Home | History | Annotate | Download | only in dropbear
      1 /* Dropbear SSH
      2  * Copyright (c) 2002,2003 Matt Johnston
      3  * All rights reserved. See LICENSE for the license. */
      4 
      5 #ifndef _OPTIONS_H_
      6 #define _OPTIONS_H_
      7 
      8 /******************************************************************
      9  * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
     10  * parts are to allow for commandline -DDROPBEAR_XXX options etc.
     11  ******************************************************************/
     12 
     13 #ifndef DROPBEAR_DEFPORT
     14 #define DROPBEAR_DEFPORT "22"
     15 #endif
     16 
     17 #ifndef DROPBEAR_DEFADDRESS
     18 /* Listen on all interfaces */
     19 #define DROPBEAR_DEFADDRESS ""
     20 #endif
     21 
     22 /* Default hostkey paths - these can be specified on the command line */
     23 #ifndef DSS_PRIV_FILENAME
     24 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
     25 #endif
     26 #ifndef RSA_PRIV_FILENAME
     27 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
     28 #endif
     29 
     30 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
     31  * on chosen ports and keeps accepting connections. This is the default.
     32  *
     33  * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
     34  * similar), where it will use stdin/stdout for connections, and each process
     35  * lasts for a single connection. Dropbear should be invoked with the -i flag
     36  * for inetd, and can only accept IPv4 connections.
     37  *
     38  * Both of these flags can be defined at once, don't compile without at least
     39  * one of them. */
     40 #define NON_INETD_MODE
     41 #define INETD_MODE
     42 
     43 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
     44  * perhaps 20% slower for pubkey operations (it is probably worth experimenting
     45  * if you want to use this) */
     46 /*#define NO_FAST_EXPTMOD*/
     47 
     48 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
     49 several kB in binary size, however will make the symmetrical ciphers (AES, DES
     50 etc) slower (perhaps by 50%). Recommended for most small systems. */
     51 #define DROPBEAR_SMALL_CODE
     52 
     53 /* Enable X11 Forwarding - server only */
     54 #define ENABLE_X11FWD
     55 
     56 /* Enable TCP Fowarding */
     57 /* 'Local' is "-L" style (client listening port forwarded via server)
     58  * 'Remote' is "-R" style (server listening port forwarded via client) */
     59 
     60 #define ENABLE_CLI_LOCALTCPFWD
     61 #define ENABLE_CLI_REMOTETCPFWD
     62 
     63 #define ENABLE_SVR_LOCALTCPFWD
     64 #define ENABLE_SVR_REMOTETCPFWD
     65 
     66 /* Enable Authentication Agent Forwarding - server only for now */
     67 #define ENABLE_AGENTFWD
     68 
     69 /* Encryption - at least one required.
     70  * RFC Draft requires 3DES and recommends AES128 for interoperability.
     71  * Including multiple keysize variants the same cipher
     72  * (eg AES256 as well as AES128) will result in a minimal size increase.*/
     73 #define DROPBEAR_AES128_CBC
     74 #define DROPBEAR_3DES_CBC
     75 //#define DROPBEAR_AES256_CBC
     76 //#define DROPBEAR_BLOWFISH_CBC
     77 //#define DROPBEAR_TWOFISH256_CBC
     78 //#define DROPBEAR_TWOFISH128_CBC
     79 
     80 /* Message Integrity - at least one required.
     81  * RFC Draft requires sha1 and recommends sha1-96.
     82  * sha1-96 may be of use for slow links, as it has a smaller overhead.
     83  *
     84  * Note: there's no point disabling sha1 to save space, since it's used
     85  * for the random number generator and public-key cryptography anyway.
     86  * Disabling it here will just stop it from being used as the integrity portion
     87  * of the ssh protocol.
     88  *
     89  * These hashes are also used for public key fingerprints in logs.
     90  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
     91  * which are not the standard form. */
     92 #define DROPBEAR_SHA1_HMAC
     93 #define DROPBEAR_SHA1_96_HMAC
     94 #define DROPBEAR_MD5_HMAC
     95 
     96 /* Hostkey/public key algorithms - at least one required, these are used
     97  * for hostkey as well as for verifying signatures with pubkey auth.
