ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-06-26 18:17:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

- Fix dependencies and remove old default_options.h from version control

Browse Source 
- Rename default_options.h.in -> default_options.h, and
  default_options.h -> default_options_guard.h
- Fix newlines in default_options.h
This commit is contained in:
Matt Johnston 2018-02-19 22:16:50 +08:00
parent 316c923188
commit 3f3f399231
5 changed files with 19 additions and 461 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
Makefile.in
View File

@ -23,9 +23,10 @@ CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/
LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM) LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
endif endif
OPTION_HEADERS = default_options_guard.h sysoptions.h
ifneq ($(wildcard localoptions.h),) ifneq ($(wildcard localoptions.h),)
CFLAGS+=-DLOCALOPTIONS_H_EXISTS CFLAGS+=-DLOCALOPTIONS_H_EXISTS
LOCALOPTIONS_H=localoptions.h OPTION_HEADERS += localoptions.h
endif endif
COMMONOBJS=dbutil.o buffer.o dbhelpers.o \ COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
@ -98,7 +99,6 @@ ifneq (,$(strip $(foreach prog, $(PROGRAMS), $(findstring ZdbclientZ, Z$(prog)Z)
CFLAGS+= -DDROPBEAR_CLIENT CFLAGS+= -DDROPBEAR_CLIENT
endif endif
# these are exported so that libtomcrypt's makefile will use them # these are exported so that libtomcrypt's makefile will use them
export CC export CC
export CFLAGS export CFLAGS
@ -121,9 +121,16 @@ endif
all: $(TARGETS) all: $(TARGETS)
# a bit lazy, but safer # for simplicity assume all source depends on all headers
HEADERS=$(wildcard $(srcdir)/*.h *.h) HEADERS=$(wildcard $(srcdir)/*.h *.h) $(OPTION_HEADERS)
*.o: $(HEADERS) %.o : %.c $(HEADERS)
$(CC) -c $(CFLAGS) $(CPPFLAGS) $< -o $@
default_options_guard.h: default_options.h
@echo Creating $@
@printf "/*\n > > > Do not edit this file (default_options_guard.h) < < <\nGenerated from "$^"\nLocal customisation goes in localoptions.h\n*/\n\n" > $@.tmp
@$(srcdir)/ifndef_wrapper.sh < $^ >> $@.tmp
@mv $@.tmp $@
strip: $(TARGETS) strip: $(TARGETS)
$(STRIP) $(addsuffix $(EXEEXT), $(TARGETS)) $(STRIP) $(addsuffix $(EXEEXT), $(TARGETS))
@ -197,10 +204,10 @@ link%:
-rm -f $*$(EXEEXT) -rm -f $*$(EXEEXT)
-ln -s dropbearmulti$(EXEEXT) $*$(EXEEXT) -ln -s dropbearmulti$(EXEEXT) $*$(EXEEXT)
$(STATIC_LTC): $(STATIC_LTC): $(OPTION_HEADERS)
$(MAKE) -C libtomcrypt $(MAKE) -C libtomcrypt
$(STATIC_LTM): $(STATIC_LTM): $(OPTION_HEADERS)
$(MAKE) -C libtommath $(MAKE) -C libtommath
.PHONY : clean sizes thisclean distclean tidy ltc-clean ltm-clean .PHONY : clean sizes thisclean distclean tidy ltc-clean ltm-clean
@ -224,14 +231,7 @@ thisclean:
distclean: clean tidy distclean: clean tidy
-rm -f config.h -rm -f config.h
-rm -f Makefile -rm -f Makefile
-rm -f default_options_guard.h
tidy: tidy:
-rm -f *~ *.gcov */*~ -rm -f *~ *.gcov */*~
# default_options.h is stored in version control, could not find a workaround
# for parallel "make -j" and dependency rules.
default_options.h: default_options.h.in
@echo Creating $@
@echo "/*\n > > > Do not edit this file (default_options.h) < < <\nGenerated from "$^"\nLocal customisation goes in localoptions.h\n*/\n\n" > $@.tmp
@$(srcdir)/ifndef_wrapper.sh < $^ >> $@.tmp
@mv $@.tmp $@

155
default_options.h
View File

@ -1,16 +1,9 @@
/*
> > > Do not edit this file (default_options.h) < < <
Generated from ../default_options.h.in
Local customisation goes in localoptions.h
*/
#ifndef DROPBEAR_DEFAULT_OPTIONS_H_ #ifndef DROPBEAR_DEFAULT_OPTIONS_H_
#define DROPBEAR_DEFAULT_OPTIONS_H_ #define DROPBEAR_DEFAULT_OPTIONS_H_
/* /*
> > > Read This < < < > > > Read This < < <
default_options.h.in documents compile-time options, and provides default values. default_options.h documents compile-time options, and provides default values.
