#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
#define DROPBEAR_DEFAULT_OPTIONS_H_
/*
 > > > Read This < < <

 default_options.h documents the compile-time options and supplies their
 default values.

 Local customisation belongs in localoptions.h, which is picked up if it
 exists in the build directory. Any option defined there overrides the
 value given in this file.

 Options can also be set with -DDROPBEAR_XXX=[0,1] in the Makefile CFLAGS.

 IMPORTANT: some options require a "make clean" after they are changed. */

/* Default port the server listens on. */
#define DROPBEAR_DEFPORT "22"

/* Default listen address. An empty string means all interfaces. */
#define DROPBEAR_DEFADDRESS ""

/* Default host key locations. Each can be overridden on the command line. */
#define DSS_PRIV_FILENAME "/usr/local/etc/dropbear/dropbear_dss_host_key"
#define RSA_PRIV_FILENAME "/usr/local/etc/dropbear/dropbear_rsa_host_key"
#define ECDSA_PRIV_FILENAME "/usr/local/etc/dropbear/dropbear_ecdsa_host_key"
#define ED25519_PRIV_FILENAME "/usr/local/etc/dropbear/dropbear_ed25519_host_key"

/* NON_INETD_MODE builds the daemon mode: Dropbear listens on the chosen
 * ports itself and keeps accepting connections. This is the default.
 *
 * INETD_MODE builds support for running under inetd (or similar): the
 * connection arrives on stdin/stdout and each process serves exactly one
 * connection. Dropbear must be started with -i for inetd, and in this mode
 * only IPv4 connections can be accepted.
 *
 * Both may be enabled at once; do not build with neither. */
#define NON_INETD_MODE 1
#define INETD_MODE 1

/* Compile in verbose debug output (enabled at runtime with -v).
 * Adds a noticeable amount to the executable size. */
#define DEBUG_TRACE 0

/* DROPBEAR_SMALL_CODE trades speed for size: it saves several kB of binary
 * but makes the symmetric ciphers and hashes slower, perhaps by 50%.
 * Recommended for small systems that do not carry much traffic. */
#define DROPBEAR_SMALL_CODE 1

/* X11 forwarding (server side only). */
#define DROPBEAR_X11FWD 0

/* TCP forwarding.
 * 'Local' is "-L" style (a client listening port forwarded via the server).
 * 'Remote' is "-R" style (a server listening port forwarded via the client). */
#define DROPBEAR_CLI_LOCALTCPFWD 1
#define DROPBEAR_CLI_REMOTETCPFWD 1

#define DROPBEAR_SVR_LOCALTCPFWD 1
#define DROPBEAR_SVR_REMOTETCPFWD 1

/* Authentication agent forwarding. */
#define DROPBEAR_SVR_AGENTFWD 1
#define DROPBEAR_CLI_AGENTFWD 1

/* Note: both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be enabled
 * for multihop dbclient connections to work. */

/* Allow -J <proxycommand>: run the connection through a pipe to a program
 * rather than over the normal TCP connection. */
#define DROPBEAR_CLI_PROXYCMD 1

/* "Netcat mode": forward standard input/output to a remote TCP-forwarded
 * connection. */
#define DROPBEAR_CLI_NETCAT 1

/* Support the "-c" and "-m" flags for choosing ciphers/MACs at runtime. */
#define DROPBEAR_USER_ALGO_LIST 1

/* Encryption - at least one cipher is required.
 * AES128 should stay enabled; only very old implementations are limited
 * to 3DES. Enabling both AES key sizes (128 and 256) costs very little
 * extra binary size. */
#define DROPBEAR_AES128 1
#define DROPBEAR_AES256 1
#define DROPBEAR_3DES 0
#define DROPBEAR_TWOFISH256 0
#define DROPBEAR_TWOFISH128 0

/* Chacha20-Poly1305 authenticated encryption. Generally faster than AES256
 * on CPUs without dedicated AES instructions, with the same key size.
 * Recommended. Adds ~5,5kB to the binary on x86-64. */
#define DROPBEAR_CHACHA20POLY1305 1

/* "Counter Mode" for the block ciphers. Recommended. */
#define DROPBEAR_ENABLE_CTR_MODE 1

/* CBC mode for the block ciphers. CBC has known security weaknesses and is
 * off by default; enable it only if compatibility with old implementations
 * requires it. */
#define DROPBEAR_ENABLE_CBC_MODE 0