     98  * Removing either of these won't save very much space.
     99  * SSH2 RFC Draft requires dss, recommends rsa */
    100 #define DROPBEAR_RSA
    101 #define DROPBEAR_DSS
    102 
    103 /* RSA can be vulnerable to timing attacks which use the time required for
    104  * signing to guess the private key. Blinding avoids this attack, though makes
    105  * signing operations slightly slower. */
    106 #define RSA_BLINDING
    107 
    108 /* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss,
    109  * rather than just from the random byte source. Undefining this will save you
    110  * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed
    111  * if the random number source isn't good. In general this isn't required */
    112 /* #define DSS_PROTOK */
    113 
    114 /* Whether to do reverse DNS lookups. */
    115 #define DO_HOST_LOOKUP
    116 
    117 /* Whether to print the message of the day (MOTD). This doesn't add much code
    118  * size */
    119 #define DO_MOTD
    120 
    121 /* The MOTD file path */
    122 #ifndef MOTD_FILENAME
    123 #define MOTD_FILENAME "/etc/motd"
    124 #endif
    125 
    126 /* Authentication Types - at least one required.
    127    RFC Draft requires pubkey auth, and recommends password */
    128 
    129 /* Note: PAM auth is quite simple, and only works for PAM modules which just do
    130  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
    131  * It's useful for systems like OS X where standard password crypts don't work,
    132  * but there's an interface via a PAM module - don't bother using it otherwise.
    133  * You can't enable both PASSWORD and PAM. */
    134 
    135 #define ENABLE_SVR_PASSWORD_AUTH
    136 /*#define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */
    137 #define ENABLE_SVR_PUBKEY_AUTH
    138 
    139 #define ENABLE_CLI_PASSWORD_AUTH
    140 #define ENABLE_CLI_PUBKEY_AUTH
    141 #define ENABLE_CLI_INTERACT_AUTH
    142 
    143 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
    144  * a helper program for the ssh client. The helper program should be
    145  * specified in the SSH_ASKPASS environment variable, and dbclient
    146  * should be run with DISPLAY set and no tty. The program should
    147  * return the password on standard output */
    148 /*#define ENABLE_CLI_ASKPASS_HELPER*/
    149 
    150 /* Random device to use - define either DROPBEAR_RANDOM_DEV or
    151  * DROPBEAR_PRNGD_SOCKET.
    152  * DROPBEAR_RANDOM_DEV is recommended on hosts with a good /dev/(u)random,
    153  * otherwise use run prngd (or egd if you want), specifying the socket.
    154  * The device will be queried for a few dozen bytes of seed a couple of times
    155  * per session (or more for very long-lived sessions). */
    156 
    157 /* If you are lacking entropy on the system then using /dev/urandom
    158  * will prevent Dropbear from blocking on the device. This could
    159  * however significantly reduce the security of your ssh connections
    160  * if the PRNG state becomes guessable - make sure you know what you are
    161  * doing if you change this. */
    162 #define DROPBEAR_RANDOM_DEV "/dev/random"
    163 
    164 /* prngd must be manually set up to produce output */
    165 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
    166 
    167 /* Specify the number of clients we will allow to be connected but
    168  * not yet authenticated. After this limit, connections are rejected */
    169 /* The first setting is per-IP, to avoid denial of service */
    170 #ifndef MAX_UNAUTH_PER_IP
    171 #define MAX_UNAUTH_PER_IP 5
    172 #endif
    173 
    174 /* And then a global limit to avoid chewing memory if connections
    175  * come from many IPs */
    176 #ifndef MAX_UNAUTH_CLIENTS
    177 #define MAX_UNAUTH_CLIENTS 30
    178 #endif
    179 
    180 /* Maximum number of failed authentication tries (server option) */
    181 #ifndef MAX_AUTH_TRIES
    182 #define MAX_AUTH_TRIES 10
    183 #endif
    184 
    185 /* The default file to store the daemon's process ID, for shutdown
    186    scripts etc. This can be overridden with the -P flag */
    187 #ifndef DROPBEAR_PIDFILE
    188 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
    189 #endif
    190 
    191 /* The command to invoke for xauth when using X11 forwarding.
