX_WIN_INCR 500000000 /* overflow prevention */
356
357 #define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
358 RECV_WINDOWEXTEND bytes */
359 #define MAX_RECV_WINDOW (1024*1024) /* 1 MB should be enough */
360
361 #define MAX_CHANNELS 100 /* simple mem restriction, includes each tcp/x11
362 connection, so can't be _too_ small */
363
364 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also
365 is the max length for a password etc */
366
367 /* For a 4096 bit DSS key, empirically determined */
368 #define MAX_PUBKEY_SIZE 1700
369 /* For a 4096 bit DSS key, empirically determined */
370 #define MAX_PRIVKEY_SIZE 1700
371
372 /* The maximum size of the bignum portion of the kexhash buffer */
373 /* Sect. 8 of the transport draft, K_S + e + f + K */
374 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
375
376 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
377 in a few years time.... */
378
379 #define DROPBEAR_MAX_CLI_PASS 1024
380
381 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
382 accept for keyb-interactive
383 auth */
384
385 #if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC)
386 #define DROPBEAR_AES_CBC
387 #endif
388
389 #if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC)
390 #define DROPBEAR_TWOFISH_CBC
391 #endif
392
393 #ifndef ENABLE_X11FWD
394 #define DISABLE_X11FWD
395 #endif
396
397 #ifndef ENABLE_AGENTFWD
398 #define DISABLE_AGENTFWD
399 #endif
400
401 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
402 #define ENABLE_CLI_ANYTCPFWD
403 #endif
404
405 #if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
406 #define DROPBEAR_TCP_ACCEPT
407 #endif
408
409 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
410 defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
411 defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD)
412 #define USING_LISTENERS
413 #endif
414
415 #if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
416 #define ENABLE_CLI_MULTIHOP
417 #endif
418
419 #if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
420 #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
421 #endif
422
423 #if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
424 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
425 #endif
426
427 #if defined(DROPBEAR_RANDOM_DEV) && defined(DROPBEAR_PRNGD_SOCKET)
428 #error "You can't turn on DROPBEAR_PRNGD_SOCKET and DROPBEAR_RANDOM_DEV at once"
429 #endif
430
431 #if !defined(DROPBEAR_RANDOM_DEV) && !defined(DROPBEAR_PRNGD_SOCKET)
432 #error "You must choose one of DROPBEAR_PRNGD_SOCKET or DROPBEAR_RANDOM_DEV in options.h"
433 #endif
434
435 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
436 * code, if we're just compiling as client or server */
437 #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)
438
439 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
440 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
441
442 #elif defined(DROPBEAR_SERVER)
443
444 #define IS_DROPBEAR_SERVER 1
445 #define IS_DROPBEAR_CLIENT 0
446
447 #elif defined(DROPBEAR_CLIENT)
448
449 #define IS_DROPBEAR_SERVER 0
450 #define IS_DROPBEAR_CLIENT 1
451
452 #else
453 #error You must compiled with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected
454 #endif
455 255
456 #endif /* _OPTIONS_H_ */ 256 #endif /* _OPTIONS_H_ */