diff options.h @ 847:f4bb964c8678 keyondemand

Add '-R' for delayed hostkey option
author Matt Johnston <matt@ucc.asn.au>
date Thu, 07 Nov 2013 23:49:37 +0800
parents b298bb438625
children 754d7bee1068
line wrap: on
line diff
--- a/options.h	Thu Nov 07 00:18:52 2013 +0800
+++ b/options.h	Thu Nov 07 23:49:37 2013 +0800
@@ -8,7 +8,7 @@
 /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
 
-/* Important: Many options will require "make clean" after changes */
+/* IMPORTANT: Many options will require "make clean" after changes */
 
 #ifndef DROPBEAR_DEFPORT
 #define DROPBEAR_DEFPORT "22"
@@ -129,7 +129,7 @@
 
 /* You can also disable integrity. Don't bother disabling this if you're
  * still using a cipher, it's relatively cheap. If you disable this it's dead
- * simple to run arbitrary commands on the remote host. Beware. */
+ * simple for an attacker to run arbitrary commands on the remote host. Beware. */
 /* #define DROPBEAR_NONE_INTEGRITY */
 
 /* Hostkey/public key algorithms - at least one required, these are used
@@ -138,15 +138,22 @@
  * SSH2 RFC Draft requires dss, recommends rsa */
 #define DROPBEAR_RSA
 #define DROPBEAR_DSS
+#define DROPBEAR_ECDSA
 
-#define DROPBEAR_ECDH
-#define DROPBEAR_ECDSA
+/* Generate hostkeys as-needed when the first connection using that key type occurs.
+   This avoids the need to otherwise run "dropbearkey" and avoids some problems
+   with badly seeded random devices when systems first boot.
+   This also requires a runtime flag "-R". */
+#define DROPBEAR_DELAY_HOSTKEY
 
 /* RSA can be vulnerable to timing attacks which use the time required for
  * signing to guess the private key. Blinding avoids this attack, though makes
  * signing operations slightly slower. */
 #define RSA_BLINDING
 
+/* Enable elliptic curve Diffie Hellman key exchange */
+#define DROPBEAR_ECDH
+
 /* Control the memory/performance/compression tradeoff for zlib.
  * Set windowBits=8 for least memory usage, see your system's
  * zlib.h for full details.
@@ -180,9 +187,9 @@
  * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
 
-//#define ENABLE_SVR_PASSWORD_AUTH
+#define ENABLE_SVR_PASSWORD_AUTH
 /* PAM requires ./configure --enable-pam */
-#define ENABLE_SVR_PAM_AUTH
+/*#define ENABLE_SVR_PAM_AUTH */
 #define ENABLE_SVR_PUBKEY_AUTH
 
 /* Whether to take public key options in