Local customisation should be added to localoptions.h which is Local customisation should be added to localoptions.h which is
used if it exists. Options defined there will override any options in this used if it exists. Options defined there will override any options in this
@ -20,25 +13,15 @@ Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS
IMPORTANT: Some options will require "make clean" after changes */ IMPORTANT: Some options will require "make clean" after changes */
#ifndef DROPBEAR_DEFPORT
#define DROPBEAR_DEFPORT "22" #define DROPBEAR_DEFPORT "22"
#endif
/* Listen on all interfaces */ /* Listen on all interfaces */
#ifndef DROPBEAR_DEFADDRESS
#define DROPBEAR_DEFADDRESS "" #define DROPBEAR_DEFADDRESS ""
#endif
/* Default hostkey paths - these can be specified on the command line */ /* Default hostkey paths - these can be specified on the command line */
#ifndef DSS_PRIV_FILENAME
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
#endif
#ifndef RSA_PRIV_FILENAME
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
#endif
#ifndef ECDSA_PRIV_FILENAME
#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
#endif
/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
* on chosen ports and keeps accepting connections. This is the default. * on chosen ports and keeps accepting connections. This is the default.
@ -50,126 +33,76 @@ IMPORTANT: Some options will require "make clean" after changes */
* *
* Both of these flags can be defined at once, don't compile without at least * Both of these flags can be defined at once, don't compile without at least
* one of them. */ * one of them. */
#ifndef NON_INETD_MODE
#define NON_INETD_MODE 1 #define NON_INETD_MODE 1
#endif
#ifndef INETD_MODE
#define INETD_MODE 1 #define INETD_MODE 1
#endif
/* Include verbose debug output, enabled with -v at runtime. /* Include verbose debug output, enabled with -v at runtime.
* This will add a reasonable amount to your executable size. */ * This will add a reasonable amount to your executable size. */
#ifndef DEBUG_TRACE
#define DEBUG_TRACE 0 #define DEBUG_TRACE 0
#endif
/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
* several kB in binary size however will make the symmetrical ciphers and hashes * several kB in binary size however will make the symmetrical ciphers and hashes
* slower, perhaps by 50%. Recommended for small systems that aren't doing * slower, perhaps by 50%. Recommended for small systems that aren't doing
* much traffic. */ * much traffic. */
#ifndef DROPBEAR_SMALL_CODE
#define DROPBEAR_SMALL_CODE 1 #define DROPBEAR_SMALL_CODE 1
#endif
/* Enable X11 Forwarding - server only */ /* Enable X11 Forwarding - server only */
#ifndef DROPBEAR_X11FWD
#define DROPBEAR_X11FWD 1 #define DROPBEAR_X11FWD 1
#endif
/* Enable TCP Fowarding */ /* Enable TCP Fowarding */
/* 'Local' is "-L" style (client listening port forwarded via server) /* 'Local' is "-L" style (client listening port forwarded via server)
* 'Remote' is "-R" style (server listening port forwarded via client) */ * 'Remote' is "-R" style (server listening port forwarded via client) */
#ifndef DROPBEAR_CLI_LOCALTCPFWD
#define DROPBEAR_CLI_LOCALTCPFWD 1 #define DROPBEAR_CLI_LOCALTCPFWD 1
#endif
#ifndef DROPBEAR_CLI_REMOTETCPFWD
#define DROPBEAR_CLI_REMOTETCPFWD 1 #define DROPBEAR_CLI_REMOTETCPFWD 1
#endif
#ifndef DROPBEAR_SVR_LOCALTCPFWD
#define DROPBEAR_SVR_LOCALTCPFWD 1 #define DROPBEAR_SVR_LOCALTCPFWD 1
#endif
#ifndef DROPBEAR_SVR_REMOTETCPFWD
#define DROPBEAR_SVR_REMOTETCPFWD 1 #define DROPBEAR_SVR_REMOTETCPFWD 1
#endif
/* Enable Authentication Agent Forwarding */ /* Enable Authentication Agent Forwarding */
#ifndef DROPBEAR_SVR_AGENTFWD
#define DROPBEAR_SVR_AGENTFWD 1 #define DROPBEAR_SVR_AGENTFWD 1
#endif
#ifndef DROPBEAR_CLI_AGENTFWD
#define DROPBEAR_CLI_AGENTFWD 1 #define DROPBEAR_CLI_AGENTFWD 1
#endif
/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
* allow multihop dbclient connections */ * allow multihop dbclient connections */
/* Allow using -J <proxycommand> to run the connection through a /* Allow using -J <proxycommand> to run the connection through a
pipe to a program, rather the normal TCP connection */ pipe to a program, rather the normal TCP connection */
#ifndef DROPBEAR_CLI_PROXYCMD
#define DROPBEAR_CLI_PROXYCMD 1 #define DROPBEAR_CLI_PROXYCMD 1
#endif
/* Enable "Netcat mode" option. This will forward standard input/output /* Enable "Netcat mode" option. This will forward standard input/output
* to a remote TCP-forwarded connection */ * to a remote TCP-forwarded connection */
#ifndef DROPBEAR_CLI_NETCAT
#define DROPBEAR_CLI_NETCAT 1 #define DROPBEAR_CLI_NETCAT 1
#endif
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#ifndef DROPBEAR_USER_ALGO_LIST
#define DROPBEAR_USER_ALGO_LIST 1 #define DROPBEAR_USER_ALGO_LIST 1
#endif
/* Encryption - at least one required. /* Encryption - at least one required.
