From d8ff2d8cba7c90d7d77c493cf585142758346009 Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Tue, 8 Jul 2025 19:12:26 +0300 Subject: [PATCH] dropbear: refactor configuration This allows to fine-tune dropbear build options. This change is heavily based on similar work done by Marius Dinu earlier so I'd like to say many thanks to original author. Signed-off-by: Konstantin Demin --- package/network/services/dropbear/Config.in | 1254 +++++++++++++++-- package/network/services/dropbear/Makefile | 141 +- .../services/dropbear/files/dropbear.init | 2 +- 3 files changed, 1202 insertions(+), 195 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 0d012b21b0a..c5737c05ca4 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -1,196 +1,1152 @@ -menu "Configuration" - depends on PACKAGE_dropbear +if PACKAGE_dropbear -config DROPBEAR_CURVE25519 - bool "Curve25519 support" +## +comment "Generic options" + +config DROPBEAR_STATIC_BUILD + bool "Build static binaries" + depends on DEVEL + help + Build all programs as statically linked. + + Default: disabled. + +config DROPBEAR_LEGACY_COMPAT + bool "Enable legacy options and features" + ## TODO: remove "default y" in 2026 default y help - This enables the following key exchange algorithm: - curve25519-sha256@libssh.org + Enable legacy options to be accessible. - Increases binary size by about 4 kB (MIPS). + This enables options which are improve backward compatibility + but are also known to have negative security impact. -config DROPBEAR_ECC - bool "Elliptic curve cryptography (ECC)" - help - Enables basic support for elliptic curve cryptography (ECC) - in key exchange and public key authentication. + Default: enabled. - Key exchange algorithms: - ecdh-sha2-nistp256 - - Public key algorithms: - ecdsa-sha2-nistp256 - - Increases binary size by about 24 kB (MIPS). - - Note: select DROPBEAR_ECC_FULL if full ECC support is required. - -config DROPBEAR_ECC_FULL - bool "Elliptic curve cryptography (ECC), full support" - depends on DROPBEAR_ECC - help - Enables full support for elliptic curve cryptography (ECC) - in key exchange and public key authentication. - - Key exchange algorithms: - ecdh-sha2-nistp256 (*) - ecdh-sha2-nistp384 - ecdh-sha2-nistp521 - - Public key algorithms: - ecdsa-sha2-nistp256 (*) - ecdsa-sha2-nistp384 - ecdsa-sha2-nistp521 - - (*) - basic ECC support; provided by DROPBEAR_ECC. - - Increases binary size by about 4 kB (MIPS). - -config DROPBEAR_ED25519 - bool "Ed25519 support" - default y if !SMALL_FLASH - help - This enables the following public key algorithm: - ssh-ed25519 - - Increases binary size by about 12 kB (MIPS). - -config DROPBEAR_CHACHA20POLY1305 - bool "Chacha20-Poly1305 support" +config DROPBEAR_SMALL_CODE + bool "Small code" default y help - This enables the following authenticated encryption cipher: - chacha20-poly1305@openssh.com + Reduces binary size by several KB but makes the symmetrical ciphers and hashes slower (perhaps by 50%). - Increases binary size by about 4 kB (MIPS). + Default: enabled. -config DROPBEAR_U2F - bool "U2F/FIDO support" +config DROPBEAR_DEBUG_TRACE + int "Verbose debug log level" + range 0 5 + default 0 + help + Define how much debug output is compiled in. + + * 0 = No verbose debug (default) + * 1-3 = approx 4 Kb (connection, remote identity, algos, auth type info) + * 4 = approx 17 Kb (detailed before connection) + * 5 = approx 8 Kb (detailed after connection) + + Debug is enabled with -v at runtime. Repeat to increase. + + Default: 0. + +config DROPBEAR_LOG_COMMANDS + bool "Log commands" + help + Log the initial command sent by the clients. + + This does not include all shell / scp / sftp commands that a user executes + during a session. + + Default: disabled. + +config DROPBEAR_INETD_MODE + bool "inetd mode" + help + Allow Dropbear server to be started on-demand by inetd superserver. + + OpenWrt starts Dropbear as daemon. + + Default: disabled. + +## + +## +comment "Login options" + +config DROPBEAR_DO_HOST_LOOKUP + bool "Reverse DNS" + help + Whether to do reverse DNS lookups of incoming connection IP addresses + and report the DNS name in the log. + + Warning: If the system is under attack from many IP addresses, + this will flood the DNS servers too. + + Default: disabled. + +config DROPBEAR_SVR_PUBKEY_OPTIONS + bool "Options in authorized_keys file" default y help - This option itself doesn't enable any support for U2F/FIDO - but subordinate options do: + Whether to take into account the key options in authorized_keys file. - - DROPBEAR_ECDSA_SK - ecdsa-sk keys support - depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)") - - DROPBEAR_ED25519_SK - ed25519-sk keys support - depends on DROPBEAR_ED25519 ("Ed25519 support") + Supported options are: + * no-port-forwarding + * no-agent-forwarding + * no-X11-forwarding + * no-pty + * restrict + * permitopen="host:port" + * command="forced_command" -config DROPBEAR_ECDSA_SK - bool "ECDSA-SK support" - default y - depends on DROPBEAR_U2F && DROPBEAR_ECC + If DROPBEAR_SK_KEYS is enabled then following options are supported too: + * no-touch-required + * verify-required + + These options are documented in Dropbear man page (not installed). + + Default: enabled. + +config DROPBEAR_LASTLOG + bool "Write lastlog" help - This enables the following public key algorithm: - sk-ecdsa-sha2-nistp256@openssh.com + /var/log/lastlog is a record of the last login of each user. + To view the last login, use "lastlog" command (OpenWrt package shadow-lastlog). -config DROPBEAR_ED25519_SK - bool "Ed25519-SK support" - default y - depends on DROPBEAR_U2F && DROPBEAR_ED25519 + If enabled, Drobear will update it with SSH logins. + If disabled, SSH logins will not be recorded. + + Warning: The lastlog record is considered a security and privacy risk by some. + + Default: disabled. + +config DROPBEAR_LASTLOG_PATH + string "lastlog path:" + default "/var/log/lastlog" + depends on DROPBEAR_LASTLOG help - This enables the following public key algorithm: - sk-ssh-ed25519@openssh.com + Default: /var/log/lastlog -config DROPBEAR_ZLIB - bool "Enable compression" +config DROPBEAR_WTMP + bool "Write wtmp" help - Enables compression using shared zlib library. + /var/log/wtmp is a record of all previous logins. + The file needs to be manually created - Dropbear will update it only if it already exists. + To view login history, use "last" command, available in Busybox but not included by default. - Increases binary size by about 0.1 kB (MIPS) and requires - additional 62 kB (MIPS) for a shared zlib library. + If enabled, Dropbear will add SSH logins to the record. + If disabled, SSH logins will not be recorded. + + Warning: The wtmp record is considered a security and privacy risk by some. + + Default: disabled. + +config DROPBEAR_WTMP_PATH + string "wtmp path:" + default "/var/log/wtmp" + depends on DROPBEAR_WTMP + help + Default: /var/log/wtmp + +# ---- MUSL UTMP ---- +# In musl, pututline() and related functions are all stubs, and login(), logout() and ttyslot() don't exist. +# In Dropbear there is an option to write to utmp directly, but it uses ttyslot(). +# So, there is currently no way to make utmp work with musl. +# Revisit this if/when Dropbear implements ttyslot() or an independent utmp direct write. +comment "* note: utmp is unavailable with musl libc" + depends on USE_MUSL config DROPBEAR_UTMP - bool "Utmp support" - depends on BUSYBOX_CONFIG_FEATURE_UTMP + bool "Write utmp" + depends on !USE_MUSL help - This enables dropbear utmp support, the file /var/run/utmp is - used to track who is currently logged in. + /var/run/utmp is a record of currently logged-in users. + To view logged-in users, use "w", "who" or "users" commands. -config DROPBEAR_PUTUTLINE - bool "Pututline support" + If enabled, Dropbear will keep it updated with users that log in via SSH. + If disabled, SSH logins will not be recorded. + + Warning: The utmp record is considered a security and privacy risk by some. + + Default: disabled. + +config DROPBEAR_UTMP_PATH + string "utmp path:" + default "/var/run/utmp" depends on DROPBEAR_UTMP help - Dropbear will use pututline() to write the utmp structure into - the utmp file. + Default: /var/run/utmp -config DROPBEAR_DBCLIENT - bool "Build dropbear with dbclient" - default y - -config DROPBEAR_ASKPASS - bool "Enable askpass helper support" - depends on DROPBEAR_DBCLIENT +# musl pututline() and related functions are all stubs. +config DROPBEAR_PUTUTLINE + bool "Use pututline() to write to utmp" + default y if !DROPBEAR_LOGINFUNC + depends on !USE_MUSL && !DROPBEAR_LOGINFUNC && DROPBEAR_UTMP help - This enables support for ssh-askpass helper in dropbear client - in order to authenticate on remote hosts. + If enabled, Dropbear will use pututline() to write into the utmp file. + If disabled, Dropbear will write to utmp file directly. - Increases binary size by about 0.1 kB (MIPS). + Consider using login() and logout() functions via DROPBEAR_LOGINFUNC option if available. -config DROPBEAR_DBCLIENT_AGENTFORWARD - bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]" - default y - depends on DROPBEAR_DBCLIENT + Default: enabled if DROPBEAR_UTMP is enabled. + +# musl doesn't have login() and logout() +config DROPBEAR_LOGINFUNC + bool "Use login() and logout() functions" + depends on !USE_MUSL + select DROPBEAR_UTMP + select DROPBEAR_WTMP help - Increases binary size by about 0.1 kB (MIPS). + If enabled, Dropbear will use login() and logout() functions to record logins in utmp and wtmp files. + If disabled, see DROPBEAR_UTMP and DROPBEAR_WTMP options. - Security notes: + Default: disabled. - SSH agent forwarding might cause security issues (locally and - on the jump machine). +## - Hovewer, it's enabled by default for compatibility with - previous OpenWrt/dropbear releases. +## +comment "Features" - Consider DISABLING this option if you're building own OpenWrt - image. +config DROPBEAR_REEXEC + bool "ASLR for each connection" + default y if !LOW_MEMORY_FOOTPRINT + help + Dropbear will re-execute itself for each incoming connection + so that memory layout may be re-randomised (ASLR). + Exploiting Dropbear vulnerabilities becomes harder + but uses slightly more memory per connection. - Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear - server itself). + Default: enabled, except devices with very low memory. + +config DROPBEAR_ZLIB + bool "Compression" + select PACKAGE_zlib + help + Enable support for compression using shared zlib library. + + Compression slows down transfer speed, especially on low-power CPUs + found in routers, but may increase speed over slow network links + if the CPU is fast enough to handle both compression and encryption + at network speed. + + Default: disabled. + +config DROPBEAR_DELAY_HOSTKEY + bool "Auto-generate host keys (-R)" + default y + help + Add command line argument "-R" to generate hostkeys as-needed + when the first connection using that key type occurs. + + This avoids the need to otherwise run "dropbearkey" and avoids + some problems with badly seeded /dev/urandom when systems first boot. + + Default: enabled. + +config DROPBEAR_SVR_AGENTFWD + bool "Authentication agent forwarding [SECURITY]" + default y + help + Enables support for authentication agent forwarding. + + Server only: see DROPBEAR_CLI_AGENTFWD for client. + + This allows the use of local client keys to run a second ssh client to connect from the server to another server, without the need to install the keys on the fist server too. + + Common example: ssh to a server and use git on that server to push to github using local ssh keys, not the keys installed