diff options
Diffstat (limited to 'options.h')
-rw-r--r-- | options.h | 327 |
1 files changed, 327 insertions, 0 deletions
diff --git a/options.h b/options.h new file mode 100644 index 0000000..d1f1794 --- /dev/null +++ b/options.h @@ -0,0 +1,327 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2002,2003 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ + +#ifndef _OPTIONS_H_ +#define _OPTIONS_H_ + +/****************************************************************** + * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" + * parts are to allow for commandline -DDROPBEAR_XXX options etc. + ******************************************************************/ +#define DROPBEAR_SERVER +/* #define DROPBEAR_CLIENT */ + +#ifndef DROPBEAR_PORT +#define DROPBEAR_PORT 22 +#endif + +/* Default hostkey paths - these can be specified on the command line */ +#ifndef DSS_PRIV_FILENAME +#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" +#endif +#ifndef RSA_PRIV_FILENAME +#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" +#endif + +/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is + * perhaps 20% slower for pubkey operations (it is probably worth experimenting + * if you want to use this) */ +/*#define NO_FAST_EXPTMOD*/ + +/* Enable X11 Forwarding */ +#define ENABLE_X11FWD + +/* Enable TCP Fowarding */ +/* OpenSSH's "-L" style forwarding (client port forwarded via server) */ +#define ENABLE_LOCALTCPFWD +/* OpenSSH's "-R" style forwarding (server port forwarded via client) */ +#define ENABLE_REMOTETCPFWD + +/* Enable Authentication Agent Forwarding */ +#define ENABLE_AGENTFWD + +/* Encryption - at least one required. + * RFC Draft requires 3DES, and recommends Blowfish, AES128 & Twofish128 */ +#define DROPBEAR_AES128_CBC +#define DROPBEAR_BLOWFISH_CBC +#define DROPBEAR_TWOFISH128_CBC +#define DROPBEAR_3DES_CBC + +/* Integrity - at least one required. + * RFC Draft requires sha1-hmac, and recommends md5-hmac. + * + * Note: there's no point disabling sha1 to save space, since it's used in the + * for the random number generator and public-key cryptography anyway. + * Disabling it here will just stop it from being used as the integrity portion + * of the ssh protocol. + * + * These are also used for key fingerprints in logs (when pubkey auth is used), + * MD5 fingerprints are printed if available, however SHA1 fingerprints will be + * generated otherwise. This isn't exactly optimal, although SHA1 fingerprints + * are not too hard to create from pubkeys if required. */ +#define DROPBEAR_SHA1_HMAC +#define DROPBEAR_MD5_HMAC + +/* Hostkey/public key algorithms - at least one required, these are used + * for hostkey as well as for verifying signatures with pubkey auth. + * Removing either of these won't save very much space. + * SSH2 RFC Draft requires dss, recommends rsa */ +#define DROPBEAR_RSA +#define DROPBEAR_DSS + +/* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss, + * rather than just from the random byte source. Undefining this will save you + * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed + * if the random number source isn't good. In general this isn't required */ +/* #define DSS_PROTOK */ + +/* Whether to do reverse DNS lookups. This is advisable, though will add + * code size with gethostbyname() etc, so for very small environments where + * you are statically linking, you might want to undefine this */ +#define DO_HOST_LOOKUP + +/* Whether to print the message of the day (MOTD). This doesn't add much code + * size */ +#define DO_MOTD + +/* The MOTD file path */ +#ifndef MOTD_FILENAME +#define MOTD_FILENAME "/etc/motd" +#endif + +/* Authentication types to enable, at least one required. + RFC Draft requires pubkey auth, and recommends password */ +#define DROPBEAR_PASSWORD_AUTH +#define DROPBEAR_PUBKEY_AUTH + +/* Random device to use - you must specify _one only_. + * DEV_RANDOM is recommended on hosts with a good /dev/urandom, otherwise use + * PRNGD and run prngd, specifying the socket. This device must be able to + * produce a large amount of random data, so using /dev/random or Entropy + * Gathering Daemon (egd) may result in halting, as it waits for more random + * data */ +#define DROPBEAR_DEV_URANDOM /* use /dev/urandom */ + +/*#undef DROPBEAR_PRNGD */ /* use prngd socket - you must manually set up prngd + to produce output */ +#ifndef DROPBEAR_PRNGD_SOCKET +#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" +#endif + +/* Specify the number of clients we will allow to be connected but + * not yet authenticated. After this limit, connections are rejected */ +#ifndef MAX_UNAUTH_CLIENTS +#define MAX_UNAUTH_CLIENTS 30 +#endif + +/* Maximum number of failed authentication tries */ +#ifndef MAX_AUTH_TRIES +#define MAX_AUTH_TRIES 10 +#endif + +/* The file to store the daemon's process ID, for shutdown scripts etc */ +#ifndef DROPBEAR_PIDFILE +#define DROPBEAR_PIDFILE "/var/run/dropbear.pid" +#endif + +/* The command to invoke for xauth when using X11 forwarding. + * "-q" for quiet */ +#ifndef XAUTH_COMMAND +#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q" +#endif + +/* if you want to enable running an sftp server (such as the one included with + * OpenSSH), set the path below. If the path isn't defined, sftp will not + * be enabled */ +#ifndef SFTPSERVER_PATH +#define SFTPSERVER_PATH "/usr/libexec/sftp-server" +#endif + +/* This is used by the scp binary when used as a client binary */ +#define _PATH_SSH_PROGRAM "/usr/bin/ssh" + +/* Multi-purpose binary configuration - if you want to make the combined + * binary, first define DROPBEAR_MULTI, and then define which of the three + * components you want. You should then compile Dropbear with + * "make clean; make dropbearmulti". You'll need to install the binary + * manually, see MULTI for details */ + +/* #define DROPBEAR_MULTI */ + +/* The three multi binaries: dropbear, dropbearkey, dropbearconvert + * Comment out these if you don't want some of them */ +#define DBMULTI_DROPBEAR +#define DBMULTI_KEY +#define DBMULTI_CONVERT + + +/******************************************************************* + * You shouldn't edit below here unless you know you need to. + *******************************************************************/ + +#ifndef DROPBEAR_VERSION +#define DROPBEAR_VERSION "0.41" +#endif + +#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION +#define PROGNAME "dropbear" + +/* Spec recommends after one hour or 1 gigabyte of data. One hour + * is a bit too verbose, so we try 8 hours */ +#ifndef KEX_REKEY_TIMEOUT +#define KEX_REKEY_TIMEOUT (3600 * 8) +#endif +#ifndef KEX_REKEY_DATA +#define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */ +#endif +/* Close connections to clients which haven't authorised after AUTH_TIMEOUT */ +#ifndef AUTH_TIMEOUT +#define AUTH_TIMEOUT 300 /* we choose 5 minutes */ +#endif + +/* Minimum key sizes for DSS and RSA */ +#ifndef MIN_DSS_KEYLEN +#define MIN_DSS_KEYLEN 512 +#endif +#ifndef MIN_RSA_KEYLEN +#define MIN_RSA_KEYLEN 512 +#endif + +#define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */ + +#define DEV_URANDOM "/dev/urandom" + +/* the number of NAME=VALUE pairs to malloc for environ, if we don't have + * the clearenv() function */ +#define ENV_SIZE 100 + +#define MAX_CMD_LEN 1024 /* max length of a command */ +#define MAX_TERM_LEN 200 /* max length of TERM name */ + +#define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */ +#define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */ + +#define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified, + ipv4 and ipv6 don't count twice */ + +#define _PATH_TTY "/dev/tty" + +/* Timeouts in seconds */ +#define SELECT_TIMEOUT 20 + +/* success/failure defines */ +#define DROPBEAR_SUCCESS 0 +#define DROPBEAR_FAILURE -1 + +/* various algorithm identifiers */ +#define DROPBEAR_KEX_DH_GROUP1 0 + +#define DROPBEAR_SIGNKEY_ANY 0 +#define DROPBEAR_SIGNKEY_RSA 1 +#define DROPBEAR_SIGNKEY_DSS 2 + +#define DROPBEAR_COMP_NONE 0 +#define DROPBEAR_COMP_ZLIB 1 + +/* Required for pubkey auth */ +#ifdef DROPBEAR_PUBKEY_AUTH +#define DROPBEAR_SIGNKEY_VERIFY +#endif + +/* SHA1 is 20 bytes == 160 bits */ +#define SHA1_HASH_SIZE 20 +/* SHA512 is 64 bytes == 512 bits */ +#define SHA512_HASH_SIZE 64 +/* MD5 is 16 bytes = 128 bits */ +#define MD5_HASH_SIZE 16 + +/* largest of MD5 and SHA1 */ +#define MAX_MAC_LEN SHA1_HASH_SIZE + + +#define MAX_KEY_LEN 24 /* 3DES requires a 24 byte key */ +#define MAX_IV_LEN 20 /* must be same as max blocksize, + and >= SHA1_HASH_SIZE */ +#define MAX_MAC_KEY 20 + +#define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't + explicitly specified for all protocols (just + for algos) but seems valid */ + +#define MAX_PROPOSED_ALGO 20 + +/* size/count limits */ +#define MAX_LISTEN_ADDR 10 + +#define MAX_PACKET_LEN 35000 +#define MIN_PACKET_LEN 16 +#define MAX_PAYLOAD_LEN 32768 + +#define MAX_TRANS_PAYLOAD_LEN 32768 +#define MAX_TRANS_PACKET_LEN (MAX_TRANS_PAYLOAD_LEN+50) + +#define MAX_TRANS_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */ +#define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */ + +#define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also + is the max length for a password etc */ + +#ifndef ENABLE_X11FWD +#define DISABLE_X11FWD +#endif + +#ifndef ENABLE_AGENTFWD +#define DISABLE_AGENTFWD +#endif + +#ifndef ENABLE_LOCALTCPFWD +#define DISABLE_LOCALTCPFWD +#endif + +#ifndef ENABLE_REMOTETCPFWD +#define DISABLE_REMOTETCPFWD +#endif + +/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant + * code, if we're just compiling as client or server */ +#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT) + +#define IS_DROPBEAR_SERVER (ses.isserver == 1) +#define IS_DROPBEAR_CLIENT (ses.isserver == 0) + +#elif defined(DROPBEAR_SERVER) + +#define IS_DROPBEAR_SERVER 1 +#define IS_DROPBEAR_CLIENT 0 + +#elif defined(DROPBEAR_CLIENT) + +#define IS_DROPBEAR_SERVER 0 +#define IS_DROPBEAR_CLIENT 1 + +#else +#error You must compiled with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected +#endif + +#endif /* _OPTIONS_H_ */ |