Mercurial > dropbear
diff options.h @ 847:f4bb964c8678 keyondemand
Add '-R' for delayed hostkey option
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 07 Nov 2013 23:49:37 +0800 |
parents | b298bb438625 |
children | 754d7bee1068 |
line wrap: on
line diff
--- a/options.h Thu Nov 07 00:18:52 2013 +0800 +++ b/options.h Thu Nov 07 23:49:37 2013 +0800 @@ -8,7 +8,7 @@ /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ -/* Important: Many options will require "make clean" after changes */ +/* IMPORTANT: Many options will require "make clean" after changes */ #ifndef DROPBEAR_DEFPORT #define DROPBEAR_DEFPORT "22" @@ -129,7 +129,7 @@ /* You can also disable integrity. Don't bother disabling this if you're * still using a cipher, it's relatively cheap. If you disable this it's dead - * simple to run arbitrary commands on the remote host. Beware. */ + * simple for an attacker to run arbitrary commands on the remote host. Beware. */ /* #define DROPBEAR_NONE_INTEGRITY */ /* Hostkey/public key algorithms - at least one required, these are used @@ -138,15 +138,22 @@ * SSH2 RFC Draft requires dss, recommends rsa */ #define DROPBEAR_RSA #define DROPBEAR_DSS +#define DROPBEAR_ECDSA -#define DROPBEAR_ECDH -#define DROPBEAR_ECDSA +/* Generate hostkeys as-needed when the first connection using that key type occurs. + This avoids the need to otherwise run "dropbearkey" and avoids some problems + with badly seeded random devices when systems first boot. + This also requires a runtime flag "-R". */ +#define DROPBEAR_DELAY_HOSTKEY /* RSA can be vulnerable to timing attacks which use the time required for * signing to guess the private key. Blinding avoids this attack, though makes * signing operations slightly slower. */ #define RSA_BLINDING +/* Enable elliptic curve Diffie Hellman key exchange */ +#define DROPBEAR_ECDH + /* Control the memory/performance/compression tradeoff for zlib. * Set windowBits=8 for least memory usage, see your system's * zlib.h for full details. @@ -180,9 +187,9 @@ * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ -//#define ENABLE_SVR_PASSWORD_AUTH +#define ENABLE_SVR_PASSWORD_AUTH /* PAM requires ./configure --enable-pam */ -#define ENABLE_SVR_PAM_AUTH +/*#define ENABLE_SVR_PAM_AUTH */ #define ENABLE_SVR_PUBKEY_AUTH /* Whether to take public key options in