diff default_options.h.in @ 1514:6c16a05023aa

rename some options and move some to sysoptions.h
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Feb 2018 00:29:17 +0800
parents 2d450c1056e3
children 7c7c5326ad73
line wrap: on
line diff
--- a/default_options.h.in	Sat Feb 17 12:16:18 2018 +0800
+++ b/default_options.h.in	Sun Feb 18 00:29:17 2018 +0800
@@ -36,9 +36,9 @@
 #define NON_INETD_MODE 1
 #define INETD_MODE 1
 
-#if !(NON_INETD_MODE || INETD_MODE)
-	#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
-#endif
+/* Include verbose debug output, enabled with -v at runtime. 
+ * This will add a reasonable amount to your executable size. */
+#define DEBUG_TRACE 0
 
 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
 several kB in binary size however will make the symmetrical ciphers and hashes
@@ -63,7 +63,6 @@
 #define DROPBEAR_SVR_AGENTFWD 1
 #define DROPBEAR_CLI_AGENTFWD 1
 
-
 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
  * allow multihop dbclient connections */
 
@@ -79,9 +78,10 @@
 #define DROPBEAR_USER_ALGO_LIST 1
 
 /* Encryption - at least one required.
- * Protocol RFC requires 3DES and recommends AES128 for interoperability.
- * Including multiple keysize variants the same cipher 
- * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+ * AES128 should be enabled, some very old implementations might only
+ * support 3DES.
+ * Including both AES keysize variants (128 and 256) will result in 
+ * a minimal size increase */
 #define DROPBEAR_AES128 1
 #define DROPBEAR_3DES 1
 #define DROPBEAR_AES256 1
@@ -90,16 +90,11 @@
 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
 #define DROPBEAR_BLOWFISH 0
 
-#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
-      || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
-	#error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended."
-#endif
-
 /* Enable CBC mode for ciphers. This has security issues though
  * is the most compatible with older SSH implementations */
 #define DROPBEAR_ENABLE_CBC_MODE 1
 
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
+/* Enable "Counter Mode" for ciphers. This is more secure than
  * CBC mode against certain attacks. It is recommended for security
  * and forwards compatibility */
 #define DROPBEAR_ENABLE_CTR_MODE 1
@@ -114,7 +109,7 @@
 #define DROPBEAR_SHA1_HMAC 1
 #define DROPBEAR_SHA1_96_HMAC 1
 #define DROPBEAR_SHA2_256_HMAC 1
-/* Default is to include it is sha512 is being compiled in for ECDSA */
+/* Default is to include it if sha512 is being compiled in for ECDSA */
 #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
 
 /* XXX needed for fingerprints */
@@ -133,10 +128,6 @@
  * on x86-64 */
 #define DROPBEAR_ECDSA 1
 
-#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
-	#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
-#endif
-
 /* RSA must be >=1024 */
 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
 /* DSS is always 1024 */
@@ -193,6 +184,7 @@
 
 /* Authentication Types - at least one required.
    RFC Draft requires pubkey auth, and recommends password */
+#define DROPBEAR_SVR_PASSWORD_AUTH 1
 
 /* Note: PAM auth is quite simple and only works for PAM modules which just do
  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
@@ -200,69 +192,26 @@
  * but there's an interface via a PAM module. It won't work for more complex
  * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
-
-/* PAM requires ./configure --enable-pam */
-#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH
-	#define DROPBEAR_SVR_PAM_AUTH 1
-#else
-	#define DROPBEAR_SVR_PAM_AUTH 0
-#endif
-
-/* This requires crypt() */
-#if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH
-	#define DROPBEAR_SVR_PASSWORD_AUTH 1
-#else
-	#define DROPBEAR_SVR_PASSWORD_AUTH 0
-#endif
-
-#define DROPBEAR_SVR_PUBKEY_AUTH 1
+#define DROPBEAR_SVR_PAM_AUTH 0
 
-#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
-	#error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended."
-#endif
-
-#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
-	#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
-#endif
-
-#if DROPBEAR_SVR_PAM_AUTH
-	#if DISABLE_PAM
-		#error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed."
-	#endif
-	#if DROPBEAR_SVR_PASSWORD_AUTH
-		#error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH."
-	#endif
-#endif
+/* ~/.ssh/authorized_keys authentication */
+#define DROPBEAR_SVR_PUBKEY_AUTH 1
 
 /* Whether to take public key options in 
  * authorized_keys file into account */
 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
 
-/* This requires getpass. */
-#ifdef HAVE_GETPASS
-	#define DROPBEAR_CLI_PASSWORD_AUTH 1
-	#define DROPBEAR_CLI_INTERACT_AUTH 1
-#else
-	#define DROPBEAR_CLI_PASSWORD_AUTH 0
-	#define DROPBEAR_CLI_INTERACT_AUTH 0
-#endif
+/* Client authentication options */
+#define DROPBEAR_CLI_PASSWORD_AUTH 1
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
 
-#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)
-	#error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."
-#endif
-
 /* A default argument for dbclient -i <privatekey>. 
 Homedir is prepended unless path begins with / */
 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
 
-/* This variable can be used to set a password for client
- * authentication on the commandline. Beware of platforms
- * that don't protect environment variables of processes etc. Also
- * note that it will be provided for all "hidden" client-interactive
- * style prompts - if you want something more sophisticated, use 
- * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#define DROPBEAR_USE_DROPBEAR_PASSWORD 1
+/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
+ * environment variable. */
+#define DROPBEAR_USE_PASSWORD_ENV 1
 
 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
  * a helper program for the ssh client. The helper program should be
@@ -271,22 +220,12 @@
  * return the password on standard output */
 #define DROPBEAR_CLI_ASKPASS_HELPER 0
 
-#if DROPBEAR_CLI_ASKPASS_HELPER
-	#define DROPBEAR_CLI_PASSWORD_AUTH 1
-#endif
+/* Save a network roundtrip by sendng a real auth request immediately after
+ * sending a query for the available methods. This is not yet enabled by default 
+ since it could cause problems with non-compliant servers */ 
+ #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
 
-/* Save a network roundtrip by sendng a real auth request immediately after
- * sending a query for the available methods.  It is at the expense of < 100
- * bytes of extra network traffic. This is not yet enabled by default since it
- * could cause problems with non-compliant servers */
-#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
-
-/* Source for randomness. This must be able to provide hundreds of bytes per SSH
- * connection without blocking. In addition /dev/random is used for seeding
- * rsa/dss key generation */
-#define DROPBEAR_URANDOM_DEV "/dev/urandom"
-
-/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
+/* Set this to use PRNGD or EGD instead of /dev/urandom */
 #define DROPBEAR_USE_PRNGD 0
 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
 
@@ -311,11 +250,11 @@
  * "-q" for quiet */
 #define XAUTH_COMMAND "/usr/bin/xauth -q"
 
-#define DROPBEAR_SFTPSERVER 1
 
 /* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below. If the path isn't defined, sftp will not
- * be enabled */
+ * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. 
+ * The sftp-server program is not provided by Dropbear itself */
+#define DROPBEAR_SFTPSERVER 1
 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
 
 /* This is used by the scp binary when used as a client binary. If you're
@@ -358,8 +297,4 @@
 /* The default path. This will often get replaced by the shell */
 #define DEFAULT_PATH "/usr/bin:/bin"
 
-/* Include verbose debug output, enabled with -v at runtime. 
- * This will add a reasonable amount to your executable size. */
-#define DEBUG_TRACE 0
-
 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */