1 /* Dropbear SSH 2 * Copyright (c) 2002,2003 Matt Johnston 3 * All rights reserved. See LICENSE for the license. */ 4 5 #ifndef _OPTIONS_H_ 6 #define _OPTIONS_H_ 7 8 /****************************************************************** 9 * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" 10 * parts are to allow for commandline -DDROPBEAR_XXX options etc. 11 ******************************************************************/ 12 13 #ifndef DROPBEAR_DEFPORT 14 #define DROPBEAR_DEFPORT "22" 15 #endif 16 17 #ifndef DROPBEAR_DEFADDRESS 18 /* Listen on all interfaces */ 19 #define DROPBEAR_DEFADDRESS "" 20 #endif 21 22 /* Default hostkey paths - these can be specified on the command line */ 23 #ifndef DSS_PRIV_FILENAME 24 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" 25 #endif 26 #ifndef RSA_PRIV_FILENAME 27 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" 28 #endif 29 30 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens 31 * on chosen ports and keeps accepting connections. This is the default. 32 * 33 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or 34 * similar), where it will use stdin/stdout for connections, and each process 35 * lasts for a single connection. Dropbear should be invoked with the -i flag 36 * for inetd, and can only accept IPv4 connections. 37 * 38 * Both of these flags can be defined at once, don't compile without at least 39 * one of them. */ 40 #define NON_INETD_MODE 41 #define INETD_MODE 42 43 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is 44 * perhaps 20% slower for pubkey operations (it is probably worth experimenting 45 * if you want to use this) */ 46 /*#define NO_FAST_EXPTMOD*/ 47 48 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save 49 several kB in binary size, however will make the symmetrical ciphers (AES, DES 50 etc) slower (perhaps by 50%). Recommended for most small systems. */ 51 #define DROPBEAR_SMALL_CODE 52 53 /* Enable X11 Forwarding - server only */ 54 #define ENABLE_X11FWD 55 56 /* Enable TCP Fowarding */ 57 /* 'Local' is "-L" style (client listening port forwarded via server) 58 * 'Remote' is "-R" style (server listening port forwarded via client) */ 59 60 #define ENABLE_CLI_LOCALTCPFWD 61 #define ENABLE_CLI_REMOTETCPFWD 62 63 #define ENABLE_SVR_LOCALTCPFWD 64 #define ENABLE_SVR_REMOTETCPFWD 65 66 /* Enable Authentication Agent Forwarding - server only for now */ 67 #define ENABLE_AGENTFWD 68 69 /* Encryption - at least one required. 70 * RFC Draft requires 3DES and recommends AES128 for interoperability. 71 * Including multiple keysize variants the same cipher 72 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ 73 #define DROPBEAR_AES128_CBC 74 #define DROPBEAR_3DES_CBC 75 //#define DROPBEAR_AES256_CBC 76 //#define DROPBEAR_BLOWFISH_CBC 77 //#define DROPBEAR_TWOFISH256_CBC 78 //#define DROPBEAR_TWOFISH128_CBC 79 80 /* Message Integrity - at least one required. 81 * RFC Draft requires sha1 and recommends sha1-96. 82 * sha1-96 may be of use for slow links, as it has a smaller overhead. 83 * 84 * Note: there's no point disabling sha1 to save space, since it's used 85 * for the random number generator and public-key cryptography anyway. 86 * Disabling it here will just stop it from being used as the integrity portion 87 * of the ssh protocol. 88 * 89 * These hashes are also used for public key fingerprints in logs. 90 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, 91 * which are not the standard form. */ 92 #define DROPBEAR_SHA1_HMAC 93 #define DROPBEAR_SHA1_96_HMAC 94 #define DROPBEAR_MD5_HMAC 95 96 /* Hostkey/public key algorithms - at least one required, these are used 97 * for hostkey as well as for verifying signatures with pubkey auth. 98 * Removing either of these won't save very much space. 99 * SSH2 RFC Draft requires dss, recommends rsa */ 100 #define DROPBEAR_RSA 101 #define DROPBEAR_DSS 102 103 /* RSA can be vulnerable to timing attacks which use the time required for 104 * signing to guess the private key. Blinding avoids this attack, though makes 105 * signing operations slightly slower. */ 106 #define RSA_BLINDING 107 108 /* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss, 109 * rather than just from the random byte source. Undefining this will save you 110 * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed 111 * if the random number source isn't good. In general this isn't required */ 112 /* #define DSS_PROTOK */ 113 114 /* Whether to do reverse DNS lookups. */ 115 #define DO_HOST_LOOKUP 116 117 /* Whether to print the message of the day (MOTD). This doesn't add much code 118 * size */ 119 #define DO_MOTD 120 121 /* The MOTD file path */ 122 #ifndef MOTD_FILENAME 123 #define MOTD_FILENAME "/etc/motd" 124 #endif 125 126 /* Authentication Types - at least one required. 127 RFC Draft requires pubkey auth, and recommends password */ 128 129 /* Note: PAM auth is quite simple, and only works for PAM modules which just do 130 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). 131 * It's useful for systems like OS X where standard password crypts don't work, 132 * but there's an interface via a PAM module - don't bother using it otherwise. 133 * You can't enable both PASSWORD and PAM. */ 134 135 #define ENABLE_SVR_PASSWORD_AUTH 136 /*#define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */ 137 #define ENABLE_SVR_PUBKEY_AUTH 138 139 #define ENABLE_CLI_PASSWORD_AUTH 140 #define ENABLE_CLI_PUBKEY_AUTH 141 #define ENABLE_CLI_INTERACT_AUTH 142 143 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of 144 * a helper program for the ssh client. The helper program should be 145 * specified in the SSH_ASKPASS environment variable, and dbclient 146 * should be run with DISPLAY set and no tty. The program should 147 * return the password on standard output */ 148 /*#define ENABLE_CLI_ASKPASS_HELPER*/ 149 150 /* Random device to use - define either DROPBEAR_RANDOM_DEV or 151 * DROPBEAR_PRNGD_SOCKET. 152 * DROPBEAR_RANDOM_DEV is recommended on hosts with a good /dev/(u)random, 153 * otherwise use run prngd (or egd if you want), specifying the socket. 154 * The device will be queried for a few dozen bytes of seed a couple of times 155 * per session (or more for very long-lived sessions). */ 156 157 /* If you are lacking entropy on the system then using /dev/urandom 158 * will prevent Dropbear from blocking on the device. This could 159 * however significantly reduce the security of your ssh connections 160 * if the PRNG state becomes guessable - make sure you know what you are 161 * doing if you change this. */ 162 #define DROPBEAR_RANDOM_DEV "/dev/random" 163 164 /* prngd must be manually set up to produce output */ 165 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ 166 167 /* Specify the number of clients we will allow to be connected but 168 * not yet authenticated. After this limit, connections are rejected */ 169 /* The first setting is per-IP, to avoid denial of service */ 170 #ifndef MAX_UNAUTH_PER_IP 171 #define MAX_UNAUTH_PER_IP 5 172 #endif 173 174 /* And then a global limit to avoid chewing memory if connections 175 * come from many IPs */ 176 #ifndef MAX_UNAUTH_CLIENTS 177 #define MAX_UNAUTH_CLIENTS 30 178 #endif 179 180 /* Maximum number of failed authentication tries (server option) */ 181 #ifndef MAX_AUTH_TRIES 182 #define MAX_AUTH_TRIES 10 183 #endif 184 185 /* The default file to store the daemon's process ID, for shutdown 186 scripts etc. This can be overridden with the -P flag */ 187 #ifndef DROPBEAR_PIDFILE 188 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" 189 #endif 190 191 /* The command to invoke for xauth when using X11 forwarding. 192 * "-q" for quiet */ 193 #ifndef XAUTH_COMMAND 194 #define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q" 195 #endif 196 197 /* if you want to enable running an sftp server (such as the one included with 198 * OpenSSH), set the path below. If the path isn't defined, sftp will not 199 * be enabled */ 200 #ifndef SFTPSERVER_PATH 201 #define SFTPSERVER_PATH "/usr/libexec/sftp-server" 202 #endif 203 204 /* This is used by the scp binary when used as a client binary. If you're 205 * not using the Dropbear client, you'll need to change it */ 206 #define _PATH_SSH_PROGRAM "/system/bin/ssh" 207 208 /* Whether to log commands executed by a client. This only logs the 209 * (single) command sent to the server, not what a user did in a 210 * shell/sftp session etc. */ 211 /* #define LOG_COMMANDS */ 212 213 /******************************************************************* 214 * You shouldn't edit below here unless you know you need to. 215 *******************************************************************/ 216 217 #ifndef DROPBEAR_VERSION 218 #define DROPBEAR_VERSION "0.49" 219 #endif 220 221 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION 222 #define PROGNAME "dropbear" 223 224 /* Spec recommends after one hour or 1 gigabyte of data. One hour 225 * is a bit too verbose, so we try 8 hours */ 226 #ifndef KEX_REKEY_TIMEOUT 227 #define KEX_REKEY_TIMEOUT (3600 * 8) 228 #endif 229 #ifndef KEX_REKEY_DATA 230 #define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */ 231 #endif 232 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */ 233 #ifndef AUTH_TIMEOUT 234 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */ 235 #endif 236 237 /* Minimum key sizes for DSS and RSA */ 238 #ifndef MIN_DSS_KEYLEN 239 #define MIN_DSS_KEYLEN 512 240 #endif 241 #ifndef MIN_RSA_KEYLEN 242 #define MIN_RSA_KEYLEN 512 243 #endif 244 245 #define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */ 246 #define MAX_BANNER_LINES 20 /* How many lines the client will display */ 247 248 /* the number of NAME=VALUE pairs to malloc for environ, if we don't have 249 * the clearenv() function */ 250 #define ENV_SIZE 100 251 252 #define MAX_CMD_LEN 1024 /* max length of a command */ 253 #define MAX_TERM_LEN 200 /* max length of TERM name */ 254 255 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */ 256 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */ 257 258 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified, 259 ipv4 and ipv6 don't count twice */ 260 261 /* Each port might have at least a v4 and a v6 address */ 262 #define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3) 263 264 #define _PATH_TTY "/dev/tty" 265 266 #define _PATH_CP "/bin/cp" 267 268 /* Timeouts in seconds */ 269 #define SELECT_TIMEOUT 20 270 271 /* success/failure defines */ 272 #define DROPBEAR_SUCCESS 0 273 #define DROPBEAR_FAILURE -1 274 275 /* various algorithm identifiers */ 276 #define DROPBEAR_KEX_DH_GROUP1 0 277 278 #define DROPBEAR_SIGNKEY_ANY 0 279 #define DROPBEAR_SIGNKEY_RSA 1 280 #define DROPBEAR_SIGNKEY_DSS 2 281 #define DROPBEAR_SIGNKEY_NONE 3 282 283 #define DROPBEAR_COMP_NONE 0 284 #define DROPBEAR_COMP_ZLIB 1 285 286 /* Required for pubkey auth */ 287 #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT) 288 #define DROPBEAR_SIGNKEY_VERIFY 289 #endif 290 291 /* SHA1 is 20 bytes == 160 bits */ 292 #define SHA1_HASH_SIZE 20 293 /* SHA512 is 64 bytes == 512 bits */ 294 #define SHA512_HASH_SIZE 64 295 /* MD5 is 16 bytes = 128 bits */ 296 #define MD5_HASH_SIZE 16 297 298 /* largest of MD5 and SHA1 */ 299 #define MAX_MAC_LEN SHA1_HASH_SIZE 300 301 302 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */ 303 #define MAX_IV_LEN 20 /* must be same as max blocksize, 304 and >= SHA1_HASH_SIZE */ 305 #define MAX_MAC_KEY 20 306 307 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't 308 explicitly specified for all protocols (just 309 for algos) but seems valid */ 310 311 #define MAX_PROPOSED_ALGO 20 312 313 /* size/count limits */ 314 315 #define MAX_PACKET_LEN 35000 316 #define MIN_PACKET_LEN 16 317 #define MAX_PAYLOAD_LEN 32768 318 319 #define MAX_TRANS_PAYLOAD_LEN 32768 320 #define MAX_TRANS_PACKET_LEN (MAX_TRANS_PAYLOAD_LEN+50) 321 322 #define MAX_TRANS_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */ 323 #define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */ 324 325 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also 326 is the max length for a password etc */ 327 328 /* For a 4096 bit DSS key, empirically determined */ 329 #define MAX_PUBKEY_SIZE 1700 330 /* For a 4096 bit DSS key, empirically determined */ 331 #define MAX_PRIVKEY_SIZE 1700 332 333 /* The maximum size of the bignum portion of the kexhash buffer */ 334 /* Sect. 8 of the transport draft, K_S + e + f + K */ 335 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130) 336 337 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit 338 in a few years time.... */ 339 340 #define DROPBEAR_MAX_CLI_PASS 1024 341 342 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll 343 accept for keyb-interactive 344 auth */ 345 346 #if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC) 347 #define DROPBEAR_AES_CBC 348 #endif 349 350 #if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC) 351 #define DROPBEAR_TWOFISH_CBC 352 #endif 353 354 #ifndef ENABLE_X11FWD 355 #define DISABLE_X11FWD 356 #endif 357 358 #ifndef ENABLE_AGENTFWD 359 #define DISABLE_AGENTFWD 360 #endif 361 362 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) 363 #define ENABLE_CLI_ANYTCPFWD 364 #endif 365 366 #if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD) 367 #define DROPBEAR_TCP_ACCEPT 368 #endif 369 370 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \ 371 defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \ 372 defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD) 373 #define USING_LISTENERS 374 #endif 375 376 #if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH) 377 #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */ 378 #endif 379 380 #if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH) 381 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h" 382 #endif 383 384 #if defined(DROPBEAR_RANDOM_DEV) && defined(DROPBEAR_PRNGD_SOCKET) 385 #error "You can't turn on DROPBEAR_PRNGD_SOCKET and DROPBEAR_RANDOM_DEV at once" 386 #endif 387 388 #if !defined(DROPBEAR_RANDOM_DEV) && !defined(DROPBEAR_PRNGD_SOCKET) 389 #error "You must choose one of DROPBEAR_PRNGD_SOCKET or DROPBEAR_RANDOM_DEV in options.h" 390 #endif 391 392 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant 393 * code, if we're just compiling as client or server */ 394 #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT) 395 396 #define IS_DROPBEAR_SERVER (ses.isserver == 1) 397 #define IS_DROPBEAR_CLIENT (ses.isserver == 0) 398 399 #elif defined(DROPBEAR_SERVER) 400 401 #define IS_DROPBEAR_SERVER 1 402 #define IS_DROPBEAR_CLIENT 0 403 404 #elif defined(DROPBEAR_CLIENT) 405 406 #define IS_DROPBEAR_SERVER 0 407 #define IS_DROPBEAR_CLIENT 1 408 409 #else 410 #error You must compiled with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected 411 #endif 412 413 #endif /* _OPTIONS_H_ */ 414