* AES128 should be enabled, some very old implementations might only * AES128 should be enabled, some very old implementations might only
* support 3DES. * support 3DES.
* Including both AES keysize variants (128 and 256) will result in * Including both AES keysize variants (128 and 256) will result in
* a minimal size increase */ * a minimal size increase */
#ifndef DROPBEAR_AES128
#define DROPBEAR_AES128 1 #define DROPBEAR_AES128 1
#endif
#ifndef DROPBEAR_3DES
#define DROPBEAR_3DES 1 #define DROPBEAR_3DES 1
#endif
#ifndef DROPBEAR_AES256
#define DROPBEAR_AES256 1 #define DROPBEAR_AES256 1
#endif
#ifndef DROPBEAR_TWOFISH256
#define DROPBEAR_TWOFISH256 0 #define DROPBEAR_TWOFISH256 0
#endif
#ifndef DROPBEAR_TWOFISH128
#define DROPBEAR_TWOFISH128 0 #define DROPBEAR_TWOFISH128 0
#endif
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
#ifndef DROPBEAR_BLOWFISH
#define DROPBEAR_BLOWFISH 0 #define DROPBEAR_BLOWFISH 0
#endif
/* Enable CBC mode for ciphers. This has security issues though /* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */ * is the most compatible with older SSH implementations */
#ifndef DROPBEAR_ENABLE_CBC_MODE
#define DROPBEAR_ENABLE_CBC_MODE 1 #define DROPBEAR_ENABLE_CBC_MODE 1
#endif
/* Enable "Counter Mode" for ciphers. This is more secure than /* Enable "Counter Mode" for ciphers. This is more secure than
* CBC mode against certain attacks. It is recommended for security * CBC mode against certain attacks. It is recommended for security
* and forwards compatibility */ * and forwards compatibility */
#ifndef DROPBEAR_ENABLE_CTR_MODE
#define DROPBEAR_ENABLE_CTR_MODE 1 #define DROPBEAR_ENABLE_CTR_MODE 1
#endif
/* Message integrity. sha2-256 is recommended as a default, /* Message integrity. sha2-256 is recommended as a default,
sha1 for compatibility */ sha1 for compatibility */
#ifndef DROPBEAR_SHA1_HMAC
#define DROPBEAR_SHA1_HMAC 1 #define DROPBEAR_SHA1_HMAC 1
#endif
#ifndef DROPBEAR_SHA1_96_HMAC
#define DROPBEAR_SHA1_96_HMAC 1 #define DROPBEAR_SHA1_96_HMAC 1
#endif
#ifndef DROPBEAR_SHA2_256_HMAC
#define DROPBEAR_SHA2_256_HMAC 1 #define DROPBEAR_SHA2_256_HMAC 1
#endif
/* Hostkey/public key algorithms - at least one required, these are used /* Hostkey/public key algorithms - at least one required, these are used
* for hostkey as well as for verifying signatures with pubkey auth. * for hostkey as well as for verifying signatures with pubkey auth.
@ -177,23 +110,15 @@ IMPORTANT: Some options will require "make clean" after changes */
* RSA is recommended * RSA is recommended
* DSS may be necessary to connect to some systems though * DSS may be necessary to connect to some systems though
is not recommended for new keys */ is not recommended for new keys */
#ifndef DROPBEAR_RSA
#define DROPBEAR_RSA 1 #define DROPBEAR_RSA 1
#endif
#ifndef DROPBEAR_DSS
#define DROPBEAR_DSS 1 #define DROPBEAR_DSS 1
#endif
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
* code (either ECDSA or ECDH) increases binary size - around 30kB * code (either ECDSA or ECDH) increases binary size - around 30kB
* on x86-64 */ * on x86-64 */
#ifndef DROPBEAR_ECDSA
#define DROPBEAR_ECDSA 1 #define DROPBEAR_ECDSA 1
#endif
/* RSA must be >=1024 */ /* RSA must be >=1024 */
#ifndef DROPBEAR_DEFAULT_RSA_SIZE
#define DROPBEAR_DEFAULT_RSA_SIZE 2048 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
#endif
/* DSS is always 1024 */ /* DSS is always 1024 */
/* ECDSA defaults to largest size configured, usually 521 */ /* ECDSA defaults to largest size configured, usually 521 */
@ -201,9 +126,7 @@ IMPORTANT: Some options will require "make clean" after changes */
connection using that key type occurs. connection using that key type occurs.
