674a607488
--HG-- extra : convert_revision : cc8a8c49dc70e632c352853a39801089b08149be
/*
 * Dropbear - a SSH2 server
 *
 * Copyright (c) 2002,2003 Matt Johnston
 * All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE. */

#ifndef _OPTIONS_H_
#define _OPTIONS_H_
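/******************************************************************
 * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
 * parts are to allow for commandline -DDROPBEAR_XXX options etc.
 ******************************************************************/
#define DROPBEAR_SERVER
/* #define DROPBEAR_CLIENT */

#ifndef DROPBEAR_PORT
#define DROPBEAR_PORT 22
#endif

/* Default hostkey paths - these can be specified on the command line.
 * NOTE(review): these name private host keys, so the files should be
 * readable only by the account the server runs as. */
#ifndef DSS_PRIV_FILENAME
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
#endif
#ifndef RSA_PRIV_FILENAME
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
#endif

/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
 * perhaps 20% slower for pubkey operations (it is probably worth experimenting
 * if you want to use this) */
/*#define NO_FAST_EXPTMOD*/

/* NOTE(review): every forwarding type below is enabled by default. Each one
 * widens what an authenticated session can reach, so comment out the ones a
 * deployment does not need. */

/* Enable X11 Forwarding */
#define ENABLE_X11FWD

/* Enable TCP Forwarding */
/* OpenSSH's "-L" style forwarding (client port forwarded via server) */
#define ENABLE_LOCALTCPFWD
/* OpenSSH's "-R" style forwarding (server port forwarded via client) */
#define ENABLE_REMOTETCPFWD

/* Enable Authentication Agent Forwarding */
#define ENABLE_AGENTFWD

/* Encryption - at least one required.
 * RFC Draft requires 3DES, and recommends Blowfish, AES128 & Twofish128
 *
 * NOTE(review): this selection follows the SSH drafts current when the file
 * was written; CBC-mode ciphers, 3DES and hmac-md5 are treated as legacy by
 * later guidance, so revisit the list before reusing it. */
#define DROPBEAR_AES128_CBC
#define DROPBEAR_BLOWFISH_CBC
#define DROPBEAR_TWOFISH128_CBC
#define DROPBEAR_3DES_CBC

/* Fail the build early if every cipher listed above has been commented out,
 * since the comment above documents one as required. */
#if !defined(DROPBEAR_AES128_CBC) && !defined(DROPBEAR_BLOWFISH_CBC) \
	&& !defined(DROPBEAR_TWOFISH128_CBC) && !defined(DROPBEAR_3DES_CBC)
#error At least one encryption algorithm must be enabled
#endif

/* Integrity - at least one required.
 * RFC Draft requires sha1-hmac, and recommends md5-hmac.
 *
 * Note: there's no point disabling sha1 to save space, since it's used
 * for the random number generator and public-key cryptography anyway.
 * Disabling it here will just stop it from being used as the integrity portion
 * of the ssh protocol.
 *
 * These are also used for key fingerprints in logs (when pubkey auth is used),
 * MD5 fingerprints are printed if available, however SHA1 fingerprints will be
 * generated otherwise. This isn't exactly optimal, although SHA1 fingerprints
 * are not too hard to create from pubkeys if required. */
#define DROPBEAR_SHA1_HMAC
#define DROPBEAR_MD5_HMAC

/* Same build-time guard for the integrity algorithms. */
#if !defined(DROPBEAR_SHA1_HMAC) && !defined(DROPBEAR_MD5_HMAC)
#error At least one integrity (HMAC) algorithm must be enabled
#endif

/* Hostkey/public key algorithms - at least one required, these are used
 * for hostkey as well as for verifying signatures with pubkey auth.
 * Removing either of these won't save very much space.
 * SSH2 RFC Draft requires dss, recommends rsa */
#define DROPBEAR_RSA
#define DROPBEAR_DSS

/* Same build-time guard for the hostkey/public key algorithms. */
#if !defined(DROPBEAR_RSA) && !defined(DROPBEAR_DSS)
#error At least one hostkey/public key algorithm must be enabled
#endif

/* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss,
 * rather than just from the random byte source. Undefining this will save you
 * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed
 * if the random number source isn't good. In general this isn't required */
/* #define DSS_PROTOK */

/* Whether to do reverse DNS lookups. This is advisable, though will add
 * code size with gethostbyname() etc, so for very small environments where
 * you are statically linking, you might want to undefine this */
#define DO_HOST_LOOKUP

/* Whether to print the message of the day (MOTD). This doesn't add much code
 * size */
#define DO_MOTD

/* The MOTD file path */
#ifndef MOTD_FILENAME
#define MOTD_FILENAME "/etc/motd"
#endif

/* Authentication types to enable, at least one required.
   RFC Draft requires pubkey auth, and recommends password */
#define DROPBEAR_PASSWORD_AUTH
#define DROPBEAR_PUBKEY_AUTH

/* Same build-time guard for the authentication types. */
#if !defined(DROPBEAR_PASSWORD_AUTH) && !defined(DROPBEAR_PUBKEY_AUTH)
#error At least one authentication type must be enabled
#endif
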
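/* Random device to use - you must specify _one only_.
 * DROPBEAR_DEV_URANDOM is recommended on hosts with a good /dev/urandom,
 * otherwise use PRNGD and run prngd, specifying the socket. This device must
 * be able to produce a large amount of random data, so using /dev/random or
 * Entropy Gathering Daemon (egd) may result in halting, as it waits for more
 * random data */
#define DROPBEAR_DEV_URANDOM /* use /dev/urandom */

/*#undef DROPBEAR_PRNGD */ /* use prngd socket - you must manually set up prngd
							  to produce output */
#ifndef DROPBEAR_PRNGD_SOCKET
#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
#endif

/* Enforce the "one only" rule above at build time, so a configuration with
 * both random sources selected, or with none, is rejected before it can be
 * built. */
#if defined(DROPBEAR_DEV_URANDOM) && defined(DROPBEAR_PRNGD)
#error Select only one of DROPBEAR_DEV_URANDOM and DROPBEAR_PRNGD
#endif
#if !defined(DROPBEAR_DEV_URANDOM) && !defined(DROPBEAR_PRNGD)
#error Select one of DROPBEAR_DEV_URANDOM and DROPBEAR_PRNGD
#endif

/* Specify the number of clients we will allow to be connected but
 * not yet authenticated. After this limit, connections are rejected */
#ifndef MAX_UNAUTH_CLIENTS
#define MAX_UNAUTH_CLIENTS 30
#endif

/* Maximum number of failed authentication tries */
#ifndef MAX_AUTH_TRIES
#define MAX_AUTH_TRIES 10
#endif

/* The file to store the daemon's process ID, for shutdown scripts etc */
#ifndef DROPBEAR_PIDFILE
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
#endif

/* The command to invoke for xauth when using X11 forwarding.
 * "-q" for quiet */
#ifndef XAUTH_COMMAND
#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q"
#endif

/* if you want to enable running an sftp server (such as the one included with
 * OpenSSH), set the path below. If the path isn't defined, sftp will not
 * be enabled */
#ifndef SFTPSERVER_PATH
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
#endif

/* This is used by the scp binary when used as a client binary */
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"

/* Multi-purpose binary configuration - if you want to make the combined
 * binary, first define DROPBEAR_MULTI, and then define which of the three
 * components you want. You should then compile Dropbear with
 * "make clean; make dropbearmulti". You'll need to install the binary
 * manually, see MULTI for details */

/* #define DROPBEAR_MULTI */

/* The three multi binaries: dropbear, dropbearkey, dropbearconvert
 * Comment out these if you don't want some of them */
#define DBMULTI_DROPBEAR
#define DBMULTI_KEY
#define DBMULTI_CONVERT
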
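/*******************************************************************
 * You shouldn't edit below here unless you know you need to.
 *******************************************************************/

#ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "0.41"
#endif

/* Identification string; the version is appended by string-literal
 * concatenation. */
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
#define PROGNAME "dropbear"

/* Spec recommends after one hour or 1 gigabyte of data. One hour
 * is a bit too verbose, so we try 8 hours */
#ifndef KEX_REKEY_TIMEOUT
#define KEX_REKEY_TIMEOUT (3600 * 8)
#endif
#ifndef KEX_REKEY_DATA
#define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
#endif
/* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
#ifndef AUTH_TIMEOUT
#define AUTH_TIMEOUT 300 /* we choose 5 minutes */
#endif

/* Minimum key sizes for DSS and RSA.
 * NOTE(review): 512 bits is far below the key sizes recommended today; both
 * values can be raised with -DMIN_DSS_KEYLEN / -DMIN_RSA_KEYLEN. How the
 * limits are applied is not visible in this header - confirm in the key
 * handling code. */
#ifndef MIN_DSS_KEYLEN
#define MIN_DSS_KEYLEN 512
#endif
#ifndef MIN_RSA_KEYLEN
#define MIN_RSA_KEYLEN 512
#endif

#define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */

#define DEV_URANDOM "/dev/urandom"

/* the number of NAME=VALUE pairs to malloc for environ, if we don't have
 * the clearenv() function */
#define ENV_SIZE 100

#define MAX_CMD_LEN 1024 /* max length of a command */
#define MAX_TERM_LEN 200 /* max length of TERM name */

#define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
#define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */

#define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
								 ipv4 and ipv6 don't count twice */

#define _PATH_TTY "/dev/tty"

/* Timeouts in seconds */
#define SELECT_TIMEOUT 20

/* success/failure defines.
 * The negative value is parenthesised so that it stays a single operand
 * wherever the macro is expanded. */
#define DROPBEAR_SUCCESS 0
#define DROPBEAR_FAILURE (-1)

/* various algorithm identifiers */
#define DROPBEAR_KEX_DH_GROUP1 0

#define DROPBEAR_SIGNKEY_ANY 0
#define DROPBEAR_SIGNKEY_RSA 1
#define DROPBEAR_SIGNKEY_DSS 2

#define DROPBEAR_COMP_NONE 0
#define DROPBEAR_COMP_ZLIB 1

/* Required for pubkey auth */
#ifdef DROPBEAR_PUBKEY_AUTH
#define DROPBEAR_SIGNKEY_VERIFY
#endif
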
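/* SHA1 is 20 bytes == 160 bits */
#define SHA1_HASH_SIZE 20
/* SHA512 is 64 bytes == 512 bits */
#define SHA512_HASH_SIZE 64
/* MD5 is 16 bytes = 128 bits */
#define MD5_HASH_SIZE 16

/* largest of MD5 and SHA1 */
#define MAX_MAC_LEN SHA1_HASH_SIZE

/* Check the "largest of" claim at build time, so that a later edit to the
 * hash sizes cannot leave MAX_MAC_LEN smaller than either digest. */
#if MAX_MAC_LEN < MD5_HASH_SIZE || MAX_MAC_LEN < SHA1_HASH_SIZE
#error MAX_MAC_LEN must be at least as large as both MD5 and SHA1 digests
#endif


#define MAX_KEY_LEN 24 /* 3DES requires a 24 byte key */
#define MAX_IV_LEN 20 /* must be same as max blocksize,
						 and >= SHA1_HASH_SIZE */
#define MAX_MAC_KEY 20

/* Check the second half of the MAX_IV_LEN requirement at build time. The
 * block-size half cannot be checked here because the block sizes are not
 * defined in this header. */
#if MAX_IV_LEN < SHA1_HASH_SIZE
#error MAX_IV_LEN must be at least SHA1_HASH_SIZE
#endif

#define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
						   explicitly specified for all protocols (just
						   for algos) but seems valid */

#define MAX_PROPOSED_ALGO 20

/* size/count limits */
#define MAX_LISTEN_ADDR 10

#define MAX_PACKET_LEN 35000
#define MIN_PACKET_LEN 16
#define MAX_PAYLOAD_LEN 32768

#define MAX_TRANS_PAYLOAD_LEN 32768
#define MAX_TRANS_PACKET_LEN (MAX_TRANS_PAYLOAD_LEN+50)

#define MAX_TRANS_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
#define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */

#define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also
							   is the max length for a password etc */
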
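/* Derive a DISABLE_xxx macro for each forwarding type whose ENABLE_xxx
 * option is not defined. */
#ifndef ENABLE_X11FWD
#define DISABLE_X11FWD
#endif

#ifndef ENABLE_AGENTFWD
#define DISABLE_AGENTFWD
#endif

#ifndef ENABLE_LOCALTCPFWD
#define DISABLE_LOCALTCPFWD
#endif

#ifndef ENABLE_REMOTETCPFWD
#define DISABLE_REMOTETCPFWD
#endif

/* We use IS_DROPBEAR_CLIENT and IS_DROPBEAR_SERVER as shortcuts to avoid
 * redundant code, if we're just compiling as client or server: in a
 * single-role build they are the constants 0 and 1, in a combined build they
 * test ses.isserver. */
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)

#define IS_DROPBEAR_SERVER (ses.isserver == 1)
#define IS_DROPBEAR_CLIENT (ses.isserver == 0)

#elif defined(DROPBEAR_SERVER)

#define IS_DROPBEAR_SERVER 1
#define IS_DROPBEAR_CLIENT 0

#elif defined(DROPBEAR_CLIENT)

#define IS_DROPBEAR_SERVER 0
#define IS_DROPBEAR_CLIENT 1

#else
/* Neither role selected: stop the build with a readable message. */
#error You must compile with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected
#endif
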
#endif /* _OPTIONS_H_ */