1/* Dropbear SSH 2 * Copyright (c) 2002,2003 Matt Johnston 3 * All rights reserved. See LICENSE for the license. */ 4 5#ifndef _OPTIONS_H_ 6#define _OPTIONS_H_ 7 8/****************************************************************** 9 * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" 10 * parts are to allow for commandline -DDROPBEAR_XXX options etc. 11 ******************************************************************/ 12 13#ifndef DROPBEAR_DEFPORT 14#define DROPBEAR_DEFPORT "22" 15#endif 16 17#ifndef DROPBEAR_DEFADDRESS 18/* Listen on all interfaces */ 19#define DROPBEAR_DEFADDRESS "" 20#endif 21 22/* Default hostkey paths - these can be specified on the command line */ 23#ifndef DSS_PRIV_FILENAME 24#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" 25#endif 26#ifndef RSA_PRIV_FILENAME 27#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" 28#endif 29 30/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens 31 * on chosen ports and keeps accepting connections. This is the default. 32 * 33 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or 34 * similar), where it will use stdin/stdout for connections, and each process 35 * lasts for a single connection. Dropbear should be invoked with the -i flag 36 * for inetd, and can only accept IPv4 connections. 37 * 38 * Both of these flags can be defined at once, don't compile without at least 39 * one of them. */ 40#define NON_INETD_MODE 41#define INETD_MODE 42 43/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is 44 * perhaps 20% slower for pubkey operations (it is probably worth experimenting 45 * if you want to use this) */ 46/*#define NO_FAST_EXPTMOD*/ 47 48/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save 49several kB in binary size, however will make the symmetrical ciphers (AES, DES 50etc) slower (perhaps by 50%). Recommended for most small systems. */ 51#define DROPBEAR_SMALL_CODE 52 53/* Enable X11 Forwarding - server only */ 54#define ENABLE_X11FWD 55 56/* Enable TCP Fowarding */ 57/* 'Local' is "-L" style (client listening port forwarded via server) 58 * 'Remote' is "-R" style (server listening port forwarded via client) */ 59 60#define ENABLE_CLI_LOCALTCPFWD 61#define ENABLE_CLI_REMOTETCPFWD 62 63#define ENABLE_SVR_LOCALTCPFWD 64#define ENABLE_SVR_REMOTETCPFWD 65 66/* Enable Authentication Agent Forwarding - server only for now */ 67#define ENABLE_AGENTFWD 68 69/* Encryption - at least one required. 70 * RFC Draft requires 3DES and recommends AES128 for interoperability. 71 * Including multiple keysize variants the same cipher 72 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ 73#define DROPBEAR_AES128_CBC 74#define DROPBEAR_3DES_CBC 75//#define DROPBEAR_AES256_CBC 76//#define DROPBEAR_BLOWFISH_CBC 77//#define DROPBEAR_TWOFISH256_CBC 78//#define DROPBEAR_TWOFISH128_CBC 79 80/* Message Integrity - at least one required. 81 * RFC Draft requires sha1 and recommends sha1-96. 82 * sha1-96 may be of use for slow links, as it has a smaller overhead. 83 * 84 * Note: there's no point disabling sha1 to save space, since it's used 85 * for the random number generator and public-key cryptography anyway. 86 * Disabling it here will just stop it from being used as the integrity portion 87 * of the ssh protocol. 88 * 89 * These hashes are also used for public key fingerprints in logs. 90 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, 91 * which are not the standard form. */ 92#define DROPBEAR_SHA1_HMAC 93#define DROPBEAR_SHA1_96_HMAC 94#define DROPBEAR_MD5_HMAC 95 96/* Hostkey/public key algorithms - at least one required, these are used 97 * for hostkey as well as for verifying signatures with pubkey auth. 98 * Removing either of these won't save very much space. 99 * SSH2 RFC Draft requires dss, recommends rsa */ 100#define DROPBEAR_RSA 101#define DROPBEAR_DSS 102 103/* RSA can be vulnerable to timing attacks which use the time required for 104 * signing to guess the private key. Blinding avoids this attack, though makes 105 * signing operations slightly slower. */ 106#define RSA_BLINDING 107 108/* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss, 109 * rather than just from the random byte source. Undefining this will save you 110 * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed 111 * if the random number source isn't good. In general this isn't required */ 112/* #define DSS_PROTOK */ 113 114/* Whether to do reverse DNS lookups. */ 115#define DO_HOST_LOOKUP 116 117/* Whether to print the message of the day (MOTD). This doesn't add much code 118 * size */ 119#define DO_MOTD 120 121/* The MOTD file path */ 122#ifndef MOTD_FILENAME 123#define MOTD_FILENAME "/etc/motd" 124#endif 125 126/* Authentication Types - at least one required. 127 RFC Draft requires pubkey auth, and recommends password */ 128 129/* Note: PAM auth is quite simple, and only works for PAM modules which just do 130 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). 