# HG changeset patch # User Matt Johnston # Date 1518884957 -28800 # Node ID 6c16a05023aadd343b272769b742cefbc46225c4 # Parent c7675aa888809cb3adc3e62ec199c65809724d38 rename some options and move some to sysoptions.h diff -r c7675aa88880 -r 6c16a05023aa cli-auth.c --- a/cli-auth.c Sat Feb 17 12:16:18 2018 +0800 +++ b/cli-auth.c Sun Feb 18 00:29:17 2018 +0800 @@ -60,7 +60,7 @@ */ if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) { ses.authstate.authtypes = AUTH_TYPE_PUBKEY; -#if DROPBEAR_USE_DROPBEAR_PASSWORD +#if DROPBEAR_USE_PASSWORD_ENV if (getenv(DROPBEAR_PASSWORD_ENV)) { ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; } @@ -337,7 +337,7 @@ { char* password = NULL; -#if DROPBEAR_USE_DROPBEAR_PASSWORD +#if DROPBEAR_USE_PASSWORD_ENV /* Password provided in an environment var */ password = getenv(DROPBEAR_PASSWORD_ENV); if (password) diff -r c7675aa88880 -r 6c16a05023aa default_options.h --- a/default_options.h Sat Feb 17 12:16:18 2018 +0800 +++ b/default_options.h Sun Feb 18 00:29:17 2018 +0800 @@ -57,10 +57,11 @@ #define INETD_MODE 1 #endif -/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is - * perhaps 20% slower for pubkey operations (it is probably worth experimenting - * if you want to use this) */ -/*#define NO_FAST_EXPTMOD*/ +/* Include verbose debug output, enabled with -v at runtime. + * This will add a reasonable amount to your executable size. */ +#ifndef DEBUG_TRACE +#define DEBUG_TRACE 0 +#endif /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save several kB in binary size however will make the symmetrical ciphers and hashes @@ -101,7 +102,6 @@ #define DROPBEAR_CLI_AGENTFWD 1 #endif - /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to * allow multihop dbclient connections */ @@ -118,14 +118,15 @@ #endif /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ -#ifndef ENABLE_USER_ALGO_LIST -#define ENABLE_USER_ALGO_LIST 1 +#ifndef DROPBEAR_USER_ALGO_LIST +#define DROPBEAR_USER_ALGO_LIST 1 #endif /* Encryption - at least one required. - * Protocol RFC requires 3DES and recommends AES128 for interoperability. - * Including multiple keysize variants the same cipher - * (eg AES256 as well as AES128) will result in a minimal size increase.*/ + * AES128 should be enabled, some very old implementations might only + * support 3DES. + * Including both AES keysize variants (128 and 256) will result in + * a minimal size increase */ #ifndef DROPBEAR_AES128 #define DROPBEAR_AES128 1 #endif @@ -135,14 +136,16 @@ #ifndef DROPBEAR_AES256 #define DROPBEAR_AES256 1 #endif -/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ -/*#define DROPBEAR_BLOWFISH*/ #ifndef DROPBEAR_TWOFISH256 #define DROPBEAR_TWOFISH256 1 #endif #ifndef DROPBEAR_TWOFISH128 #define DROPBEAR_TWOFISH128 1 #endif +/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ +#ifndef DROPBEAR_BLOWFISH +#define DROPBEAR_BLOWFISH 0 +#endif /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ @@ -150,7 +153,7 @@ #define DROPBEAR_ENABLE_CBC_MODE 1 #endif -/* Enable "Counter Mode" for ciphers. This is more secure than normal +/* Enable "Counter Mode" for ciphers. This is more secure than * CBC mode against certain attacks. It is recommended for security * and forwards compatibility */ #ifndef DROPBEAR_ENABLE_CTR_MODE @@ -175,7 +178,7 @@ #ifndef DROPBEAR_SHA2_256_HMAC #define DROPBEAR_SHA2_256_HMAC 1 #endif -/* Default is to include it is sha512 is being compiled in for ECDSA */ +/* Default is to include it if sha512 is being compiled in for ECDSA */ #ifndef DROPBEAR_SHA2_512_HMAC #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA) #endif @@ -284,6 +287,9 @@ /* Authentication Types - at least one required. RFC Draft requires pubkey auth, and recommends password */ +#ifndef DROPBEAR_SVR_PASSWORD_AUTH +#define DROPBEAR_SVR_PASSWORD_AUTH 1 +#endif /* Note: PAM auth is quite simple and only works for PAM modules which just do * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). @@ -291,21 +297,11 @@ * but there's an interface via a PAM module. It won't work for more complex * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ - -/* This requires crypt() */ -#ifdef HAVE_CRYPT -#ifndef DROPBEAR_SVR_PASSWORD_AUTH -#define DROPBEAR_SVR_PASSWORD_AUTH 1 -#endif -#else -#ifndef DROPBEAR_SVR_PASSWORD_AUTH -#define DROPBEAR_SVR_PASSWORD_AUTH 0 -#endif -#endif -/* PAM requires ./configure --enable-pam */ #ifndef DROPBEAR_SVR_PAM_AUTH #define DROPBEAR_SVR_PAM_AUTH 0 #endif + +/* ~/.ssh/authorized_keys authentication */ #ifndef DROPBEAR_SVR_PUBKEY_AUTH #define DROPBEAR_SVR_PUBKEY_AUTH 1 #endif @@ -316,15 +312,10 @@ #define DROPBEAR_SVR_PUBKEY_OPTIONS 1 #endif -/* This requires getpass. */ -#ifdef HAVE_GETPASS +/* Client authentication options */ #ifndef DROPBEAR_CLI_PASSWORD_AUTH #define DROPBEAR_CLI_PASSWORD_AUTH 1 #endif -#ifndef DROPBEAR_CLI_INTERACT_AUTH -#define DROPBEAR_CLI_INTERACT_AUTH 1 -#endif -#endif #ifndef DROPBEAR_CLI_PUBKEY_AUTH #define DROPBEAR_CLI_PUBKEY_AUTH 1 #endif @@ -335,14 +326,10 @@ #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" #endif -/* This variable can be used to set a password for client - * authentication on the commandline. Beware of platforms - * that don't protect environment variables of processes etc. Also - * note that it will be provided for all "hidden" client-interactive - * style prompts - if you want something more sophisticated, use - * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ -#ifndef DROPBEAR_PASSWORD_ENV -#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" +/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD + * environment variable. */ +#ifndef DROPBEAR_USE_PASSWORD_ENV +#define DROPBEAR_USE_PASSWORD_ENV 1 #endif /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of @@ -355,23 +342,17 @@ #endif /* Save a network roundtrip by sendng a real auth request immediately after - * sending a query for the available methods. It is at the expense of < 100 - * bytes of extra network traffic. This is not yet enabled by default since it - * could cause problems with non-compliant servers */ -#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH -#define DROPBEAR_CLI_IMMEDIATE_AUTH 0 -#endif + * sending a query for the available methods. This is not yet enabled by default + since it could cause problems with non-compliant servers */ + #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 -/* Source for randomness. This must be able to provide hundreds of bytes per SSH - * connection without blocking. In addition /dev/random is used for seeding - * rsa/dss key generation */ -#ifndef DROPBEAR_URANDOM_DEV -#define DROPBEAR_URANDOM_DEV "/dev/urandom" +/* Set this to use PRNGD or EGD instead of /dev/urandom */ +#ifndef DROPBEAR_USE_PRNGD +#define DROPBEAR_USE_PRNGD 0 #endif - -/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */ -/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ - +#ifndef DROPBEAR_PRNGD_SOCKET +#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" +#endif /* Specify the number of clients we will allow to be connected but * not yet authenticated. After this limit, connections are rejected */ @@ -404,9 +385,13 @@ #define XAUTH_COMMAND "/usr/bin/xauth -q" #endif + /* if you want to enable running an sftp server (such as the one included with - * OpenSSH), set the path below. If the path isn't defined, sftp will not - * be enabled */ + * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. + * The sftp-server program is not provided by Dropbear itself */ +#ifndef DROPBEAR_SFTPSERVER +#define DROPBEAR_SFTPSERVER 1 +#endif #ifndef SFTPSERVER_PATH #define SFTPSERVER_PATH "/usr/libexec/sftp-server" #endif diff -r c7675aa88880 -r 6c16a05023aa default_options.h.in --- a/default_options.h.in Sat Feb 17 12:16:18 2018 +0800 +++ b/default_options.h.in Sun Feb 18 00:29:17 2018 +0800 @@ -36,9 +36,9 @@ #define NON_INETD_MODE 1 #define INETD_MODE 1 -#if !(NON_INETD_MODE || INETD_MODE) - #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." -#endif +/* Include verbose debug output, enabled with -v at runtime. + * This will add a reasonable amount to your executable size. */ +#define DEBUG_TRACE 0 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save several kB in binary size however will make the symmetrical ciphers and hashes @@ -63,7 +63,6 @@ #define DROPBEAR_SVR_AGENTFWD 1 #define DROPBEAR_CLI_AGENTFWD 1 - /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to * allow multihop dbclient connections */ @@ -79,9 +78,10 @@ #define DROPBEAR_USER_ALGO_LIST 1 /* Encryption - at least one required. - * Protocol RFC requires 3DES and recommends AES128 for interoperability. - * Including multiple keysize variants the same cipher - * (eg AES256 as well as AES128) will result in a minimal size increase.