This avoids the need to otherwise run "dropbearkey" and avoids some problems This avoids the need to otherwise run "dropbearkey" and avoids some problems
with badly seeded /dev/urandom when systems first boot. */ with badly seeded /dev/urandom when systems first boot. */
#ifndef DROPBEAR_DELAY_HOSTKEY
#define DROPBEAR_DELAY_HOSTKEY 1 #define DROPBEAR_DELAY_HOSTKEY 1
#endif
/* Key exchange algorithm. /* Key exchange algorithm.
@ -226,24 +149,12 @@ IMPORTANT: Some options will require "make clean" after changes */
* Small systems should generally include either curve25519 or ecdh for performance. * Small systems should generally include either curve25519 or ecdh for performance.
* curve25519 is less widely supported but is faster * curve25519 is less widely supported but is faster
*/ */
#ifndef DROPBEAR_DH_GROUP1
#define DROPBEAR_DH_GROUP1 1 #define DROPBEAR_DH_GROUP1 1
#endif
#ifndef DROPBEAR_DH_GROUP14_SHA1
#define DROPBEAR_DH_GROUP14_SHA1 1 #define DROPBEAR_DH_GROUP14_SHA1 1
#endif
#ifndef DROPBEAR_DH_GROUP14_SHA256
#define DROPBEAR_DH_GROUP14_SHA256 1 #define DROPBEAR_DH_GROUP14_SHA256 1
#endif
#ifndef DROPBEAR_DH_GROUP16
#define DROPBEAR_DH_GROUP16 0 #define DROPBEAR_DH_GROUP16 0
#endif
#ifndef DROPBEAR_CURVE25519
#define DROPBEAR_CURVE25519 1 #define DROPBEAR_CURVE25519 1
#endif
#ifndef DROPBEAR_ECDH
#define DROPBEAR_ECDH 1 #define DROPBEAR_ECDH 1
#endif
/* Control the memory/performance/compression tradeoff for zlib. /* Control the memory/performance/compression tradeoff for zlib.
* Set windowBits=8 for least memory usage, see your system's * Set windowBits=8 for least memory usage, see your system's
@ -252,28 +163,18 @@ IMPORTANT: Some options will require "make clean" after changes */
* windowBits=8 will use 129kB for compression. * windowBits=8 will use 129kB for compression.
* Both modes will use ~35kB for decompression (using windowBits=15 for * Both modes will use ~35kB for decompression (using windowBits=15 for
* interoperability) */ * interoperability) */
#ifndef DROPBEAR_ZLIB_WINDOW_BITS
#define DROPBEAR_ZLIB_WINDOW_BITS 15 #define DROPBEAR_ZLIB_WINDOW_BITS 15
#endif
/* Whether to do reverse DNS lookups. */ /* Whether to do reverse DNS lookups. */
#ifndef DO_HOST_LOOKUP
#define DO_HOST_LOOKUP 0 #define DO_HOST_LOOKUP 0
#endif
/* Whether to print the message of the day (MOTD). */ /* Whether to print the message of the day (MOTD). */
#ifndef DO_MOTD
#define DO_MOTD 0 #define DO_MOTD 0
#endif
#ifndef MOTD_FILENAME
#define MOTD_FILENAME "/etc/motd" #define MOTD_FILENAME "/etc/motd"
#endif
/* Authentication Types - at least one required. /* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */ RFC Draft requires pubkey auth, and recommends password */
#ifndef DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 1 #define DROPBEAR_SVR_PASSWORD_AUTH 1
#endif
/* Note: PAM auth is quite simple and only works for PAM modules which just do /* Note: PAM auth is quite simple and only works for PAM modules which just do
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
@ -281,119 +182,79 @@ IMPORTANT: Some options will require "make clean" after changes */
* but there's an interface via a PAM module. It won't work for more complex * but there's an interface via a PAM module. It won't work for more complex
* PAM challenge/response. * PAM challenge/response.
* You can't enable both PASSWORD and PAM. */ * You can't enable both PASSWORD and PAM. */
#ifndef DROPBEAR_SVR_PAM_AUTH
#define DROPBEAR_SVR_PAM_AUTH 0 #define DROPBEAR_SVR_PAM_AUTH 0
#endif
/* ~/.ssh/authorized_keys authentication */ /* ~/.ssh/authorized_keys authentication */
#ifndef DROPBEAR_SVR_PUBKEY_AUTH
#define DROPBEAR_SVR_PUBKEY_AUTH 1 #define DROPBEAR_SVR_PUBKEY_AUTH 1
#endif
/* Whether to take public key options in /* Whether to take public key options in
* authorized_keys file into account */ * authorized_keys file into account */
#ifndef DROPBEAR_SVR_PUBKEY_OPTIONS
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
#endif
/* Client authentication options */ /* Client authentication options */
#ifndef DROPBEAR_CLI_PASSWORD_AUTH
#define DROPBEAR_CLI_PASSWORD_AUTH 1 #define DROPBEAR_CLI_PASSWORD_AUTH 1
#endif
#ifndef DROPBEAR_CLI_PUBKEY_AUTH
#define DROPBEAR_CLI_PUBKEY_AUTH 1 #define DROPBEAR_CLI_PUBKEY_AUTH 1
#endif
/* A default argument for dbclient -i <privatekey>. /* A default argument for dbclient -i <privatekey>.
