dropbear: minor config clarification

- "default n" is not needed: options are not selected by default - wrap config on 80 characters width (assuming tab is 8 characters long) - add feature cost size and security notes for DROPBEAR_AGENTFORWARD and DROPBEAR_DBCLIENT_AGENTFORWARD: describe why and where it should be disabled Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-01-09 03:40:01 +03:00 · 2024-01-09 03:40:01 +03:00 · 0b277f8659
commit 0b277f8659
parent fa849fd411
1 changed files with 41 additions and 14 deletions
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@ -12,7 +12,6 @@ config DROPBEAR_CURVE25519
 config DROPBEAR_ECC
 	bool "Elliptic curve cryptography (ECC)"
 	default n
 	help
 		Enables basic support for elliptic curve cryptography (ECC)
 		in key exchange and public key authentication.
@ -25,11 +24,10 @@ config DROPBEAR_ECC
 		Increases binary size by about 24 kB (MIPS).
-		If full ECC support is required, also select DROPBEAR_ECC_FULL.
+		Note: select DROPBEAR_ECC_FULL if full ECC support is required.
 config DROPBEAR_ECC_FULL
 	bool "Elliptic curve cryptography (ECC), full support"
 	default n
 	depends on DROPBEAR_ECC
 	help
 		Enables full support for elliptic curve cryptography (ECC)
@ -69,36 +67,50 @@ config DROPBEAR_CHACHA20POLY1305
 config DROPBEAR_ZLIB
 	bool "Enable compression"
 	default n
 	help
 		Enables compression using shared zlib library.
-		Increases binary size by about 0.1 kB (MIPS) and requires additional 62 kB (MIPS)
+		Increases binary size by about 0.1 kB (MIPS) and requires
-		for a shared zlib library.
+		additional 62 kB (MIPS) for a shared zlib library.
 config DROPBEAR_UTMP
 	bool "Utmp support"
 	default n
 	depends on BUSYBOX_CONFIG_FEATURE_UTMP
 	help
-		This enables dropbear utmp support, the file /var/run/utmp is used to
+		This enables dropbear utmp support, the file /var/run/utmp is
-		track who is currently logged in.
+		used to track who is currently logged in.
 config DROPBEAR_PUTUTLINE
 	bool "Pututline support"
 	default n
 	depends on DROPBEAR_UTMP
 	help
-		Dropbear will use pututline() to write the utmp structure into the utmp file.
+		Dropbear will use pututline() to write the utmp structure into
 		the utmp file.
 config DROPBEAR_DBCLIENT
 	bool "Build dropbear with dbclient"
 	default y
 config DROPBEAR_DBCLIENT_AGENTFORWARD
-	bool "Enable agent forwarding in dbclient"
+	bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
 	default y
 	depends on DROPBEAR_DBCLIENT
 	help
 		Increases binary size by about 0.1 kB (MIPS).
 		Security notes:
 		SSH agent forwarding might cause security issues (locally and
 		on the jump machine).
 		Hovewer, it's enabled by default for compatibility with
 		previous OpenWrt/dropbear releases.
 		Consider DISABLING this option if you're building own OpenWrt
 		image.
 		Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
 		server itself).
 config DROPBEAR_SCP
 	bool "Build dropbear with scp"
@ -106,7 +118,6 @@ config DROPBEAR_SCP
 config DROPBEAR_ASKPASS
 	bool "Enable askpass helper support"
 	default n
 	depends on DROPBEAR_DBCLIENT
 	help
 		This enables support for ssh-askpass helper in dropbear client
@ -115,7 +126,23 @@ config DROPBEAR_ASKPASS
 		Increases binary size by about 0.1 kB (MIPS).
 config DROPBEAR_AGENTFORWARD
-	bool "Enable agent forwarding"
+	bool "Enable agent forwarding [LEGACY/SECURITY]"
 	default y
 	help
 		Increases binary size by about 0.1 kB (MIPS).
 		Security notes:
 		SSH agent forwarding might cause security issues (locally and
 		on the jump machine).
 		Hovewer, it's enabled by default for compatibility with
 		previous OpenWrt/dropbear releases.
 		Consider DISABLING this option if you're building own OpenWrt
 		image.
 		Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
 		dropbear client) if DROPBEAR_DBCLIENT is selected.
 endmenu