diff options
| author | Matt Johnston <matt@ucc.asn.au> | 2012-05-16 22:54:51 +0800 |
|---|---|---|
| committer | Matt Johnston <matt@ucc.asn.au> | 2012-05-16 22:54:51 +0800 |
| commit | f40ed8bad70fc9bb2ffb3cb7f81dd0352103612b (patch) | |
| tree | b124a417e1420f5fbb976d03f40417b15d162e9c /options.h | |
| parent | 41f50057f1671f4fd44cf7bc752a54f0897b709c (diff) | |
| parent | 1912439526aff3ebb50aaf370b1744ba3d3e8fc5 (diff) | |
Update insecure-nocrypto to current head
--HG--
branch : insecure-nocrypto
Diffstat (limited to 'options.h')
| -rw-r--r-- | options.h | 20 |
1 files changed, 19 insertions, 1 deletions
@@ -97,6 +97,18 @@ much traffic. */ * size and is recommended for most cases */ #define DROPBEAR_ENABLE_CTR_MODE +/* You can compile with no encryption if you want. In some circumstances + * this could be safe security-wise, though make sure you know what + * you're doing. Anyone can see everything that goes over the wire, so + * the only safe auth method is public key. You'll have to disable all other + * ciphers above in the client if you want to use this, or implement cipher + * prioritisation in cli-runopts. + * + * The best way to do things is probably make normal compile of dropbear with + * all ciphers including "none" as the server, then recompile a special + * "dbclient-insecure" client. */ +/* #define DROPBEAR_NONE_CIPHER */ + /* Message Integrity - at least one required. * Protocol RFC requires sha1 and recommends sha1-96. * sha1-96 is of use for slow links as it has a smaller overhead. @@ -109,13 +121,19 @@ much traffic. */ * These hashes are also used for public key fingerprints in logs. * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * which are not the standard form. */ - #define DROPBEAR_SHA1_HMAC #define DROPBEAR_SHA1_96_HMAC /*#define DROPBEAR_SHA2_256_HMAC*/ /*#define DROPBEAR_SHA2_512_HMAC*/ #define DROPBEAR_MD5_HMAC +/* You can also disable integrity. Don't bother disabling this if you're + * still using a cipher, it's relatively cheap. If you disable this it's dead + * simple to run arbitrary commands on the remote host. Beware. + * Note again, for the client you will have to disable other hashes above + * to use this. */ +/* #define DROPBEAR_NONE_INTEGRITY */ + /* Hostkey/public key algorithms - at least one required, these are used * for hostkey as well as for verifying signatures with pubkey auth. * Removing either of these won't save very much space. |