on the server. + + Default: enabled. + + SECURITY NOTES: + + SSH agent forwarding might cause security issues (locally and on the server). + + Hovewer, it's enabled by default for compatibility with previous OpenWrt/Dropbear releases. + +config DROPBEAR_SVR_REMOTETCPFWD + bool "Remote port forwarding: server -> client" + default y + help + Support remote port forwarding. + + Server listens and forwards connections to client. + Server only; see DROPBEAR_CLI_REMOTETCPFWD for client. + + Default: enabled. + +config DROPBEAR_SVR_LOCALTCPFWD + bool "Local port forwarding: client -> server" + default y + help + Support local port forwarding. + + Client listens and forwards connections to server. + Server only; see DROPBEAR_CLI_LOCALTCPFWD for client. + + Default: enabled. + +config DROPBEAR_SVR_LOCALSTREAMFWD + bool "Local port forwarding: client TCP socket -> server unix socket" + default y + help + Support local port forwarding to unix sockets. + + Client listens and forwards connections to unix socket on server side. + Server only. + + Default: enabled. + +config DROPBEAR_X11FWD + bool "X11 forwarding" + help + Supports X11 forwarding. + + OpenWrt doesn't have any Xorg programs by default. + Server only. + + Default: disabled. config DROPBEAR_SCP - bool "Build dropbear with scp" - default y - -config DROPBEAR_AGENTFORWARD - bool "Enable agent forwarding [LEGACY/SECURITY]" + bool "SCP file transfer program" default y help - Increases binary size by about 0.1 kB (MIPS). + Include the SCP file transfer program. - Security notes: + Default: enabled. - SSH agent forwarding might cause security issues (locally and - on the jump machine). - - Hovewer, it's enabled by default for compatibility with - previous OpenWrt/dropbear releases. - - Consider DISABLING this option if you're building own OpenWrt - image. - - Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in - dropbear client) if DROPBEAR_DBCLIENT is selected. - -config DROPBEAR_MODERN_ONLY - bool "Use modern crypto only [BREAKS COMPATIBILITY]" - select DROPBEAR_ED25519 - select DROPBEAR_CURVE25519 - select DROPBEAR_CHACHA20POLY1305 +config DROPBEAR_SFTPSERVER + bool "Support external SFTP server" + default y if !SMALL_FLASH help - This option enables: - - Chacha20-Poly1305 - - Curve25519 - - Ed25519 - and disables: - - AES - - RSA + Enable running a SFTP server (such as the one included with OpenSSH). + The SFTP server program is not provided by Dropbear itself. + SFTP server must be installed as /usr/libexec/sftp-server - Reduces binary size by about 64 kB (MIPS) from default - configuration. + Default: enabled, except devices with very small flash. - Consider enabling this option if you're building own OpenWrt - image and using modern SSH software everywhere. +## + +## +menuconfig DROPBEAR_DBCLIENT + bool "dbclient (Dropbear SSH client)" + default y + help + Build dbclient, the Dropbear SSH client. + + Default: enabled. + + if DROPBEAR_DBCLIENT + + config DROPBEAR_USER_ALGO_LIST + bool "Let user choose ciphers and MACs" + default y + help + Adds dbclient "-c" and "-m" command line options. + + Allows using "-c " and/or "-m " + to choose preferred ciphers and MACs. + + Run "dbclient -c help" to list supported ciphers + and "dbclient -m help" to list supported MACs. + + Default: enabled. + + config DROPBEAR_USE_SSH_CONFIG + bool "Use ssh_config" + help + Whether to use some options from ~/.ssh/dropbear_config. + + Supported top-most option is "Host" (no "Match" support is present). + + Supported options for "Host" are: + * Hostname + * Port + * User + * IdentityFile + + These options are well-documented in ssh_config(5) man page. + + Default: disabled. + + config DROPBEAR_CLI_IMMEDIATE_AUTH + bool "Send auth request immediately [COMPATIBILITY]" + help + Save a network roundtrip by sending a real auth request + immediately after sending a query for the available methods. + + This is not yet enabled by default since it could + cause problems with non-compliant servers. + + Default: disabled. + + config DROPBEAR_USE_PASSWORD_ENV + bool "Use env password" + default y + help + Allow specifying the password for dbclient via the DROPBEAR_PASSWORD environment variable. + + Default: enabled. + + config DROPBEAR_CLI_ASKPASS_HELPER + bool "Support askpass helper" + help + Allow the use of a helper program for the ssh client. + + The helper program should be specified in the SSH_ASKPASS environment variable, + and dbclient should be run with DISPLAY set and no tty. + The program should return the password on standard output. + + Default: disabled. + + config DROPBEAR_CLI_AGENTFWD + bool "Authentication agent forwarding [SECURITY]" + default y + help + Enables support for authentication agent forwarding. + + Client only: see DROPBEAR_SVR_AGENTFWD for server. + + This allows the use of local client keys to run a second ssh client + to connect from the server to another server, without the need to install + the keys on the first server too. + + Common example: ssh to a server and use git on that server to push to + github using local ssh keys, not the keys installed on the server. + + Default: enabled. + + SECURITY NOTES: + + SSH agent forwarding might cause security issues (locally and on the server). + + Hovewer, it's enabled by default for compatibility with previous OpenWrt/Dropbear releases. + + config DROPBEAR_CLI_LOCALTCPFWD + bool "Local port forwarding (-L)" + default y + help + Support local port forwarding. + + Client listens and forwards connections to server. + + Client only; see DROPBEAR_SVR_LOCALTCPFWD for server. + + Default: enabled. + + config DROPBEAR_CLI_REMOTETCPFWD + bool "Remote port forwarding (-R)" + default y + help + Support remote port forwarding. + + Server listens and forwards connections to client. + + Client only; see DROPBEAR_SRV_REMOTETCPFWD for server. + + Default: enabled. + + config DROPBEAR_CLI_PROXYCMD + bool "Proxy command (-J)" + default y + help + Support "-J " to run the connection through a pipe + to a program rather the normal TCP connection. + + Default: enabled. + + config DROPBEAR_CLI_NETCAT + bool "Netcat-alike forwarding (-B)" + help + Support "-B " Netcat-alike forwarding. + + Default: disabled. + + comment "Multi-hop support is unavailable: enable both DROPBEAR_CLI_NETCAT and DROPBEAR_CLI_PROXYCMD" + depends on !DROPBEAR_CLI_NETCAT || !DROPBEAR_CLI_PROXYCMD + + config DROPBEAR_CLI_MULTIHOP + bool "Multi-hop support" + default y + depends on DROPBEAR_CLI_NETCAT && DROPBEAR_CLI_PROXYCMD + help + Support "[user@]host[/port][,[user@]host/port],...]" connections. + + This option is required to support multi-hop connections in Dropbear client as well as DROPBEAR_CLI_PROXYCMD. + + Default: enabled. + + endif +## + +## +menu "Resource limits" + + config DROPBEAR_KEX_REKEY_TIMEOUT + int "Rekey limit (seconds)" + range 600 604800 + default 28800 + help + Specifies the maximum amount of time before the session key is renegotiated. + + Note: it's not possible to configure this value in run-time. + + Possible values: 600 (10 minutes) to 604800 (7 days) + Default: 28800 (8 hours) + + config DROPBEAR_KEX_REKEY_DATA + int "Rekey limit (bytes)" + range 65536 2147418112 + default 1073741824 + help + Specifies the maximum amount of data that may be transmitted or received + before the session key is renegotiated. + + Note: it's not possible to configure this value in run-time. + + Possible values: 65536 (64 KiB) to 2147418112 (2 GiB - 64 KiB) + Default: 1073741824 (1 GiB) + + config DROPBEAR_AUTH_TIMEOUT + int "Unauthenticated timeout (seconds)" + range 30 3600 + default 300 + help + Close connections to clients which haven't authenticated after specified timeout. + + Note: it's not possible to configure this value in run-time. + + Possible values: 30 to 3600 (1 hour) + Default: 300 (5 minutes) + + config DROPBEAR_MAX_AUTH_TRIES + int "Max. failed authentications" + range 1 80 + default 10 + help + Default maximum number of failed authentication tries (server option). + + This can be changed at run-time with the -T argument. + + Possible values: 1 to 80 (from src/sysoptions.h) + Default: 10 + + config DROPBEAR_UNAUTH_CLOSE_DELAY + int "Delay closing unauth. connections (seconds)" + range 0 3600 + default 0 + help + Delay introduced before closing an unauthenticated session. + Can be set to, say 30 seconds, to reduce the speed of password brute forcing. + + There is a risk of denial of service by setting this. + + Note: it's not possible to configure this value in run-time. + + Possible values: 0 to 3600 (1 hour) + Default: 0 (disabled) + + config DROPBEAR_MAX_UNAUTH_PER_IP + int "Max. unauthenticated connections per IP" + range 1 1024 + default 5 + help + Specify the number of clients allowed to be connected but not yet authenticated. + After this limit, connections are rejected. + This setting is per IP, to prevent DoS attacks. + + Note: it's not possible to configure this value in run-time. + + Possible values: 1 to 1024 + Default: 5 + + config DROPBEAR_MAX_UNAUTH_CLIENTS + int "Max. unauthenticated connections (total)" + range 1 1024 + default 30 + help + Specify the number of clients allowed to be connected but not yet authenticated. + After this limit, connections are rejected. + This setting is the global number, to prevent memory exhaustion + when attacks come from different IPs. + + Note: it's not possible to configure this value in run-time. + + Possible values: 1 to 1024 + Default: 30 + + config DROPBEAR_DEFAULT_RECV_WINDOW + int "Default TCP receive window size (bytes)" + range 256 10485760 + default 32768 if LOW_MEMORY_FOOTPRINT + default 262144 + help + TCP connections require acknowledgement of received data. + Window size is the maximum number of bytes that can be sent + on a connection before having to wait for an ACK packet. + This amount of memory is allocated as a per-connection receive buffer. + Increasing this value can make a significant difference to network performance + when SSH is used for large data transfers (SCP, SFTP, tunnels) + and the CPU can handle the encryption at network speed. + + This can be changed at run-time with the -W argument. + + Possible values: 256 to 10485760 (10MiB, from src/sysoptions.h) + Default: 32768 (32 KiB) for devices with very low memory + and 262144 (256 KiB) otherwise. + + config DROPBEAR_DEFAULT_KEEPALIVE + int "Default KeepAlive interval (seconds)" + range 0 604800 + default 0 + help + Ensure that data is transmitted every KeepAlive seconds. + Applies to both server and client. + + This can be changed at run-time with the -K argument. + + Possible values: 0 to 604800 (7 days) + Default: 0 (disabled) + + config DROPBEAR_DEFAULT_KEEPALIVE_LIMIT + int "Default KeepAlive limit" + range 1 30 + default 3 + help + If this many KEEPALIVES are sent with no packets received from the other side, disconnect. + Applies to both server and client. + + Note: it's not possible to configure this value in run-time. + + Possible values: 1 to 30 + Default: 3 + + config DROPBEAR_DEFAULT_IDLE_TIMEOUT + int "Default idle timeout (seconds)" + range 0 604800 + default 0 + help + If no traffic is sent/received in IDLE_TIMEOUT seconds, disconnect. + Applies to both server and client. + + Note: values below 30 seconds are not recommended. + + This can be changed at run-time with the -I argument. + + Possible values: 0 to 604800 (7 days) + Default: 0 (disabled). endmenu +## + +## +menu "Encryption options" + + comment "Symmetric-key ciphers:" + + config DROPBEAR_3DES + bool "3DES [WEAK]" + depends on DROPBEAR_LEGACY_COMPAT + help + This enables the following authenticated encryption cipher: + * 