    192  * "-q" for quiet */
    193 #ifndef XAUTH_COMMAND
    194 #define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q"
    195 #endif
    196 
    197 /* if you want to enable running an sftp server (such as the one included with
    198  * OpenSSH), set the path below. If the path isn't defined, sftp will not
    199  * be enabled */
    200 #ifndef SFTPSERVER_PATH
    201 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
    202 #endif
    203 
    204 /* This is used by the scp binary when used as a client binary. If you're
    205  * not using the Dropbear client, you'll need to change it */
    206 #define _PATH_SSH_PROGRAM "/system/xbin/ssh"
    207 
    208 /* Whether to log commands executed by a client. This only logs the
    209  * (single) command sent to the server, not what a user did in a
    210  * shell/sftp session etc. */
    211 /* #define LOG_COMMANDS */
    212 
    213 /*******************************************************************
    214  * You shouldn't edit below here unless you know you need to.
    215  *******************************************************************/
    216 
    217 #ifndef DROPBEAR_VERSION
    218 #define DROPBEAR_VERSION "0.49"
    219 #endif
    220 
    221 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
    222 #define PROGNAME "dropbear"
    223 
    224 /* Spec recommends after one hour or 1 gigabyte of data. One hour
    225  * is a bit too verbose, so we try 8 hours */
    226 #ifndef KEX_REKEY_TIMEOUT
    227 #define KEX_REKEY_TIMEOUT (3600 * 8)
    228 #endif
    229 #ifndef KEX_REKEY_DATA
    230 #define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
    231 #endif
    232 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
    233 #ifndef AUTH_TIMEOUT
    234 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
    235 #endif
    236 
    237 /* Minimum key sizes for DSS and RSA */
    238 #ifndef MIN_DSS_KEYLEN
    239 #define MIN_DSS_KEYLEN 512
    240 #endif
    241 #ifndef MIN_RSA_KEYLEN
    242 #define MIN_RSA_KEYLEN 512
    243 #endif
    244 
    245 #define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
    246 #define MAX_BANNER_LINES 20 /* How many lines the client will display */
    247 
    248 /* the number of NAME=VALUE pairs to malloc for environ, if we don't have
    249  * the clearenv() function */
    250 #define ENV_SIZE 100
    251 
    252 #define MAX_CMD_LEN 1024 /* max length of a command */
    253 #define MAX_TERM_LEN 200 /* max length of TERM name */
    254 
    255 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
    256 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
    257 
    258 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
    259 								 ipv4 and ipv6 don't count twice */
    260 
    261 /* Each port might have at least a v4 and a v6 address */
    262 #define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3)
    263 
    264 #define _PATH_TTY "/dev/tty"
    265 
    266 #define _PATH_CP "/bin/cp"
    267 
    268 /* Timeouts in seconds */
    269 #define SELECT_TIMEOUT 20
    270 
    271 /* success/failure defines */
    272 #define DROPBEAR_SUCCESS 0
    273 #define DROPBEAR_FAILURE -1
    274 
    275 /* various algorithm identifiers */
    276 #define DROPBEAR_KEX_DH_GROUP1 0
    277 
    278 #define DROPBEAR_SIGNKEY_ANY 0
    279 #define DROPBEAR_SIGNKEY_RSA 1
    280 #define DROPBEAR_SIGNKEY_DSS 2
    281 #define DROPBEAR_SIGNKEY_NONE 3
    282 
    283 #define DROPBEAR_COMP_NONE 0
    284 #define DROPBEAR_COMP_ZLIB 1
    285 
    286 /* Required for pubkey auth */
    287 #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
    288 #define DROPBEAR_SIGNKEY_VERIFY
    289 #endif
    290 
    291 /* SHA1 is 20 bytes == 160 bits */
    292 #define SHA1_HASH_SIZE 20
    293 /* SHA512 is 64 bytes == 512 bits */
    294 #define SHA512_HASH_SIZE 64
    295 /* MD5 is 16 bytes = 128 bits */
    296 #define MD5_HASH_SIZE 16
    297 
    298 /* largest of MD5 and SHA1 */
    299 #define MAX_MAC_LEN SHA1_HASH_SIZE
    300 
    301 