/* "Galois/Counter Mode" for the block ciphers. This authenticated encryption
 * mode is a combination of CTR mode and GHASH. Recommended for security and
 * forward compatibility, but slower than CTR on CPUs without dedicated
 * AES/GHASH instructions. Adds ~6kB to the binary on x86-64. */
#define DROPBEAR_ENABLE_GCM_MODE 0

/* Message integrity. sha2-256 is the recommended default; sha1 is kept
 * only for compatibility with older peers. */
#define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_SHA2_256_HMAC 1
#define DROPBEAR_SHA1_96_HMAC 0

/* Host key / public key algorithms - at least one is required. These serve
 * both as host key types and for verifying signatures in pubkey auth.
 * Removing any of them saves little space.
 * RSA is recommended.
 * DSS may be needed to connect to some systems but is not recommended for
 * new keys. */
#define DROPBEAR_RSA 1
#define DROPBEAR_DSS 1
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC code
 * (ECDSA or ECDH) grows the binary by around 30kB on x86-64. */
#define DROPBEAR_ECDSA 1
/* Ed25519 is faster than ECDSA. Compiling it in grows the binary by around
 * 7,5kB on x86-64. */
#define DROPBEAR_ED25519 1

/* Default RSA key size in bits; must be >= 1024. */
#define DROPBEAR_DEFAULT_RSA_SIZE 2048
/* DSS is always 1024 bits. */
/* ECDSA defaults to the largest curve size compiled in, usually 521. */
/* Ed25519 is always 256 bits. */

/* Add the runtime flag "-R", which generates a host key on demand when the
 * first connection needing that key type arrives. This removes the need to
 * run "dropbearkey" beforehand and sidesteps some problems with a badly
 * seeded /dev/urandom on first boot. */
#define DROPBEAR_DELAY_HOSTKEY 1


/* Key exchange algorithms.

 * group14_sha1   - 2048 bit, sha1
 * group14_sha256 - 2048 bit, sha2-256
 * group16        - 4096 bit, sha2-512
 * group1         - 1024 bit, sha1
 * curve25519     - elliptic curve DH
 * ecdh           - NIST elliptic curve DH (256, 384, 521)
 *
 * group1 is too small to be considered secure; it exists only for
 *   compatibility with some implementations such as Dropbear versions < 0.53.
 * group14 is supported by most implementations.
 * group16 gives a higher strength level but is slower and larger.
 * curve25519 and ecdh are faster than the non-elliptic-curve methods.
 * curve25519 adds ~2,5kB to the binary on x86-64.
 * Enabling either ECDH or ECDSA adds ~30kB to the binary on x86-64.

 * Small systems should generally enable curve25519 or ecdh for performance.
 * curve25519 is less widely supported but is the faster of the two.
 */
#define DROPBEAR_DH_GROUP14_SHA1 1
#define DROPBEAR_DH_GROUP14_SHA256 1
#define DROPBEAR_DH_GROUP16 0
#define DROPBEAR_CURVE25519 1
#define DROPBEAR_ECDH 1
#define DROPBEAR_DH_GROUP1 1

/* When group1 is enabled it is offered only by the Dropbear client, never by
 * the server, because of concerns over its strength. Set to 0 to allow
 * group1 in the Dropbear server as well. */
#define DROPBEAR_DH_GROUP1_CLIENTONLY 1

/* Memory/performance/compression trade-off for zlib.
 * windowBits=8 uses the least memory; see your system's zlib.h for details.
 * The default (windowBits=15) uses 256kB for compression;
 * windowBits=8 uses 129kB for compression.
 * Either setting uses ~35kB for decompression, which always runs with
 * windowBits=15 for interoperability. */
#define DROPBEAR_ZLIB_WINDOW_BITS 15

/* Perform reverse DNS lookups on connecting hosts. */
#define DO_HOST_LOOKUP 0

/* Print the message of the day (MOTD). */
#define DO_MOTD 1
#define MOTD_FILENAME "/etc/motd"

/* Authentication types - at least one is required.
 * The RFC draft requires pubkey auth and recommends password auth. */
#define DROPBEAR_SVR_PASSWORD_AUTH 1

/* Note: PAM auth is very simple and only works with PAM modules that do a
 * plain "Login: " "Password: " exchange (the strings can be edited in
 * svr-authpam.c). It is useful on systems such as OS X where the standard
 * password crypts do not work but a PAM module provides an interface. It
 * does not support more complex PAM challenge/response.
 * PASSWORD and PAM auth cannot both be enabled. */
#define DROPBEAR_SVR_PAM_AUTH 0