3des-ctr - CTR mode + * 3des-cbc - CBC mode + + Some very old SSH implementations might only support 3DES. + Keeping this cipher enables a downgrade attack on the connection, if the client allows it. + + Default: disabled. + + config DROPBEAR_AES128 + bool "AES128" + default y + help + This enables the following authenticated encryption cipher: + * aes128-gcm@openssh.com - GCM mode + * aes128-ctr - CTR mode + * aes128-cbc - CBC mode + + Enables AES with 128 bit key size. + AES is very secure, but slow. It is preferred on systems with AES hardware acceleration. + + Including both AES keysize variants (128 and 256) will result in a minimal size increase. + + Default: enabled. + + config DROPBEAR_AES256 + bool "AES256" + default y + help + This enables the following authenticated encryption cipher: + * aes256-gcm@openssh.com - GCM mode + * aes256-ctr - CTR mode + * aes256-cbc - CBC mode + + Enables AES with 256 bit key size. + AES is very secure, but slow. It is preferred on systems with AES hardware acceleration. + + Including both AES keysize variants (128 and 256) will result in a minimal size increase. + + Default: enabled. + + config DROPBEAR_CHACHA20POLY1305 + bool "ChaCha20-Poly1305" + default y + help + This enables the following authenticated encryption cipher: + * chacha20-poly1305@openssh.com + + ChaCha20 is a symmetric-key stream cipher. + Poli1305 is hash function used for authentication. + ChaCha20-Poly1305 provides both encryption and authentication + without any additional cipher modes or MACs. + + These algorithms are generally faster than AES on CPUs without dedicated AES instructions. + + Default: enabled. + + comment "WARNING! At least one cipher must be selected." + depends on !DROPBEAR_3DES && !DROPBEAR_AES128 && !DROPBEAR_AES256 && !DROPBEAR_CHACHA20POLY1305 + + ## + if DROPBEAR_3DES || DROPBEAR_AES128 || DROPBEAR_AES256 + + comment "Cipher modes:" + + config DROPBEAR_ENABLE_CTR_MODE + bool "CTR, Counter mode" + default y + help + This enables the following authenticated encryption cipher: + * 3des-ctr - 3DES + * aes128-ctr - AES128 + * aes256-ctr - AES256 + + Default: enabled. + + config DROPBEAR_ENABLE_CBC_MODE + bool "CBC, Cipher Block Chaining mode [WEAK]" + help + This enables the following authenticated encryption cipher: + * 3des-cbc - 3DES + * aes128-cbc - AES128 + * aes256-cbc - AES256 + + This mode is susceptible to ciphertext stealing and padding attacks. + + Default: disabled. + + config DROPBEAR_ENABLE_GCM_MODE + bool "GCM, Galois-Counter mode [WEAK]" + help + This enables the following authenticated encryption cipher: + * aes128-gcm@openssh.com - AES128 + * aes256-gcm@openssh.com - AES256 + + The authentication part of the GCM can be attacked by ciphertext forgery. + + Default: disabled. + + comment "WARNING! Block ciphers require at least one cipher mode to be selected." + depends on !DROPBEAR_ENABLE_CTR_MODE && !DROPBEAR_ENABLE_CBC_MODE && !DROPBEAR_ENABLE_GCM_MODE + + endif + ## + + ## + if DROPBEAR_3DES || DROPBEAR_AES128 || DROPBEAR_AES256 + + comment "Message authentication codes (MAC):" + + config DROPBEAR_SHA1_96_HMAC + bool "SHA1-96-HMAC [WEAK]" + depends on DROPBEAR_LEGACY_COMPAT + help + This enables the following message authentication code: + * hmac-sha1-96 + + Enables SHA1 with hash length truncated to 96 bit. + Very old implementations may need it. + + Default: disabled. + + config DROPBEAR_SHA1_HMAC + bool "SHA1-HMAC [WEAK]" + depends on DROPBEAR_LEGACY_COMPAT + help + This enables the following message authentication code: + * hmac-sha1 + + SHA1 generates 160 bit hashes. They are considered weak when used for signing (sha1-rsa keys). + Very old implementations may need it. + + Default: disabled. + + config DROPBEAR_SHA2_256_HMAC + bool "SHA256-HMAC" + default y + help + This enables the following message authentication code: + * hmac-sha2-256 + + SHA2 with 256 bit hash length. + + Default: enabled. + + config DROPBEAR_SHA2_512_HMAC + bool "SHA512-HMAC" + help + This enables the following message authentication code: + * hmac-sha2-512 + + SHA2 with 512 bit hash length is slower than SHA256 with little added benefits, + as SHA256 is sufficiently strong. + + Default: disabled. + + comment "WARNING! Ciphers without authentication require at least one MAC to be enabled." + depends on !DROPBEAR_SHA1_96_HMAC && !DROPBEAR_SHA1_HMAC && !DROPBEAR_SHA2_256_HMAC && !DROPBEAR_SHA2_512_HMAC + + endif + ## + + comment "Asymmetric-key ciphers:" + + config DROPBEAR_DSS + bool "DSS [WEAK]" + depends on DROPBEAR_LEGACY_COMPAT + help + This enables the following public key algorithm: + * ssh-dss + + DSS uses 1024 bit private keys (too small) and SHA1 signing (weak). + + Default: disabled. + + config DROPBEAR_RSA_SHA1 + bool "RSA-SHA1 [WEAK]" + default y + depends on DROPBEAR_LEGACY_COMPAT + help + This enables the following public key algorithm: + * ssh-rsa + + SHA1 support is required to communicate with some older implementations. + It will be removed in future due to SHA1 insecurity. + + Default: disabled. + + config DROPBEAR_RSA + bool "RSA-SHA256" + default y + help + This enables the following public key algorithm: + * rsa-sha2-256 + + RSA-SHA256 uses SHA2 256 bit hashes for authentication. + + Default: enabled. + + config DROPBEAR_DEFAULT_RSA_SIZE + int "Default RSA key size" + range 1024 8192 + default 2048 + depends on DROPBEAR_RSA_SHA1 || DROPBEAR_RSA + help + Sets the default RSA key size, for example, when auto-generating server keys. + + Possible values: 1024, 2048, 4096, 8192. + Default: 2048. + + config DROPBEAR_ECDSA + bool "ECDSA" + help + This enables the following public key algorithm: + * ecdsa-sha2-nistp256 - 256-bit elliptic curve + * ecdsa-sha2-nistp384 - 384-bit elliptic curve + * ecdsa-sha2-nistp521 - 521-bit elliptic curve + + Along with FIDO/U2F