Homedir is prepended unless path begins with / */ Homedir is prepended unless path begins with / */
#ifndef DROPBEAR_DEFAULT_CLI_AUTHKEY
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
#endif
/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
* environment variable. */ * environment variable. */
#ifndef DROPBEAR_USE_PASSWORD_ENV
#define DROPBEAR_USE_PASSWORD_ENV 1 #define DROPBEAR_USE_PASSWORD_ENV 1
#endif
/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
* a helper program for the ssh client. The helper program should be * a helper program for the ssh client. The helper program should be
* specified in the SSH_ASKPASS environment variable, and dbclient * specified in the SSH_ASKPASS environment variable, and dbclient
* should be run with DISPLAY set and no tty. The program should * should be run with DISPLAY set and no tty. The program should
* return the password on standard output */ * return the password on standard output */
#ifndef DROPBEAR_CLI_ASKPASS_HELPER
#define DROPBEAR_CLI_ASKPASS_HELPER 0 #define DROPBEAR_CLI_ASKPASS_HELPER 0
#endif
/* Save a network roundtrip by sendng a real auth request immediately after /* Save a network roundtrip by sendng a real auth request immediately after
* sending a query for the available methods. This is not yet enabled by default * sending a query for the available methods. This is not yet enabled by default
since it could cause problems with non-compliant servers */ since it could cause problems with non-compliant servers */
#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
#define DROPBEAR_CLI_IMMEDIATE_AUTH 0 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
#endif
/* Set this to use PRNGD or EGD instead of /dev/urandom */ /* Set this to use PRNGD or EGD instead of /dev/urandom */
#ifndef DROPBEAR_USE_PRNGD
#define DROPBEAR_USE_PRNGD 0 #define DROPBEAR_USE_PRNGD 0
#endif
#ifndef DROPBEAR_PRNGD_SOCKET
#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
#endif
/* Specify the number of clients we will allow to be connected but /* Specify the number of clients we will allow to be connected but
* not yet authenticated. After this limit, connections are rejected */ * not yet authenticated. After this limit, connections are rejected */
/* The first setting is per-IP, to avoid denial of service */ /* The first setting is per-IP, to avoid denial of service */
#ifndef MAX_UNAUTH_PER_IP
#define MAX_UNAUTH_PER_IP 5 #define MAX_UNAUTH_PER_IP 5
#endif
/* And then a global limit to avoid chewing memory if connections /* And then a global limit to avoid chewing memory if connections
* come from many IPs */ * come from many IPs */
#ifndef MAX_UNAUTH_CLIENTS
#define MAX_UNAUTH_CLIENTS 30 #define MAX_UNAUTH_CLIENTS 30
#endif
/* Default maximum number of failed authentication tries (server option) */ /* Default maximum number of failed authentication tries (server option) */
/* -T server option overrides */ /* -T server option overrides */
#ifndef MAX_AUTH_TRIES
#define MAX_AUTH_TRIES 10 #define MAX_AUTH_TRIES 10
#endif
/* The default file to store the daemon's process ID, for shutdown /* The default file to store the daemon's process ID, for shutdown
scripts etc. This can be overridden with the -P flag */ scripts etc. This can be overridden with the -P flag */
#ifndef DROPBEAR_PIDFILE
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid" #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
#endif
/* The command to invoke for xauth when using X11 forwarding. /* The command to invoke for xauth when using X11 forwarding.
