Mercurial > dropbear

comparison options.h @ 4:fe6bca95afa7

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Makefile.in contains updated files required
author Matt Johnston <matt@ucc.asn.au>
date Tue, 01 Jun 2004 02:46:09 +0000
parents
children 7f77962de998
comparison
equal deleted inserted replaced
-1:000000000000 4:fe6bca95afa7
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24
25 #ifndef _OPTIONS_H_
26 #define _OPTIONS_H_
27
28 /******************************************************************
29 * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
30 * parts are to allow for commandline -DDROPBEAR_XXX options etc.
31 ******************************************************************/
32 #define DROPBEAR_SERVER
33 /* #define DROPBEAR_CLIENT */
34
35 #ifndef DROPBEAR_PORT
36 #define DROPBEAR_PORT 22
37 #endif
38
39 /* Default hostkey paths - these can be specified on the command line */
40 #ifndef DSS_PRIV_FILENAME
41 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
42 #endif
43 #ifndef RSA_PRIV_FILENAME
44 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
45 #endif
46
47 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
48 * perhaps 20% slower for pubkey operations (it is probably worth experimenting
49 * if you want to use this) */
50 /*#define NO_FAST_EXPTMOD*/
51
52 /* Enable X11 Forwarding */
53 #define ENABLE_X11FWD
54
55 /* Enable TCP Fowarding */
56 /* OpenSSH's "-L" style forwarding (client port forwarded via server) */
57 #define ENABLE_LOCALTCPFWD
58 /* OpenSSH's "-R" style forwarding (server port forwarded via client) */
59 #define ENABLE_REMOTETCPFWD
60
61 /* Enable Authentication Agent Forwarding */
62 #define ENABLE_AGENTFWD
63
64 /* Encryption - at least one required.
65 * RFC Draft requires 3DES, and recommends Blowfish, AES128 & Twofish128 */
66 #define DROPBEAR_AES128_CBC
67 #define DROPBEAR_BLOWFISH_CBC
68 #define DROPBEAR_TWOFISH128_CBC
69 #define DROPBEAR_3DES_CBC
70
71 /* Integrity - at least one required.
72 * RFC Draft requires sha1-hmac, and recommends md5-hmac.
73 *
74 * Note: there's no point disabling sha1 to save space, since it's used in the
75 * for the random number generator and public-key cryptography anyway.
76 * Disabling it here will just stop it from being used as the integrity portion
77 * of the ssh protocol.
78 *
79 * These are also used for key fingerprints in logs (when pubkey auth is used),
80 * MD5 fingerprints are printed if available, however SHA1 fingerprints will be
81 * generated otherwise. This isn't exactly optimal, although SHA1 fingerprints
82 * are not too hard to create from pubkeys if required. */
83 #define DROPBEAR_SHA1_HMAC
84 #define DROPBEAR_MD5_HMAC
85
86 /* Hostkey/public key algorithms - at least one required, these are used
87 * for hostkey as well as for verifying signatures with pubkey auth.
88 * Removing either of these won't save very much space.
89 * SSH2 RFC Draft requires dss, recommends rsa */
90 #define DROPBEAR_RSA
91 #define DROPBEAR_DSS
92
93 /* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss,
94 * rather than just from the random byte source. Undefining this will save you
95 * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed
96 * if the random number source isn't good. In general this isn't required */
97 /* #define DSS_PROTOK */
98
99 /* Whether to do reverse DNS lookups. This is advisable, though will add
100 * code size with gethostbyname() etc, so for very small environments where
101 * you are statically linking, you might want to undefine this */
102 #define DO_HOST_LOOKUP
103
104 /* Whether to print the message of the day (MOTD). This doesn't add much code
105 * size */
106 #define DO_MOTD
107
108 /* The MOTD file path */
109 #ifndef MOTD_FILENAME
110 #define MOTD_FILENAME "/etc/motd"
111 #endif
112
113 /* Authentication types to enable, at least one required.
114 RFC Draft requires pubkey auth, and recommends password */
115 #define DROPBEAR_PASSWORD_AUTH
116 #define DROPBEAR_PUBKEY_AUTH
117
118 /* Random device to use - you must specify _one only_.
119 * DEV_RANDOM is recommended on hosts with a good /dev/urandom, otherwise use
120 * PRNGD and run prngd, specifying the socket. This device must be able to
121 * produce a large amount of random data, so using /dev/random or Entropy
122 * Gathering Daemon (egd) may result in halting, as it waits for more random
123 * data */
124 #define DROPBEAR_DEV_URANDOM /* use /dev/urandom */
125
126 /*#undef DROPBEAR_PRNGD */ /* use prngd socket - you must manually set up prngd
127 to produce output */
128 #ifndef DROPBEAR_PRNGD_SOCKET
129 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
130 #endif
131
132 /* Specify the number of clients we will allow to be connected but
133 * not yet authenticated. After this limit, connections are rejected */
134 #ifndef MAX_UNAUTH_CLIENTS
135 #define MAX_UNAUTH_CLIENTS 30
136 #endif
137
138 /* Maximum number of failed authentication tries */
139 #ifndef MAX_AUTH_TRIES
140 #define MAX_AUTH_TRIES 10
141 #endif
142
143 /* The file to store the daemon's process ID, for shutdown scripts etc */
144 #ifndef DROPBEAR_PIDFILE
145 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
146 #endif
147
148 /* The command to invoke for xauth when using X11 forwarding.
