Mercurial > dropbear
diff sysoptions.h @ 1861:2b3a8026a6ce
Add re-exec for server
This allows ASLR to re-randomize the address
space for every connection, preventing some
vulnerabilities from being exploitable by
repeated probing.
Overhead (memory and time) is yet to be confirmed.
At present this is only enabled on Linux. Other BSD platforms
with fexecve() would probably also work though have not been tested.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 30 Jan 2022 10:14:56 +0800 |
parents | 35d504d59c05 |
children | 6f265a35159a |
line wrap: on
line diff
--- a/sysoptions.h Thu Jan 27 15:09:29 2022 +0800 +++ b/sysoptions.h Sun Jan 30 10:14:56 2022 +0800 @@ -29,6 +29,9 @@ #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." #endif +/* Would probably work on freebsd but hasn't been tested */ +#define DROPBEAR_DO_REEXEC (defined(HAVE_FEXECVE) && DROPBEAR_REEXEC && defined(__linux__)) + /* A client should try and send an initial key exchange packet guessing * the algorithm that will match - saves a round trip connecting, has little * overhead if the guess was "wrong". */