* "-q" for quiet */ * "-q" for quiet */
#ifndef XAUTH_COMMAND
#define XAUTH_COMMAND "/usr/bin/xauth -q" #define XAUTH_COMMAND "/usr/bin/xauth -q"
#endif
/* if you want to enable running an sftp server (such as the one included with /* if you want to enable running an sftp server (such as the one included with
* OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
* The sftp-server program is not provided by Dropbear itself */ * The sftp-server program is not provided by Dropbear itself */
#ifndef DROPBEAR_SFTPSERVER
#define DROPBEAR_SFTPSERVER 1 #define DROPBEAR_SFTPSERVER 1
#endif
#ifndef SFTPSERVER_PATH
#define SFTPSERVER_PATH "/usr/libexec/sftp-server" #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
#endif
/* This is used by the scp binary when used as a client binary. If you're /* This is used by the scp binary when used as a client binary. If you're
* not using the Dropbear client, you'll need to change it */ * not using the Dropbear client, you'll need to change it */
#ifndef DROPBEAR_PATH_SSH_PROGRAM
#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient" #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
#endif
/* Whether to log commands executed by a client. This only logs the /* Whether to log commands executed by a client. This only logs the
* (single) command sent to the server, not what a user did in a * (single) command sent to the server, not what a user did in a
* shell/sftp session etc. */ * shell/sftp session etc. */
#ifndef LOG_COMMANDS
#define LOG_COMMANDS 0 #define LOG_COMMANDS 0
#endif
/* Window size limits. These tend to be a trade-off between memory /* Window size limits. These tend to be a trade-off between memory
usage and network performance: */ usage and network performance: */
@ -402,42 +263,28 @@ Homedir is prepended unless path begins with / */
significant difference to network performance. 24kB was empirically significant difference to network performance. 24kB was empirically
chosen for a 100mbit ethernet network. The value can be altered at chosen for a 100mbit ethernet network. The value can be altered at
runtime with the -W argument. */ runtime with the -W argument. */
#ifndef DEFAULT_RECV_WINDOW
#define DEFAULT_RECV_WINDOW 24576 #define DEFAULT_RECV_WINDOW 24576
#endif
/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
in order to interoperate with other implementations */ in order to interoperate with other implementations */
#ifndef RECV_MAX_PAYLOAD_LEN
#define RECV_MAX_PAYLOAD_LEN 32768 #define RECV_MAX_PAYLOAD_LEN 32768
#endif
/* Maximum size of a transmitted data packet - this can be any value, /* Maximum size of a transmitted data packet - this can be any value,
though increasing it may not make a significant difference. */ though increasing it may not make a significant difference. */
#ifndef TRANS_MAX_PAYLOAD_LEN
#define TRANS_MAX_PAYLOAD_LEN 16384 #define TRANS_MAX_PAYLOAD_LEN 16384
#endif
/* Ensure that data is transmitted every KEEPALIVE seconds. This can /* Ensure that data is transmitted every KEEPALIVE seconds. This can
be overridden at runtime with -K. 0 disables keepalives */ be overridden at runtime with -K. 0 disables keepalives */
#ifndef DEFAULT_KEEPALIVE
#define DEFAULT_KEEPALIVE 0 #define DEFAULT_KEEPALIVE 0
#endif
/* If this many KEEPALIVES are sent with no packets received from the /* If this many KEEPALIVES are sent with no packets received from the
other side, exit. Not run-time configurable - if you have a need other side, exit. Not run-time configurable - if you have a need
for runtime configuration please mail the Dropbear list */ for runtime configuration please mail the Dropbear list */
#ifndef DEFAULT_KEEPALIVE_LIMIT
#define DEFAULT_KEEPALIVE_LIMIT 3 #define DEFAULT_KEEPALIVE_LIMIT 3
#endif
/* Ensure that data is received within IDLE_TIMEOUT seconds. This can /* Ensure that data is received within IDLE_TIMEOUT seconds. This can
be overridden at runtime with -I. 0 disables idle timeouts */ be overridden at runtime with -I. 0 disables idle timeouts */
#ifndef DEFAULT_IDLE_TIMEOUT
#define DEFAULT_IDLE_TIMEOUT 0 #define DEFAULT_IDLE_TIMEOUT 0
#endif
/* The default path. This will often get replaced by the shell */ /* The default path. This will often get replaced by the shell */
#ifndef DEFAULT_PATH
#define DEFAULT_PATH "/usr/bin:/bin" #define DEFAULT_PATH "/usr/bin:/bin"
#endif
#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */

290
default_options.h.in
View File

@ -1,290 +0,0 @@
#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
#define DROPBEAR_DEFAULT_OPTIONS_H_
/*
> > > Read This < < <
default_options.h.in documents compile-time options, and provides default values.
Local customisation should be added to localoptions.h which is
used if it exists. Options defined there will override any options in this
file.
Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS
IMPORTANT: Some options will require "make clean" after changes */
#define DROPBEAR_DEFPORT "22"
/* Listen on all interfaces */
#define DROPBEAR_DEFADDRESS ""
/* Default hostkey paths - these can be specified on the command line */
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
* on chosen ports and keeps accepting connections. This is the default.
*
* Set INETD_MODE if you want to be able to run Dropbear with inetd (or
* similar), where it will use stdin/stdout for connections, and each process
* lasts for a single connection. Dropbear should be invoked with the -i flag
* for inetd, and can only accept IPv4 connections.
*
* Both of these flags can be defined at once, don't compile without at least
* one of them. */
#define NON_INETD_MODE 1
#define INETD_MODE 1
/* Include verbose debug output, enabled with -v at runtime.