    302 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
    303 #define MAX_IV_LEN 20 /* must be same as max blocksize,
    304 						 and >= SHA1_HASH_SIZE */
    305 #define MAX_MAC_KEY 20
    306 
    307 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
    308 						   explicitly specified for all protocols (just
    309 						   for algos) but seems valid */
    310 
    311 #define MAX_PROPOSED_ALGO 20
    312 
    313 /* size/count limits */
    314 
    315 #define MAX_PACKET_LEN 35000
    316 #define MIN_PACKET_LEN 16
    317 #define MAX_PAYLOAD_LEN 32768
    318 
    319 #define MAX_TRANS_PAYLOAD_LEN 32768
    320 #define MAX_TRANS_PACKET_LEN (MAX_TRANS_PAYLOAD_LEN+50)
    321 
    322 #define MAX_TRANS_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
    323 #define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */
    324 
    325 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also
    326 							   is the max length for a password etc */
    327 
    328 /* For a 4096 bit DSS key, empirically determined */
    329 #define MAX_PUBKEY_SIZE 1700
    330 /* For a 4096 bit DSS key, empirically determined */
    331 #define MAX_PRIVKEY_SIZE 1700
    332 
    333 /* The maximum size of the bignum portion of the kexhash buffer */
    334 /* Sect. 8 of the transport draft, K_S + e + f + K */
    335 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
    336 
    337 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
    338 								in a few years time.... */
    339 
    340 #define DROPBEAR_MAX_CLI_PASS 1024
    341 
    342 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
    343 												accept for keyb-interactive
    344 												auth */
    345 
    346 #if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC)
    347 #define DROPBEAR_AES_CBC
    348 #endif
    349 
    350 #if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC)
    351 #define DROPBEAR_TWOFISH_CBC
    352 #endif
    353 
    354 #ifndef ENABLE_X11FWD
    355 #define DISABLE_X11FWD
    356 #endif
    357 
    358 #ifndef ENABLE_AGENTFWD
    359 #define DISABLE_AGENTFWD
    360 #endif
    361 
    362 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
    363 #define ENABLE_CLI_ANYTCPFWD
    364 #endif
    365 
    366 #if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
    367 #define DROPBEAR_TCP_ACCEPT
    368 #endif
    369 
    370 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
    371 	defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
    372 	defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD)
    373 #define USING_LISTENERS
    374 #endif
    375 
    376 #if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
    377 #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
    378 #endif
    379 
    380 #if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
    381 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
    382 #endif
    383 
    384 #if defined(DROPBEAR_RANDOM_DEV) && defined(DROPBEAR_PRNGD_SOCKET)
    385 #error "You can't turn on DROPBEAR_PRNGD_SOCKET and DROPBEAR_RANDOM_DEV at once"
    386 #endif
    387 
    388 #if !defined(DROPBEAR_RANDOM_DEV) && !defined(DROPBEAR_PRNGD_SOCKET)
    389 #error "You must choose one of DROPBEAR_PRNGD_SOCKET or DROPBEAR_RANDOM_DEV in options.h"
    390 #endif
    391 
    392 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
    393  * code, if we're just compiling as client or server */
    394 #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)
    395 
    396 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
    397 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
    398 
    399 #elif defined(DROPBEAR_SERVER)
    400 
    401 #define IS_DROPBEAR_SERVER 1
    402 #define IS_DROPBEAR_CLIENT 0
    403 
    404 #elif defined(DROPBEAR_CLIENT)
    405 
    406 #define IS_DROPBEAR_SERVER 0
    407 #define IS_DROPBEAR_CLIENT 1
    408 
    409 #else
    410 #error You must compiled with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected
    411 #endif
    412 
    413 #endif /* _OPTIONS_H_ */
    414