149 * "-q" for quiet */
150 #ifndef XAUTH_COMMAND
151 #define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q"
152 #endif
153
154 /* if you want to enable running an sftp server (such as the one included with
155 * OpenSSH), set the path below. If the path isn't defined, sftp will not
156 * be enabled */
157 #ifndef SFTPSERVER_PATH
158 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
159 #endif
160
161 /* This is used by the scp binary when used as a client binary */
162 #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
163
164 /* Multi-purpose binary configuration - if you want to make the combined
165 * binary, first define DROPBEAR_MULTI, and then define which of the three
166 * components you want. You should then compile Dropbear with
167 * "make clean; make dropbearmulti". You'll need to install the binary
168 * manually, see MULTI for details */
169
170 /* #define DROPBEAR_MULTI */
171
172 /* The three multi binaries: dropbear, dropbearkey, dropbearconvert
173 * Comment out these if you don't want some of them */
174 #define DBMULTI_DROPBEAR
175 #define DBMULTI_KEY
176 #define DBMULTI_CONVERT
177
178
179 /*******************************************************************
180 * You shouldn't edit below here unless you know you need to.
181 *******************************************************************/
182
183 #ifndef DROPBEAR_VERSION
184 #define DROPBEAR_VERSION "0.41"
185 #endif
186
187 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
188 #define PROGNAME "dropbear"
189
190 /* Spec recommends after one hour or 1 gigabyte of data. One hour
191 * is a bit too verbose, so we try 8 hours */
192 #ifndef KEX_REKEY_TIMEOUT
193 #define KEX_REKEY_TIMEOUT (3600 * 8)
194 #endif
195 #ifndef KEX_REKEY_DATA
196 #define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
197 #endif
198 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
199 #ifndef AUTH_TIMEOUT
200 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
201 #endif
202
203 /* Minimum key sizes for DSS and RSA */
204 #ifndef MIN_DSS_KEYLEN
205 #define MIN_DSS_KEYLEN 512
206 #endif
207 #ifndef MIN_RSA_KEYLEN
208 #define MIN_RSA_KEYLEN 512
209 #endif
210
211 #define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
212
213 #define DEV_URANDOM "/dev/urandom"
214
215 /* the number of NAME=VALUE pairs to malloc for environ, if we don't have
216 * the clearenv() function */
217 #define ENV_SIZE 100
218
219 #define MAX_CMD_LEN 1024 /* max length of a command */
220 #define MAX_TERM_LEN 200 /* max length of TERM name */
221
222 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
223 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
224
225 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
226 ipv4 and ipv6 don't count twice */
227
228 #define _PATH_TTY "/dev/tty"
229
230 /* Timeouts in seconds */
231 #define SELECT_TIMEOUT 20
232
233 /* success/failure defines */
234 #define DROPBEAR_SUCCESS 0
235 #define DROPBEAR_FAILURE -1
236
237 /* various algorithm identifiers */
238 #define DROPBEAR_KEX_DH_GROUP1 0
239
240 #define DROPBEAR_SIGNKEY_ANY 0
241 #define DROPBEAR_SIGNKEY_RSA 1
242 #define DROPBEAR_SIGNKEY_DSS 2
243
244 #define DROPBEAR_COMP_NONE 0
245 #define DROPBEAR_COMP_ZLIB 1
246
247 /* Required for pubkey auth */
248 #ifdef DROPBEAR_PUBKEY_AUTH
249 #define DROPBEAR_SIGNKEY_VERIFY
250 #endif
251
252 /* SHA1 is 20 bytes == 160 bits */
253 #define SHA1_HASH_SIZE 20
254 /* SHA512 is 64 bytes == 512 bits */
255 #define SHA512_HASH_SIZE 64
256 /* MD5 is 16 bytes = 128 bits */
257 #define MD5_HASH_SIZE 16
258
259 /* largest of MD5 and SHA1 */
260 #define MAX_MAC_LEN SHA1_HASH_SIZE
261
262
263 #define MAX_KEY_LEN 24 /* 3DES requires a 24 byte key */
264 #define MAX_IV_LEN 20 /* must be same as max blocksize,
265 and >= SHA1_HASH_SIZE */
266 #define MAX_MAC_KEY 20
267
268 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
269 explicitly specified for all protocols (just
270 for algos) but seems valid */
271
272 #define MAX_PROPOSED_ALGO 20
273
274 /* size/count limits */
275 #define MAX_LISTEN_ADDR 10
276
277 #define MAX_PACKET_LEN 35000
278 #define MIN_PACKET_LEN 16
279 #define MAX_PAYLOAD_LEN 32768
280
281 #define MAX_TRANS_PAYLOAD_LEN 32768
282 #define MAX_TRANS_PACKET_LEN (MAX_TRANS_PAYLOAD_LEN+50)
283
284 #define MAX_TRANS_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
285 #define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */
286
287 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also
288 is the max length for a password etc */
289
290 #ifndef ENABLE_X11FWD
291 #define DISABLE_X11FWD
292 #endif
293
294 #ifndef ENABLE_AGENTFWD
295 #define DISABLE_AGENTFWD
296 #endif
297
298 #ifndef ENABLE_LOCALTCPFWD
299 #define DISABLE_LOCALTCPFWD
300 #endif
301
302 #ifndef ENABLE_REMOTETCPFWD
303 #define DISABLE_REMOTETCPFWD
304 #endif
305
306 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
307 * code, if we're just compiling as client or server */
308 #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)
309
310 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
311 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
312
313 #elif defined(DROPBEAR_SERVER)
314
315 #define IS_DROPBEAR_SERVER 1
316 #define IS_DROPBEAR_CLIENT 0
317
318 #elif defined(DROPBEAR_CLIENT)
319
320 #define IS_DROPBEAR_SERVER 0
321 #define IS_DROPBEAR_CLIENT 1
322
323 #else
324 #error You must compiled with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected
325 #endif
326
327 #endif /* _OPTIONS_H_ */