*/ + * AES128 should be enabled, some very old implementations might only + * support 3DES. + * Including both AES keysize variants (128 and 256) will result in + * a minimal size increase */ #define DROPBEAR_AES128 1 #define DROPBEAR_3DES 1 #define DROPBEAR_AES256 1 @@ -90,16 +90,11 @@ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ #define DROPBEAR_BLOWFISH 0 -#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ - || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128) - #error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended." -#endif - /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ #define DROPBEAR_ENABLE_CBC_MODE 1 -/* Enable "Counter Mode" for ciphers. This is more secure than normal +/* Enable "Counter Mode" for ciphers. This is more secure than * CBC mode against certain attacks. It is recommended for security * and forwards compatibility */ #define DROPBEAR_ENABLE_CTR_MODE 1 @@ -114,7 +109,7 @@ #define DROPBEAR_SHA1_HMAC 1 #define DROPBEAR_SHA1_96_HMAC 1 #define DROPBEAR_SHA2_256_HMAC 1 -/* Default is to include it is sha512 is being compiled in for ECDSA */ +/* Default is to include it if sha512 is being compiled in for ECDSA */ #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA) /* XXX needed for fingerprints */ @@ -133,10 +128,6 @@ * on x86-64 */ #define DROPBEAR_ECDSA 1 -#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA) - #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended." -#endif - /* RSA must be >=1024 */ #define DROPBEAR_DEFAULT_RSA_SIZE 2048 /* DSS is always 1024 */ @@ -193,6 +184,7 @@ /* Authentication Types - at least one required. RFC Draft requires pubkey auth, and recommends password */ +#define DROPBEAR_SVR_PASSWORD_AUTH 1 /* Note: PAM auth is quite simple and only works for PAM modules which just do * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). @@ -200,69 +192,26 @@ * but there's an interface via a PAM module. It won't work for more complex * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ - -/* PAM requires ./configure --enable-pam */ -#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH - #define DROPBEAR_SVR_PAM_AUTH 1 -#else - #define DROPBEAR_SVR_PAM_AUTH 0 -#endif - -/* This requires crypt() */ -#if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH - #define DROPBEAR_SVR_PASSWORD_AUTH 1 -#else - #define DROPBEAR_SVR_PASSWORD_AUTH 0 -#endif - -#define DROPBEAR_SVR_PUBKEY_AUTH 1 +#define DROPBEAR_SVR_PAM_AUTH 0 -#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH) - #error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended." -#endif - -#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT - #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." -#endif - -#if DROPBEAR_SVR_PAM_AUTH - #if DISABLE_PAM - #error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed." - #endif - #if DROPBEAR_SVR_PASSWORD_AUTH - #error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH." - #endif -#endif +/* ~/.ssh/authorized_keys authentication */ +#define DROPBEAR_SVR_PUBKEY_AUTH 1 /* Whether to take public key options in * authorized_keys file into account */ #define DROPBEAR_SVR_PUBKEY_OPTIONS 1 -/* This requires getpass. */ -#ifdef HAVE_GETPASS - #define DROPBEAR_CLI_PASSWORD_AUTH 1 - #define DROPBEAR_CLI_INTERACT_AUTH 1 -#else - #define DROPBEAR_CLI_PASSWORD_AUTH 0 - #define DROPBEAR_CLI_INTERACT_AUTH 0 -#endif +/* Client authentication options */ +#define DROPBEAR_CLI_PASSWORD_AUTH 1 #define DROPBEAR_CLI_PUBKEY_AUTH 1 -#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH) - #error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended." -#endif - /* A default argument for dbclient -i . Homedir is prepended unless path begins with / */ #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" -/* This variable can be used to set a password for client - * authentication on the commandline. Beware of platforms - * that don't protect environment variables of processes etc. Also - * note that it will be provided for all "hidden" client-interactive - * style prompts - if you want something more sophisticated, use - * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ -#define DROPBEAR_USE_DROPBEAR_PASSWORD 1 +/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD + * environment variable. */ +#define DROPBEAR_USE_PASSWORD_ENV 1 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of * a helper program for the ssh client. The helper program should be @@ -271,22 +220,12 @@ * return the password on standard output */ #define DROPBEAR_CLI_ASKPASS_HELPER 0 -#if DROPBEAR_CLI_ASKPASS_HELPER - #define DROPBEAR_CLI_PASSWORD_AUTH 1 -#endif +/* Save a network roundtrip by sendng a real auth request immediately after + * sending a query for the available methods. This is not yet enabled by default + since it could cause problems with non-compliant servers */ + #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 -/* Save a network roundtrip by sendng a real auth request immediately after - * sending a query for the available methods. It is at the expense of < 100 - * bytes of extra network traffic. This is not yet enabled by default since it - * could cause problems with non-compliant servers */ -#define DROPBEAR_CLI_IMMEDIATE_AUTH 0 - -/* Source for randomness. This must be able to provide hundreds of bytes per SSH - * connection without blocking. In addition /dev/random is used for seeding - * rsa/dss key generation */ -#define DROPBEAR_URANDOM_DEV "/dev/urandom" - -/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */ +/* Set this to use PRNGD or EGD instead of /dev/urandom */ #define DROPBEAR_USE_PRNGD 0 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" @@ -311,11 +250,11 @@ * "-q" for quiet */ #define XAUTH_COMMAND "/usr/bin/xauth -q" -#define DROPBEAR_SFTPSERVER 1 /* if you want to enable running an sftp server (such as the one included with - * OpenSSH), set the path below. If the path isn't defined, sftp will not - * be enabled */ + * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. + * The sftp-server program is not provided by Dropbear itself */ +#define DROPBEAR_SFTPSERVER 1 #define SFTPSERVER_PATH "/usr/libexec/sftp-server" /* This is used by the scp binary when used as a client binary. If you're @@ -358,8 +297,4 @@ /* The default path. This will often get replaced by the shell */ #define DEFAULT_PATH "/usr/bin:/bin" -/* Include verbose debug output, enabled with -v at runtime. - * This will add a reasonable amount to your executable size. */ -#define DEBUG_TRACE 0 - #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ diff -r c7675aa88880 -r 6c16a05023aa sysoptions.h --- a/sysoptions.h Sat Feb 17 12:16:18 2018 +0800 +++ b/sysoptions.h Sun Feb 18 00:29:17 2018 +0800 @@ -23,7 +23,11 @@ #define AUTH_TIMEOUT 300 /* we choose 5 minutes */ #endif - #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS)) +#define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS)) + +#if !(NON_INETD_MODE || INETD_MODE) + #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." +#endif /* A client should try and send an initial key exchange packet guessing * the algorithm that will match - saves a round trip connecting, has little @@ -205,6 +209,39 @@ #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h" #endif +/* PAM requires ./configure --enable-pam */ +#if !defined(HAVE_LIBPAM) && DROPBEAR_SVR_PAM_AUTH +#error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?" +#endif + +#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT + #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." +#endif + +#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH) + #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended." +#endif + + +#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ + || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128) + #error "At least one encryption algorithm must be enabled. AES128 is recommended." +#endif + +#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA) + #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended." +#endif + +/* Source for randomness. This must be able to provide hundreds of bytes per SSH + * connection without blocking. */ +#ifndef DROPBEAR_URANDOM_DEV +#define DROPBEAR_URANDOM_DEV "/dev/urandom" +#endif + +/* client keyboard interactive authentication is often used for password auth. + rfc4256 */ +#define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH) + /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant * code, if we're just compiling as client or server */ #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)