* This will add a reasonable amount to your executable size. */
#define DEBUG_TRACE 0
/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
* several kB in binary size however will make the symmetrical ciphers and hashes
* slower, perhaps by 50%. Recommended for small systems that aren't doing
* much traffic. */
#define DROPBEAR_SMALL_CODE 1
/* Enable X11 Forwarding - server only */
#define DROPBEAR_X11FWD 1
/* Enable TCP Fowarding */
/* 'Local' is "-L" style (client listening port forwarded via server)
* 'Remote' is "-R" style (server listening port forwarded via client) */
#define DROPBEAR_CLI_LOCALTCPFWD 1
#define DROPBEAR_CLI_REMOTETCPFWD 1
#define DROPBEAR_SVR_LOCALTCPFWD 1
#define DROPBEAR_SVR_REMOTETCPFWD 1
/* Enable Authentication Agent Forwarding */
#define DROPBEAR_SVR_AGENTFWD 1
#define DROPBEAR_CLI_AGENTFWD 1
/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
* allow multihop dbclient connections */
/* Allow using -J <proxycommand> to run the connection through a
pipe to a program, rather the normal TCP connection */
#define DROPBEAR_CLI_PROXYCMD 1
/* Enable "Netcat mode" option. This will forward standard input/output
* to a remote TCP-forwarded connection */
#define DROPBEAR_CLI_NETCAT 1
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#define DROPBEAR_USER_ALGO_LIST 1
/* Encryption - at least one required.
* AES128 should be enabled, some very old implementations might only
* support 3DES.
* Including both AES keysize variants (128 and 256) will result in
* a minimal size increase */
#define DROPBEAR_AES128 1
#define DROPBEAR_3DES 1
#define DROPBEAR_AES256 1
#define DROPBEAR_TWOFISH256 0
#define DROPBEAR_TWOFISH128 0
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
#define DROPBEAR_BLOWFISH 0
/* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */
#define DROPBEAR_ENABLE_CBC_MODE 1
/* Enable "Counter Mode" for ciphers. This is more secure than
* CBC mode against certain attacks. It is recommended for security
* and forwards compatibility */
#define DROPBEAR_ENABLE_CTR_MODE 1
/* Message integrity. sha2-256 is recommended as a default,
sha1 for compatibility */
#define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_SHA1_96_HMAC 1
#define DROPBEAR_SHA2_256_HMAC 1
/* Hostkey/public key algorithms - at least one required, these are used
* for hostkey as well as for verifying signatures with pubkey auth.
* Removing either of these won't save very much space.
* RSA is recommended
* DSS may be necessary to connect to some systems though
is not recommended for new keys */
#define DROPBEAR_RSA 1
#define DROPBEAR_DSS 1
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
* code (either ECDSA or ECDH) increases binary size - around 30kB
* on x86-64 */
#define DROPBEAR_ECDSA 1
/* RSA must be >=1024 */
#define DROPBEAR_DEFAULT_RSA_SIZE 2048
/* DSS is always 1024 */
/* ECDSA defaults to largest size configured, usually 521 */
/* Add runtime flag "-R" to generate hostkeys as-needed when the first
connection using that key type occurs.
This avoids the need to otherwise run "dropbearkey" and avoids some problems
with badly seeded /dev/urandom when systems first boot. */
#define DROPBEAR_DELAY_HOSTKEY 1
/* Key exchange algorithm.
* group14_sha1 - 2048 bit, sha1
* group14_sha256 - 2048 bit, sha2-256
* group16 - 4096 bit, sha2-512
* group1 - 1024 bit, sha1
* curve25519 - elliptic curve DH
* ecdh - NIST elliptic curve DH (256, 384, 521)
*
* group1 is too small for security though is necessary if you need
compatibility with some implementations such as Dropbear versions < 0.53
* group14 is supported by most implementations.
* group16 provides a greater strength level but is slower and increases binary size
* curve25519 and ecdh algorithms are faster than non-elliptic curve methods
* curve25519 increases binary size by ~8kB on x86-64
* including either ECDH or ECDSA increases binary size by ~30kB on x86-64
* Small systems should generally include either curve25519 or ecdh for performance.
* curve25519 is less widely supported but is faster
*/
#define DROPBEAR_DH_GROUP1 1
#define DROPBEAR_DH_GROUP14_SHA1 1
#define DROPBEAR_DH_GROUP14_SHA256 1
#define DROPBEAR_DH_GROUP16 0
#define DROPBEAR_CURVE25519 1
#define DROPBEAR_ECDH 1
/* Control the memory/performance/compression tradeoff for zlib.
* Set windowBits=8 for least memory usage, see your system's
* zlib.h for full details.
* Default settings (windowBits=15) will use 256kB for compression
* windowBits=8 will use 129kB for compression.
* Both modes will use ~35kB for decompression (using windowBits=15 for
* interoperability) */
#define DROPBEAR_ZLIB_WINDOW_BITS 15
/* Whether to do reverse DNS lookups. */
#define DO_HOST_LOOKUP 0
/* Whether to print the message of the day (MOTD). */
#define DO_MOTD 0
#define MOTD_FILENAME "/etc/motd"
/* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */
#define DROPBEAR_SVR_PASSWORD_AUTH 1
/* Note: PAM auth is quite simple and only works for PAM modules which just do
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
* It's useful for systems like OS X where standard password crypts don't work
* but there's an interface via a PAM module. It won't work for more complex
* PAM challenge/response.
* You can't enable both PASSWORD and PAM. */
#define DROPBEAR_SVR_PAM_AUTH 0
/* ~/.ssh/authorized_keys authentication */
#define DROPBEAR_SVR_PUBKEY_AUTH 1
/* Whether to take public key options in
* authorized_keys file into account */
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
/* Client authentication options */
#define DROPBEAR_CLI_PASSWORD_AUTH 1
#define DROPBEAR_CLI_PUBKEY_AUTH 1
/* A default argument for dbclient -i <privatekey>.
Homedir is prepended unless path begins with / */
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
* environment variable. */
#define DROPBEAR_USE_PASSWORD_ENV 1
/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
* a helper program for the ssh client. The helper program should be
* specified in the SSH_ASKPASS environment variable, and dbclient
* should be run with DISPLAY set and no tty. The program should
* return the password on standard output */
#define DROPBEAR_CLI_ASKPASS_HELPER 0
/* Save a network roundtrip by sendng a real auth request immediately after
* sending a query for the available methods. This is not yet enabled by default
since it could cause problems with non-compliant servers */
#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
/* Set this to use PRNGD or EGD instead of /dev/urandom */
#define DROPBEAR_USE_PRNGD 0
#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
/* Specify the number of clients we will allow to be connected but
* not yet authenticated. After this limit, connections are rejected */
/* The first setting is per-IP, to avoid denial of service */
#define MAX_UNAUTH_PER_IP 5
/* And then a global limit to avoid chewing memory if connections
* come from many IPs */
#define MAX_UNAUTH_CLIENTS 30
/* Default maximum number of failed authentication tries (server option) */
/* -T server option overrides */
#define MAX_AUTH_TRIES 10
/* The default file to store the daemon's process ID, for shutdown
scripts etc. This can be overridden with the -P flag */
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
/* The command to invoke for xauth when using X11 forwarding.
* "-q" for quiet */
#define XAUTH_COMMAND "/usr/bin/xauth -q"
/* if you want to enable running an sftp server (such as the one included with
* OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
* The sftp-server program is not provided by Dropbear itself */
#define DROPBEAR_SFTPSERVER 1
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
/* This is used by the scp binary when used as a client binary. If you're
* not using the Dropbear client, you'll need to change it */
#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
/* Whether to log commands executed by a client. This only logs the
* (single) command sent to the server, not what a user did in a
* shell/sftp session etc. */
#define LOG_COMMANDS 0
/* Window size limits. These tend to be a trade-off between memory
usage and network performance: */
/* Size of the network receive window. This amount of memory is allocated
as a per-channel receive buffer. Increasing this value can make a
significant difference to network performance. 24kB was empirically
chosen for a 100mbit ethernet network. The value can be altered at
runtime with the -W argument. */
#define DEFAULT_RECV_WINDOW 24576
/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
in order to interoperate with other implementations */
#define RECV_MAX_PAYLOAD_LEN 32768
/* Maximum size of a transmitted data packet - this can be any value,
though increasing it may not make a significant difference. */
#define TRANS_MAX_PAYLOAD_LEN 16384
/* Ensure that data is transmitted every KEEPALIVE seconds. This can
be overridden at runtime with -K. 0 disables keepalives */
#define DEFAULT_KEEPALIVE 0
/* If this many KEEPALIVES are sent with no packets received from the
other side, exit. Not run-time configurable - if you have a need
for runtime configuration please mail the Dropbear list */
#define DEFAULT_KEEPALIVE_LIMIT 3
/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
be overridden at runtime with -I. 0 disables idle timeouts */
#define DEFAULT_IDLE_TIMEOUT 0
/* The default path. This will often get replaced by the shell */
#define DEFAULT_PATH "/usr/bin:/bin"
#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */

2
ifndef_wrapper.sh
View File

@ -2,6 +2,6 @@
# Wrap all "#define X Y" with a #ifndef X...#endif" # Wrap all "#define X Y" with a #ifndef X...#endif"
sed -E 's/^(#define ([^ ]+) .*)/#ifndef \2\ sed -E 's/^( *#define ([^ ]+) .*)/#ifndef \2\
\1\ \1\
#endif/' #endif/'

3
options.h
View File

@ -15,7 +15,8 @@ See default_options.h.in for a description of the available options.
#include "localoptions.h" #include "localoptions.h"
#endif #endif
#include "default_options.h" /* default_options.h is processed to add #ifndef guards */
#include "default_options_guard.h"
/* Some other defines that mostly should be left alone are defined /* Some other defines that mostly should be left alone are defined
* in sysoptions.h */ * in sysoptions.h */