/* ~/.ssh/authorized_keys authentication. */
#define DROPBEAR_SVR_PUBKEY_AUTH 1

/* Honour the public key options given in the authorized_keys file. */
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1

/* Set to 0 only if the target system has no multi-user support
 * (Linux kernel CONFIG_MULTIUSER option). The resulting binary will not
 * run on a normal system. */
#define DROPBEAR_SVR_MULTIUSER 1

/* Client authentication options. */
#define DROPBEAR_CLI_PASSWORD_AUTH 1
#define DROPBEAR_CLI_PUBKEY_AUTH 1

/* Default argument for dbclient -i <privatekey>.
 * The home directory is prepended unless the path begins with /. */
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"

/* Allow dbclient to take its password from the DROPBEAR_PASSWORD
 * environment variable. */
#define DROPBEAR_USE_PASSWORD_ENV 1

/* Together with DROPBEAR_CLI_PASSWORD_AUTH, allow the ssh client to obtain
 * the password from a helper program. The helper is named by the SSH_ASKPASS
 * environment variable; dbclient must run with DISPLAY set and no tty. The
 * helper returns the password on its standard output. */
#define DROPBEAR_CLI_ASKPASS_HELPER 0

/* Save a network round trip by sending a real auth request immediately after
 * the query for available methods. Not enabled by default yet, as it could
 * cause problems with non-compliant servers. */
#define DROPBEAR_CLI_IMMEDIATE_AUTH 0

/* Use PRNGD or EGD instead of /dev/urandom. */
#define DROPBEAR_USE_PRNGD 0
#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"

/* Limits on clients that are connected but not yet authenticated; once a
 * limit is reached, further connections are rejected. */
/* Per-IP limit, which bounds the damage a single source can do (denial of
 * service). */
#define MAX_UNAUTH_PER_IP 5

/* Global limit, so that connections arriving from many IPs cannot exhaust
 * memory. */
#define MAX_UNAUTH_CLIENTS 30

/* Default maximum number of failed authentication attempts (server option).
 * The -T server option overrides it. */
#define MAX_AUTH_TRIES 10

/* Default file in which the daemon records its process ID, for shutdown
 * scripts and the like. Overridden with the -P flag. */
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"

/* Command invoked for xauth when X11 forwarding is used. "-q" means quiet. */
#define XAUTH_COMMAND "/usr/bin/xauth -q"


/* To run an sftp server (such as the one shipped with OpenSSH), set the path
 * below and enable DROPBEAR_SFTPSERVER. The sftp-server program itself is
 * not part of Dropbear. */
#define DROPBEAR_SFTPSERVER 1
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"

/* Used by the scp binary when it acts as a client. Change this if you are
 * not using the Dropbear client. */
#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"

/* Log the command a client asks to execute. Only the single command sent to
 * the server is logged, not what the user does inside a shell/sftp session. */
#define LOG_COMMANDS 0

/* Window size limits. These trade memory usage against network
 * performance. */
/* Size of the network receive window. This much memory is allocated as a
 * per-channel receive buffer. Raising it can make a significant difference to
 * network performance; 24kB was chosen empirically for a 100mbit ethernet
 * network. Adjustable at runtime with the -W argument. */
#define DEFAULT_RECV_WINDOW 24576
/* Maximum size of a received SSH data packet. This _MUST_ be >= 32768 to
 * interoperate with other implementations. */
#define RECV_MAX_PAYLOAD_LEN 32768
/* Maximum size of a transmitted data packet. Any value works, though a
 * larger one may not make a significant difference. */
#define TRANS_MAX_PAYLOAD_LEN 16384

/* Transmit something at least every KEEPALIVE seconds. Overridable at
 * runtime with -K; 0 disables keepalives. */
#define DEFAULT_KEEPALIVE 0

/* Exit after this many keepalives are sent with nothing received from the
 * other side. Not configurable at runtime - if you need that, please mail
 * the Dropbear list. */
#define DEFAULT_KEEPALIVE_LIMIT 3

/* Require data to be received within IDLE_TIMEOUT seconds. Overridable at
 * runtime with -I; 0 disables idle timeouts. */
#define DEFAULT_IDLE_TIMEOUT 0

/* Default PATH for sessions. The shell will often replace it. */
#define DEFAULT_PATH "/usr/bin:/bin"

#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */