diff default_options.h @ 1514:6c16a05023aa

rename some options and move some to sysoptions.h
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Feb 2018 00:29:17 +0800
parents 1ea92dd2ca5f
children 2f4d52b1334e
line wrap: on
line diff
--- a/default_options.h	Sat Feb 17 12:16:18 2018 +0800
+++ b/default_options.h	Sun Feb 18 00:29:17 2018 +0800
@@ -57,10 +57,11 @@
 #define INETD_MODE 1
 #endif
 
-/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
- * perhaps 20% slower for pubkey operations (it is probably worth experimenting
- * if you want to use this) */
-/*#define NO_FAST_EXPTMOD*/
+/* Include verbose debug output, enabled with -v at runtime. 
+ * This will add a reasonable amount to your executable size. */
+#ifndef DEBUG_TRACE
+#define DEBUG_TRACE 0
+#endif
 
 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
 several kB in binary size however will make the symmetrical ciphers and hashes
@@ -101,7 +102,6 @@
 #define DROPBEAR_CLI_AGENTFWD 1
 #endif
 
-
 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
  * allow multihop dbclient connections */
 
@@ -118,14 +118,15 @@
 #endif
 
 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
-#ifndef ENABLE_USER_ALGO_LIST
-#define ENABLE_USER_ALGO_LIST 1
+#ifndef DROPBEAR_USER_ALGO_LIST
+#define DROPBEAR_USER_ALGO_LIST 1
 #endif
 
 /* Encryption - at least one required.
- * Protocol RFC requires 3DES and recommends AES128 for interoperability.
- * Including multiple keysize variants the same cipher 
- * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+ * AES128 should be enabled, some very old implementations might only
+ * support 3DES.
+ * Including both AES keysize variants (128 and 256) will result in 
+ * a minimal size increase */
 #ifndef DROPBEAR_AES128
 #define DROPBEAR_AES128 1
 #endif
@@ -135,14 +136,16 @@
 #ifndef DROPBEAR_AES256
 #define DROPBEAR_AES256 1
 #endif
-/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
-/*#define DROPBEAR_BLOWFISH*/
 #ifndef DROPBEAR_TWOFISH256
 #define DROPBEAR_TWOFISH256 1
 #endif
 #ifndef DROPBEAR_TWOFISH128
 #define DROPBEAR_TWOFISH128 1
 #endif
+/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+#ifndef DROPBEAR_BLOWFISH
+#define DROPBEAR_BLOWFISH 0
+#endif
 
 /* Enable CBC mode for ciphers. This has security issues though
  * is the most compatible with older SSH implementations */
@@ -150,7 +153,7 @@
 #define DROPBEAR_ENABLE_CBC_MODE 1
 #endif
 
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
+/* Enable "Counter Mode" for ciphers. This is more secure than
  * CBC mode against certain attacks. It is recommended for security
  * and forwards compatibility */
 #ifndef DROPBEAR_ENABLE_CTR_MODE
@@ -175,7 +178,7 @@
 #ifndef DROPBEAR_SHA2_256_HMAC
 #define DROPBEAR_SHA2_256_HMAC 1
 #endif
-/* Default is to include it is sha512 is being compiled in for ECDSA */
+/* Default is to include it if sha512 is being compiled in for ECDSA */
 #ifndef DROPBEAR_SHA2_512_HMAC
 #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
 #endif
@@ -284,6 +287,9 @@
 
 /* Authentication Types - at least one required.
    RFC Draft requires pubkey auth, and recommends password */
+#ifndef DROPBEAR_SVR_PASSWORD_AUTH
+#define DROPBEAR_SVR_PASSWORD_AUTH 1
+#endif
 
 /* Note: PAM auth is quite simple and only works for PAM modules which just do
  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
@@ -291,21 +297,11 @@
  * but there's an interface via a PAM module. It won't work for more complex
  * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
-
-/* This requires crypt() */
-#ifdef HAVE_CRYPT
-#ifndef DROPBEAR_SVR_PASSWORD_AUTH
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
-#endif
-#else
-#ifndef DROPBEAR_SVR_PASSWORD_AUTH
-#define DROPBEAR_SVR_PASSWORD_AUTH 0
-#endif
-#endif
-/* PAM requires ./configure --enable-pam */
 #ifndef DROPBEAR_SVR_PAM_AUTH
 #define DROPBEAR_SVR_PAM_AUTH 0
 #endif
+
+/* ~/.ssh/authorized_keys authentication */
 #ifndef DROPBEAR_SVR_PUBKEY_AUTH
 #define DROPBEAR_SVR_PUBKEY_AUTH 1
 #endif
@@ -316,15 +312,10 @@
 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
 #endif
 
-/* This requires getpass. */
-#ifdef HAVE_GETPASS
+/* Client authentication options */
 #ifndef DROPBEAR_CLI_PASSWORD_AUTH
 #define DROPBEAR_CLI_PASSWORD_AUTH 1
 #endif
-#ifndef DROPBEAR_CLI_INTERACT_AUTH
-#define DROPBEAR_CLI_INTERACT_AUTH 1
-#endif
-#endif
 #ifndef DROPBEAR_CLI_PUBKEY_AUTH
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
 #endif
@@ -335,14 +326,10 @@
 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
 #endif
 
-/* This variable can be used to set a password for client
- * authentication on the commandline. Beware of platforms
- * that don't protect environment variables of processes etc. Also
- * note that it will be provided for all "hidden" client-interactive
- * style prompts - if you want something more sophisticated, use 
- * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#ifndef DROPBEAR_PASSWORD_ENV
-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
+/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
+ * environment variable. */
+#ifndef DROPBEAR_USE_PASSWORD_ENV
+#define DROPBEAR_USE_PASSWORD_ENV 1
 #endif
 
 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
@@ -355,23 +342,17 @@
 #endif
 
 /* Save a network roundtrip by sendng a real auth request immediately after
- * sending a query for the available methods.  It is at the expense of < 100
- * bytes of extra network traffic. This is not yet enabled by default since it
- * could cause problems with non-compliant servers */
-#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
-#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
-#endif
+ * sending a query for the available methods. This is not yet enabled by default 
+ since it could cause problems with non-compliant servers */ 
+ #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
 
-/* Source for randomness. This must be able to provide hundreds of bytes per SSH
- * connection without blocking. In addition /dev/random is used for seeding
- * rsa/dss key generation */
-#ifndef DROPBEAR_URANDOM_DEV
-#define DROPBEAR_URANDOM_DEV "/dev/urandom"
+/* Set this to use PRNGD or EGD instead of /dev/urandom */
+#ifndef DROPBEAR_USE_PRNGD
+#define DROPBEAR_USE_PRNGD 0
 #endif
-
-/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
-/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
-
+#ifndef DROPBEAR_PRNGD_SOCKET
+#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
+#endif
 
 /* Specify the number of clients we will allow to be connected but
  * not yet authenticated. After this limit, connections are rejected */
@@ -404,9 +385,13 @@
 #define XAUTH_COMMAND "/usr/bin/xauth -q"
 #endif
 
+
 /* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below. If the path isn't defined, sftp will not
- * be enabled */
+ * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. 
+ * The sftp-server program is not provided by Dropbear itself */
+#ifndef DROPBEAR_SFTPSERVER
+#define DROPBEAR_SFTPSERVER 1
+#endif
 #ifndef SFTPSERVER_PATH
 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
 #endif