comparison options.h @ 847:f4bb964c8678 keyondemand
Add '-R' for delayed hostkey option
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 07 Nov 2013 23:49:37 +0800 |
parents | b298bb438625 |
children | 754d7bee1068 |
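--- a/options.h
+++ b/options.h
@@ -6,11 +6,11 @@
 #define _OPTIONS_H_
 
 /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
 * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
 
-/* Important: Many options will require "make clean" after changes */
+/* IMPORTANT: Many options will require "make clean" after changes */
 
 #ifndef DROPBEAR_DEFPORT
 #define DROPBEAR_DEFPORT "22"
 #endif
 
@@ -127,27 +127,34 @@
 /*#define DROPBEAR_SHA2_512_HMAC*/
 #define DROPBEAR_MD5_HMAC
 
 /* You can also disable integrity. Don't bother disabling this if you're
 * still using a cipher, it's relatively cheap. If you disable this it's dead
-* simple to run arbitrary commands on the remote host. Beware. */
+* simple for an attacker to run arbitrary commands on the remote host. Beware. */
 /* #define DROPBEAR_NONE_INTEGRITY */
 
 /* Hostkey/public key algorithms - at least one required, these are used
 * for hostkey as well as for verifying signatures with pubkey auth.
 * Removing either of these won't save very much space.
 * SSH2 RFC Draft requires dss, recommends rsa */
 #define DROPBEAR_RSA
 #define DROPBEAR_DSS
-
-#define DROPBEAR_ECDH
 #define DROPBEAR_ECDSA
+
+/* Generate hostkeys as-needed when the first connection using that key type occurs.
+This avoids the need to otherwise run "dropbearkey" and avoids some problems
+with badly seeded random devices when systems first boot.
+This also requires a runtime flag "-R". */
+#define DROPBEAR_DELAY_HOSTKEY
 
 /* RSA can be vulnerable to timing attacks which use the time required for
 * signing to guess the private key. Blinding avoids this attack, though makes
 * signing operations slightly slower. */
 #define RSA_BLINDING
+
+/* Enable elliptic curve Diffie Hellman key exchange */
+#define DROPBEAR_ECDH
 
 /* Control the memory/performance/compression tradeoff for zlib.
 * Set windowBits=8 for least memory usage, see your system's
 * zlib.h for full details.
 * Default settings (windowBits=15) will use 256kB for compression
@@ -178,13 +185,13 @@
 * It's useful for systems like OS X where standard password crypts don't work
 * but there's an interface via a PAM module. It won't work for more complex
 * PAM challenge/response.
 * You can't enable both PASSWORD and PAM. */
 
-//#define ENABLE_SVR_PASSWORD_AUTH
+#define ENABLE_SVR_PASSWORD_AUTH
 /* PAM requires ./configure --enable-pam */
-#define ENABLE_SVR_PAM_AUTH
+/*#define ENABLE_SVR_PAM_AUTH */
 #define ENABLE_SVR_PUBKEY_AUTH
 
 /* Whether to take public key options in
 * authorized_keys file into account */
 #ifdef ENABLE_SVR_PUBKEY_AUTH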
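Review bot: The last hunk changes the server's default authentication build options, which the commit title ("Add '-R' for delayed hostkey option") does not cover: `ENABLE_SVR_PASSWORD_AUTH` goes from commented out to defined, and `ENABLE_SVR_PAM_AUTH` from defined to commented out. Anyone building from this revision gets password authentication instead of PAM with nothing in the description saying so. This may be restoring the intended defaults after a local test configuration, but that is not stated, so I would move it to its own commit or add a line to the description. Separately, the new `DROPBEAR_DELAY_HOSTKEY` comment drops the ` * ` continuation prefix used by the other comments in this file. It could also note that the key is then generated while a not-yet-authenticated client is connecting, so the key's quality still depends on the random source being seeded by that time.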