131 * It's useful for systems like OS X where standard password crypts don't work, 132 * but there's an interface via a PAM module - don't bother using it otherwise. 133 * You can't enable both PASSWORD and PAM. */ 134 135#define ENABLE_SVR_PASSWORD_AUTH 136/*#define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */ 137#define ENABLE_SVR_PUBKEY_AUTH 138 139#define ENABLE_CLI_PASSWORD_AUTH 140#define ENABLE_CLI_PUBKEY_AUTH 141#define ENABLE_CLI_INTERACT_AUTH 142 143/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of 144 * a helper program for the ssh client. The helper program should be 145 * specified in the SSH_ASKPASS environment variable, and dbclient 146 * should be run with DISPLAY set and no tty. The program should 147 * return the password on standard output */ 148/*#define ENABLE_CLI_ASKPASS_HELPER*/ 149 150/* Random device to use - define either DROPBEAR_RANDOM_DEV or 151 * DROPBEAR_PRNGD_SOCKET. 152 * DROPBEAR_RANDOM_DEV is recommended on hosts with a good /dev/(u)random, 153 * otherwise use run prngd (or egd if you want), specifying the socket. 154 * The device will be queried for a few dozen bytes of seed a couple of times 155 * per session (or more for very long-lived sessions). */ 156 157/* If you are lacking entropy on the system then using /dev/urandom 158 * will prevent Dropbear from blocking on the device. This could 159 * however significantly reduce the security of your ssh connections 160 * if the PRNG state becomes guessable - make sure you know what you are 161 * doing if you change this. */ 162#define DROPBEAR_RANDOM_DEV "/dev/random" 163 164/* prngd must be manually set up to produce output */ 165/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ 166 167/* Specify the number of clients we will allow to be connected but 168 * not yet authenticated. After this limit, connections are rejected */ 169/* The first setting is per-IP, to avoid denial of service */ 170#ifndef MAX_UNAUTH_PER_IP 171#define MAX_UNAUTH_PER_IP 5 172#endif 173 174/* And then a global limit to avoid chewing memory if connections 175 * come from many IPs */ 176#ifndef MAX_UNAUTH_CLIENTS 177#define MAX_UNAUTH_CLIENTS 30 178#endif 179 180/* Maximum number of failed authentication tries (server option) */ 181#ifndef MAX_AUTH_TRIES 182#define MAX_AUTH_TRIES 10 183#endif 184 185/* The default file to store the daemon's process ID, for shutdown 186 scripts etc. This can be overridden with the -P flag */ 187#ifndef DROPBEAR_PIDFILE 188#define DROPBEAR_PIDFILE "/var/run/dropbear.pid" 189#endif 190 191/* The command to invoke for xauth when using X11 forwarding. 192 * "-q" for quiet */ 193#ifndef XAUTH_COMMAND 194#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q" 195#endif 196 197/* if you want to enable running an sftp server (such as the one included with 198 * OpenSSH), set the path below. If the path isn't defined, sftp will not 199 * be enabled */ 200#ifndef SFTPSERVER_PATH 201#define SFTPSERVER_PATH "/usr/libexec/sftp-server" 202#endif 203 204/* This is used by the scp binary when used as a client binary. If you're 205 * not using the Dropbear client, you'll need to change it */ 206#define _PATH_SSH_PROGRAM "/system/xbin/ssh" 207 208/* Whether to log commands executed by a client. This only logs the 209 * (single) command sent to the server, not what a user did in a 210 * shell/sftp session etc. */ 211/* #define LOG_COMMANDS */ 212 213/******************************************************************* 214 * You shouldn't edit below here unless you know you need to. 215 *******************************************************************/ 216 217#ifndef DROPBEAR_VERSION 218#define DROPBEAR_VERSION "0.49" 219#endif 220 221#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION 222#define PROGNAME "dropbear" 223 224/* Spec recommends after one hour or 1 gigabyte of data. One hour 225 * is a bit too verbose, so we try 8 hours */ 226#ifndef KEX_REKEY_TIMEOUT 227#define KEX_REKEY_TIMEOUT (3600 * 8) 228#endif 229#ifndef KEX_REKEY_DATA 230#define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */ 231#endif 232/* Close connections to clients which haven't authorised after AUTH_TIMEOUT */ 233#ifndef AUTH_TIMEOUT 234#define AUTH_TIMEOUT 300 /* we choose 5 minutes */ 235#endif 236 237/* Minimum key sizes for DSS and RSA */ 238#ifndef MIN_DSS_KEYLEN 239#define MIN_DSS_KEYLEN 512 240#endif 241#ifndef MIN_RSA_KEYLEN 242#define MIN_RSA_KEYLEN 512 243#endif 244 245#define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */ 246#define MAX_BANNER_LINES 20 /* How many lines the client will display */ 247 248/* the number of NAME=VALUE pairs to malloc for environ, if we don't have 249 * the clearenv() function */ 250#define ENV_SIZE 100 251 252#define MAX_CMD_LEN 1024 /* max length of a command */ 253#define MAX_TERM_LEN 200 /* max length of TERM name */ 254 255#define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */ 256#define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */ 257 258#define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified, 259 ipv4 and ipv6 don't count twice */ 260 261/* Each port might have at least a v4 and a v6 address */ 262#define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3) 263 264#define _PATH_TTY "/dev/tty" 265 266#define _PATH_CP "/bin/cp" 267 268/* Timeouts in seconds */ 269#define SELECT_TIMEOUT 20 270 271/* success/failure defines */ 272#define DROPBEAR_SUCCESS 0 273#define DROPBEAR_FAILURE -1 274 275/* various algorithm identifiers */ 276#define DROPBEAR_KEX_DH_GROUP1 0 277 278#define DROPBEAR_SIGNKEY_ANY 0 279#define DROPBEAR_SIGNKEY_RSA 1 280#define DROPBEAR_SIGNKEY_DSS 2 281#define DROPBEAR_SIGNKEY_NONE 3 282 283#define DROPBEAR_COMP_NONE 0 284#define DROPBEAR_COMP_ZLIB 1 285 286/* Required for pubkey auth */ 287#if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT) 288#define DROPBEAR_SIGNKEY_VERIFY 289#endif 290 291/* SHA1 is 20 bytes == 160 bits */ 292#define SHA1_HASH_SIZE 20 293/* SHA512 is 64 bytes == 512 bits */ 294#define SHA512_HASH_SIZE 64 295/* MD5 is 16 bytes = 128 bits */ 296#define MD5_HASH_SIZE 16 297 298/* largest of MD5 and SHA1 */ 299#define MAX_MAC_LEN SHA1_HASH_SIZE 300 301 302#define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */ 303#define MAX_IV_LEN 20 /* must be same as max blocksize, 304 and >= SHA1_HASH_SIZE */ 305#define MAX_MAC_KEY 20 306 307#define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't 308 explicitly specified for all protocols (just 309 for algos) but seems valid */ 310 311#define MAX_PROPOSED_ALGO 20 312 313/* size/count limits */ 314 315#define MAX_PACKET_LEN 35000 316#define MIN_PACKET_LEN 16 317#define MAX_PAYLOAD_LEN 32768 318 319#define MAX_TRANS_PAYLOAD_LEN 32768 320#define MAX_TRANS_PACKET_LEN (MAX_TRANS_PAYLOAD_LEN+50) 321 322#define MAX_TRANS_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */ 323#define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */ 324 325#define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also 326 is the max length for a password etc */ 327 328/* For a 4096 bit DSS key, empirically determined */ 329#define MAX_PUBKEY_SIZE 1700 330/* For a 4096 bit DSS key, empirically determined */ 331#define MAX_PRIVKEY_SIZE 1700 332 333/* The maximum size of the bignum portion of the kexhash buffer */ 334/* Sect. 8 of the transport draft, K_S + e + f + K */ 335#define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130) 336 337#define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit 338 in a few years time.... */ 339 340#define DROPBEAR_MAX_CLI_PASS 1024 341 342#define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll 343 accept for keyb-interactive 344 auth */ 345 346#if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC) 347#define DROPBEAR_AES_CBC 348#endif 349 350#if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC) 351#define DROPBEAR_TWOFISH_CBC 352#endif 353 354#ifndef ENABLE_X11FWD 355#define DISABLE_X11FWD 356#endif 357 358#ifndef ENABLE_AGENTFWD 359#define DISABLE_AGENTFWD 360#endif 361 362#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) 363#define ENABLE_CLI_ANYTCPFWD 364#endif 365 366#if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD) 367#define DROPBEAR_TCP_ACCEPT 368#endif 369 370#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \ 371 defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \ 372 defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD) 373#define USING_LISTENERS 374#endif 375 376#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH) 377#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */ 378#endif 379 380#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH) 381#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h" 382#endif 383 384#if defined(DROPBEAR_RANDOM_DEV) && defined(DROPBEAR_PRNGD_SOCKET) 385#error "You can't turn on DROPBEAR_PRNGD_SOCKET and DROPBEAR_RANDOM_DEV at once" 386#endif 387 388#if !defined(DROPBEAR_RANDOM_DEV) && !defined(DROPBEAR_PRNGD_SOCKET) 389#error "You must choose one of DROPBEAR_PRNGD_SOCKET or DROPBEAR_RANDOM_DEV in options.h" 390#endif 391 392/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant 393 * code, if we're just compiling as client or server */ 394#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT) 395 396#define IS_DROPBEAR_SERVER (ses.isserver == 1) 397#define IS_DROPBEAR_CLIENT (ses.isserver == 0) 398 399#elif defined(DROPBEAR_SERVER) 400 401#define IS_DROPBEAR_SERVER 1 402#define IS_DROPBEAR_CLIENT 0 403 404#elif defined(DROPBEAR_CLIENT) 405 406#define IS_DROPBEAR_SERVER 0 407#define IS_DROPBEAR_CLIENT 1 408 409#else 410#error You must compiled with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected 411#endif 412 413#endif /* _OPTIONS_H_ */ 414