also enables the following public key algorithm: + * sk-ecdsa-sha2-nistp256@openssh.com - 256-bit elliptic curve + + ECDSA significantly faster than RSA or DSS, but slower than Ed25519. + + Default: disabled. + + config DROPBEAR_ED25519 + bool "Ed25519" + default y if !SMALL_FLASH + help + This enables the following public key algorithm: + * ssh-ed25519 + + Along with FIDO/U2F also enables the following public key algorithm: + * sk-ssh-ed25519@openssh.com + + Ed25519 uses Curve25519 and SHA512 and is faster than RSA and ECDSA. + + Default: enabled, except devices with very small flash. + + comment "WARNING! At least one asymmetric-key algorithm must be enabled." + depends on !DROPBEAR_DSS && !DROPBEAR_RSA && !DROPBEAR_ECDSA && !DROPBEAR_ED25519 + + ## + comment "Key exchange algorithms" + + config DROPBEAR_DH_GROUP1 + bool "DH group1: SHA1, 1024 bit [WEAK]" + depends on DROPBEAR_LEGACY_COMPAT + help + This enables the following key exchange algorithm: + * diffie-hellman-group1-sha1 + + Diffie-Hellman group1 is too small for security, though is necessary for + compatibility with some very old implementations such as Dropbear < v0.53. + + Default: disabled. + + config DROPBEAR_DH_GROUP1_CLIENTONLY + bool "DH group1 only for Dropbear client" + default y + depends on DROPBEAR_DBCLIENT && DROPBEAR_DH_GROUP1 + help + When enabled, Diffie-Hellman group1 will only be allowed by Dropbear client, + not by the server, due to concerns over its strength. + If disabled, DH group1 is allowed by Dropbear server too. + + Default: enabled. + + config DROPBEAR_DH_GROUP14_SHA1 + bool "DH group14: SHA1, 2048 bit [WEAK]" + depends on DROPBEAR_LEGACY_COMPAT + help + This enables the following key exchange algorithm: + * diffie-hellman-group14-sha1 + + Diffie-Hellman group14 is supported by most implementations. + This variant uses weaker SHA1 hashes. + + Default: disabled. + + config DROPBEAR_DH_GROUP14_SHA256 + bool "DH group14: SHA2-256, 2048 bit" + default y + help + This enables the following key exchange algorithm: + * diffie-hellman-group14-sha256 + + Diffie-Hellman group14 is supported by most implementations. + + Default: enabled. + + config DROPBEAR_DH_GROUP16 + bool "DH group16: SHA2-512, 4096 bit" + help + This enables the following key exchange algorithm: + * diffie-hellman-group16-sha512 + + Diffie-Hellman group16 provides a greater strength level + but it is slower and increases binary size. + + Default: disabled. + + config DROPBEAR_ECDH + bool "ECDH" + help + This enables the following key exchange algorithm: + * ecdh-sha2-nistp256 - 256-bit elliptic curve + * ecdh-sha2-nistp384 - 384-bit elliptic curve + * ecdh-sha2-nistp521 - 521-bit elliptic curve + + ECDH is faster than non-elliptic-curve methods. + + Default: disabled. + + config DROPBEAR_CURVE25519 + bool "Curve25519" + default y + help + This enables the following key exchange algorithm: + * curve25519-sha256 + + Curve25519 is faster than non-elliptic-curve methods. + + Default: enabled. + + config DROPBEAR_MLKEM768 + bool "mlkem768 [POST-QUANTUM]" + help + This enables the following key exchange algorithm: + * mlkem768x25519-sha256 + + Post-quantum KEM can avoid harvest-now-decrypt-later style attacks. + + Default: enabled, except devices with very small flash. + + config DROPBEAR_SNTRUP761 + bool "sntrup761 [POST-QUANTUM]" + default y if !SMALL_FLASH + help + This enables the following key exchange algorithm: + * sntrup761x25519-sha512 + + Post-quantum KEM can avoid harvest-now-decrypt-later style attacks. + + Default: enabled, except devices with very small flash. + + comment "WARNING! At least one key exchange algorithm must be enabled." + depends on !DROPBEAR_DH_GROUP1 && !DROPBEAR_DH_GROUP14_SHA1 && ! DROPBEAR_DH_GROUP14_SHA256 && !DROPBEAR_DH_GROUP16 && !DROPBEAR_ECDH && !DROPBEAR_CURVE25519 && !DROPBEAR_MLKEM768 && !DROPBEAR_SNTRUP761 + ## + + ## + if DROPBEAR_ECDH || DROPBEAR_ECDSA + + comment "Elliptic curves:" + + config DROPBEAR_ECC_256 + bool "256-bit curve" + default y + help + This enables the following key exchange algorithm: + * ecdh-sha2-nistp256 + + This enables the following public key algorithm: + * ecdsa-sha2-nistp256 + + Along with FIDO/U2F also enables the following public key algorithm: + * sk-ecdsa-sha2-nistp256@openssh.com + + Default: enabled. + + config DROPBEAR_ECC_384 + bool "384-bit curve" + help + This enables the following key exchange algorithm: + * ecdh-sha2-nistp384 + + This enables the following public key algorithm: + * ecdsa-sha2-nistp384 + + Default: disabled. + + config DROPBEAR_ECC_521 + bool "521-bit curve" + help + This enables the following key exchange algorithm: + * ecdh-sha2-nistp521 + + This enables the following public key algorithm: + * ecdsa-sha2-nistp521 + + Default: disabled. + + comment "WARNING! At least one elliptic curve must be enabled." + depends on !DROPBEAR_ECC_256 && !DROPBEAR_ECC_384 && !DROPBEAR_ECC_521 + + endif + ## + + ## + comment "FIDO/U2F security keys are not supported - enable DROPBEAR_ECDSA and/or DROPBEAR_ED25519" + depends on !DROPBEAR_ECDSA && !DROPBEAR_ED25519 + + config DROPBEAR_SK_KEYS + bool "FIDO/U2F security keys" + default y if !SMALL_FLASH + depends on DROPBEAR_ECDSA || DROPBEAR_ED25519 + help + Allows Dropbear server to validate U2F security keys. + The corresponding DROPBEAR_SK_ECDSA and/or DROPBEAR_SK_ED25519 also needs to be set. + + Dropbear client does not support U2F. + + Default: enabled, except devices with very small flash. + + if DROPBEAR_SK_KEYS + + comment "FIDO/U2F with ECDSA is not supported - enable DROPBEAR_ECC_256" + depends on DROPBEAR_ECDSA && !DROPBEAR_ECC_256 + + config DROPBEAR_SK_ECDSA + bool "FIDO/U2F with ECDSA" + default y + depends on DROPBEAR_ECDSA && DROPBEAR_ECC_256 + help + This enables the following public key algorithm: + * sk-ecdsa-sha2-nistp256@openssh.com + + Default: enabled. + + config DROPBEAR_SK_ED25519 + bool "FIDO/U2F with Ed25519" + default y + depends on DROPBEAR_ED25519 + help + This enables the following public key algorithm: + * sk-ssh-ed25519@openssh.com + + Default: enabled. + + comment "WARNING! At least one U2F algorithm must be enabled." + depends on !DROPBEAR_SK_ECDSA && !DROPBEAR_SK_ED25519 + + endif + ## + +endmenu +## + +## TODO: following options should be removed in 2027 + +## +config DROPBEAR_ECC + bool + imply DROPBEAR_ECDH + imply DROPBEAR_ECDSA + imply DROPBEAR_ECC_256 + +config DROPBEAR_ECC_FULL + bool + imply DROPBEAR_ECDH + imply DROPBEAR_ECDSA + imply DROPBEAR_ECC_256 + imply DROPBEAR_ECC_384 + imply DROPBEAR_ECC_521 + +config DROPBEAR_ECDSA_SK + bool + imply DROPBEAR_SK_KEYS + imply DROPBEAR_SK_ECDSA + imply DROPBEAR_ECC_256 + +config DROPBEAR_ED25519_SK + bool + imply DROPBEAR_SK_KEYS + imply DROPBEAR_SK_ED25519 + +config DROPBEAR_ASKPASS + bool + depends on DROPBEAR_DBCLIENT + imply DROPBEAR_CLI_ASKPASS_HELPER + +config DROPBEAR_DBCLIENT_AGENTFORWARD + bool + depends on DROPBEAR_DBCLIENT + imply DROPBEAR_CLI_AGENTFWD + +config DROPBEAR_AGENTFORWARD + bool + imply DROPBEAR_SVR_AGENTFWD + +## it's not possible to negate selection via Kconfig [at least] of following options: +## - DROPBEAR_AES128 +## - DROPBEAR_AES256 +## - DROPBEAR_ENABLE_CTR_MODE +## - DROPBEAR_RSA +## - DROPBEAR_RSA_SHA1 +config DROPBEAR_MODERN_ONLY + bool + imply DROPBEAR_ED25519 + imply DROPBEAR_CURVE25519 + imply DROPBEAR_CHACHA20POLY1305 + +## + +endif # PACKAGE_dropbear diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index a3bb3117127..5bedcc171d5 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -28,14 +28,19 @@ PKG_FIXUP:=autoreconf PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ - CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ - CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ - CONFIG_DROPBEAR_U2F CONFIG_DROPBEAR_ECDSA_SK CONFIG_DROPBEAR_ED25519_SK \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \ - CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \ - CONFIG_DROPBEAR_MODERN_ONLY + CONFIG_DROPBEAR_STATIC_BUILD CONFIG_DROPBEAR_LEGACY_COMPAT CONFIG_DROPBEAR_SMALL_CODE CONFIG_DROPBEAR_DEBUG_TRACE CONFIG_DROPBEAR_LOG_COMMANDS CONFIG_DROPBEAR_INETD_MODE \ + CONFIG_DROPBEAR_DO_HOST_LOOKUP CONFIG_DROPBEAR_SVR_PUBKEY_OPTIONS CONFIG_DROPBEAR_LASTLOG CONFIG_DROPBEAR_LASTLOG_PATH CONFIG_DROPBEAR_WTMP CONFIG_DROPBEAR_WTMP_PATH CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_UTMP_PATH CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_LOGINFUNC \ + CONFIG_DROPBEAR_REEXEC CONFIG_DROPBEAR_ZLIB CONFIG_DROPBEAR_DELAY_HOSTKEY CONFIG_DROPBEAR_SVR_AGENTFWD CONFIG_DROPBEAR_SVR_REMOTETCPFWD CONFIG_DROPBEAR_SVR_LOCALTCPFWD CONFIG_DROPBEAR_SVR_LOCALSTREAMFWD CONFIG_DROPBEAR_X11FWD CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_SFTPSERVER \ + CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_USER_ALGO_LIST CONFIG_DROPBEAR_USE_SSH_CONFIG CONFIG_DROPBEAR_CLI_IMMEDIATE_AUTH CONFIG_DROPBEAR_USE_PASSWORD_ENV CONFIG_DROPBEAR_CLI_ASKPASS_HELPER CONFIG_DROPBEAR_CLI_AGENTFWD CONFIG_DROPBEAR_CLI_LOCALTCPFWD CONFIG_DROPBEAR_CLI_REMOTETCPFWD CONFIG_DROPBEAR_CLI_PROXYCMD CONFIG_DROPBEAR_CLI_NETCAT CONFIG_DROPBEAR_CLI_MULTIHOP \ + CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT CONFIG_DROPBEAR_KEX_REKEY_DATA CONFIG_DROPBEAR_AUTH_TIMEOUT CONFIG_DROPBEAR_MAX_AUTH_TRIES CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW CONFIG_DROPBEAR_DEFAULT_KEEPALIVE CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT \ + CONFIG_DROPBEAR_3DES CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 CONFIG_DROPBEAR_CHACHA20POLY1305 \ + CONFIG_DROPBEAR_ENABLE_CTR_MODE CONFIG_DROPBEAR_ENABLE_CBC_MODE CONFIG_DROPBEAR_ENABLE_GCM_MODE \ + CONFIG_DROPBEAR_SHA1_96_HMAC CONFIG_DROPBEAR_SHA1_HMAC CONFIG_DROPBEAR_SHA2_256_HMAC CONFIG_DROPBEAR_SHA2_512_HMAC \ + CONFIG_DROPBEAR_DSS CONFIG_DROPBEAR_RSA_SHA1 CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_DEFAULT_RSA_SIZE CONFIG_DROPBEAR_ECDSA CONFIG_DROPBEAR_ED25519 \ + CONFIG_DROPBEAR_DH_GROUP1 CONFIG_DROPBEAR_DH_GROUP1_CLIENTONLY CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 CONFIG_DROPBEAR_DH_GROUP16 CONFIG_DROPBEAR_ECDH CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_MLKEM768 CONFIG_DROPBEAR_SNTRUP761 \ + CONFIG_DROPBEAR_ECC_256 CONFIG_DROPBEAR_ECC_384 CONFIG_DROPBEAR_ECC_521 \ + CONFIG_DROPBEAR_SK_KEYS CONFIG_DROPBEAR_SK_ECDSA CONFIG_DROPBEAR_SK_ED25519 \ + include $(INCLUDE_DIR)/package.mk @@ -56,6 +61,7 @@ define Package/dropbear SECTION:=net CATEGORY:=Base system TITLE:=Small SSH2 client/server + MENU:=1 DEPENDS:= +DROPBEAR_ZLIB:zlib ALTERNATIVES:=100:/usr/bin/ssh-keygen:/usr/sbin/dropbear $(if $(CONFIG_DROPBEAR_SCP),ALTERNATIVES+= \ @@ -87,16 +93,15 @@ endef CONFIGURE_ARGS += \ --disable-pam \ - --enable-openpty \ - --enable-syslog \ - --disable-lastlog \ - --disable-utmpx \ - $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \ - --disable-wtmp \ - --disable-wtmpx \ - --disable-loginfunc \ - $(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \ --disable-pututxline \ + --disable-utmpx \ + --disable-wtmpx \ + $(if $(CONFIG_DROPBEAR_LASTLOG),,--disable-lastlog) \ + $(if $(CONFIG_DROPBEAR_LOGINFUNC),,--disable-loginfunc) \ + $(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \ + $(if $(CONFIG_DROPBEAR_STATIC_BUILD),--enable-static,--disable-static) \ + $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \ + $(if $(CONFIG_DROPBEAR_WTMP),,--disable-wtmp) \ $(if $(CONFIG_DROPBEAR_ZLIB),,--disable-zlib) \ --enable-bundled-libtom @@ -109,24 +114,33 @@ CONFIGURE_ARGS += \ # adjust allowed shell list (if getusershell(3) is missing): # - COMPAT_USER_SHELLS -# remove protocol idented software version number: -# - LOCAL_IDENT -# disable legacy/unsafe methods and unused functionality: -# - DROPBEAR_CLI_NETCAT -# - DROPBEAR_DSS +# remove version number from protocol ident: +# - IDENT_VERSION_PART +# disable unused functionality: # - DO_MOTD -# - DROPBEAR_DH_GROUP14_SHA1 -# - DROPBEAR_SHA1_HMAC + DB_OPT_COMMON = \ - !!LOCAL_IDENT,"SSH-2.0-dropbear" \ + IDENT_VERSION_PART,"" \ COMPAT_USER_SHELLS,"/bin/ash","/bin/sh" \ DEFAULT_PATH,"$(TARGET_INIT_PATH)" \ DEFAULT_ROOT_PATH,"$(TARGET_INIT_PATH)" \ - DROPBEAR_DSS,0 \ - DROPBEAR_CLI_NETCAT,0 \ DO_MOTD,0 \ - DROPBEAR_DH_GROUP14_SHA1,0 \ - DROPBEAR_SHA1_HMAC,0 \ + AUTH_TIMEOUT,$(CONFIG_DROPBEAR_AUTH_TIMEOUT) \ + DEBUG_TRACE,$(CONFIG_DROPBEAR_DEBUG_TRACE) \ + DEFAULT_IDLE_TIMEOUT,$(CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT) \ + DEFAULT_KEEPALIVE_LIMIT,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT) \ + DEFAULT_KEEPALIVE,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE) \ + DEFAULT_RECV_WINDOW,$(CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW) \ + KEX_REKEY_DATA,$(CONFIG_DROPBEAR_KEX_REKEY_DATA) \ + KEX_REKEY_TIMEOUT,$(CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT) \ + MAX_AUTH_TRIES,$(CONFIG_DROPBEAR_MAX_AUTH_TRIES) \ + MAX_UNAUTH_CLIENTS,$(CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS) \ + MAX_UNAUTH_PER_IP,$(CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP) \ + UNAUTH_CLOSE_DELAY,$(CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY) \ + $(if $(CONFIG_DROPBEAR_RSA),DROPBEAR_DEFAULT_RSA_SIZE$(comma)$(CONFIG_DROPBEAR_DEFAULT_RSA_SIZE)) \ + $(if $(CONFIG_DROPBEAR_LASTLOG),LASTLOG_FILE$(comma)$(CONFIG_DROPBEAR_LASTLOG_FILE)) \ + $(if $(CONFIG_DROPBEAR_UTMP),UTMP_FILE$(comma)$(CONFIG_DROPBEAR_UTMP_FILE)) \ + $(if $(CONFIG_DROPBEAR_WTMP),WTMP_FILE$(comma)$(CONFIG_DROPBEAR_WTMP_FILE)) \ ############################################################################## @@ -139,24 +153,61 @@ DB_OPT_COMMON = \ ############################################################################## DB_OPT_CONFIG = \ - !!DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_FULL,1,0 \ - !!DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_FULL,1,0 \ - DROPBEAR_CURVE25519,CONFIG_DROPBEAR_CURVE25519,1,0 \ + !!DROPBEAR_CLI_MULTIHOP,CONFIG_DROPBEAR_CLI_MULTIHOP,1,0 \ + !!DROPBEAR_ECC_256,CONFIG_DROPBEAR_ECC_256,1,0 \ + !!DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_384,1,0 \ + !!DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_521,1,0 \ + DO_HOST_LOOKUP,CONFIG_DROPBEAR_DO_HOST_LOOKUP,1,0 \ + DROPBEAR_3DES,CONFIG_DROPBEAR_3DES,1,0 \ + DROPBEAR_AES128,CONFIG_DROPBEAR_AES128,1,0 \ + DROPBEAR_AES256,CONFIG_DROPBEAR_AES256,1,0 \ DROPBEAR_CHACHA20POLY1305,CONFIG_DROPBEAR_CHACHA20POLY1305,1,0 \ + DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_CLI_AGENTFWD,1,0 \ + DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_CLI_ASKPASS_HELPER,1,0 \ + DROPBEAR_CLI_IMMEDIATE_AUTH,CONFIG_DROPBEAR_CLI_IMMEDIATE_AUTH,1,0 \ + DROPBEAR_CLI_LOCALTCPFWD,CONFIG_DROPBEAR_CLI_LOCALTCPFWD,1,0 \ + DROPBEAR_CLI_NETCAT,CONFIG_DROPBEAR_CLI_NETCAT,1,0 \ + DROPBEAR_CLI_PROXYCMD,CONFIG_DROPBEAR_CLI_PROXYCMD,1,0 \ + DROPBEAR_CLI_REMOTETCPFWD,CONFIG_DROPBEAR_CLI_REMOTETCPFWD,1,0 \ + DROPBEAR_CURVE25519,CONFIG_DROPBEAR_CURVE25519,1,0 \ + DROPBEAR_DELAY_HOSTKEY,CONFIG_DROPBEAR_DELAY_HOSTKEY,1,0 \ + DROPBEAR_DH_GROUP1,CONFIG_DROPBEAR_DH_GROUP1,1,0 \ + DROPBEAR_DH_GROUP1_CLIENTONLY,CONFIG_DROPBEAR_DH_GROUP1_CLIENTONLY,1,0 \ + DROPBEAR_DH_GROUP14_SHA1,CONFIG_DROPBEAR_DH_GROUP14_SHA1,1,0 \ + DROPBEAR_DH_GROUP14_SHA256,CONFIG_DROPBEAR_DH_GROUP14_SHA256,1,0 \ + DROPBEAR_DH_GROUP16,CONFIG_DROPBEAR_DH_GROUP16,1,0 \ + DROPBEAR_DSS,CONFIG_DROPBEAR_DSS,1,0 \ + DROPBEAR_ECDH,CONFIG_DROPBEAR_ECDH,1,0 \ + DROPBEAR_ECDSA,CONFIG_DROPBEAR_ECDSA,1,0 \ DROPBEAR_ED25519,CONFIG_DROPBEAR_ED25519,1,0 \ - DROPBEAR_ECDSA,CONFIG_DROPBEAR_ECC,1,0 \ - DROPBEAR_ECDH,CONFIG_DROPBEAR_ECC,1,0 \ - DROPBEAR_SK_KEYS,CONFIG_DROPBEAR_U2F,1,0 \ - DROPBEAR_SK_ECDSA,CONFIG_DROPBEAR_ECDSA_SK,1,0 \ - DROPBEAR_SK_ED25519,CONFIG_DROPBEAR_ED25519_SK,1,0 \ - DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \ - DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \ - DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \ - DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ - DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ - DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ - DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ - DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ + DROPBEAR_ENABLE_CBC_MODE,CONFIG_DROPBEAR_ENABLE_CBC_MODE,1,0 \ + DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_ENABLE_CTR_MODE,1,0 \ + DROPBEAR_ENABLE_GCM_MODE,CONFIG_DROPBEAR_ENABLE_GCM_MODE,1,0 \ + DROPBEAR_MLKEM768,CONFIG_DROPBEAR_MLKEM768,1,0 \ + DROPBEAR_REEXEC,CONFIG_DROPBEAR_REEXEC,1,0 \ + DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_RSA_SHA1,1,0 \ + DROPBEAR_RSA,CONFIG_DROPBEAR_RSA,1,0 \ + DROPBEAR_SFTPSERVER,CONFIG_DROPBEAR_SFTPSERVER,1,0 \ + DROPBEAR_SHA1_96_HMAC,CONFIG_DROPBEAR_SHA1_96_HMAC,1,0 \ + DROPBEAR_SHA1_HMAC,CONFIG_DROPBEAR_SHA1_HMAC,1,0 \ + DROPBEAR_SHA2_256_HMAC,CONFIG_DROPBEAR_SHA2_256_HMAC,1,0 \ + DROPBEAR_SHA2_512_HMAC,CONFIG_DROPBEAR_SHA2_512_HMAC,1,0 \ + DROPBEAR_SK_ECDSA,CONFIG_DROPBEAR_SK_ECDSA,1,0 \ + DROPBEAR_SK_ED25519,CONFIG_DROPBEAR_SK_ED25519,1,0 \ + DROPBEAR_SK_KEYS,CONFIG_DROPBEAR_SK_KEYS,1,0 \ + DROPBEAR_SMALL_CODE,CONFIG_DROPBEAR_SMALL_CODE,1,0 \ + DROPBEAR_SNTRUP761,CONFIG_DROPBEAR_SNTRUP761,1,0 \ + DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_SVR_AGENTFWD,1,0 \ + DROPBEAR_SVR_LOCALSTREAMFWD,CONFIG_DROPBEAR_SVR_LOCALSTREAMFWD,1,0 \ + DROPBEAR_SVR_LOCALTCPFWD,CONFIG_DROPBEAR_SVR_LOCALTCPFWD,1,0 \ + DROPBEAR_SVR_PUBKEY_OPTIONS,CONFIG_DROPBEAR_SVR_PUBKEY_OPTIONS,1,0 \ + DROPBEAR_SVR_REMOTETCPFWD,CONFIG_DROPBEAR_SVR_REMOTETCPFWD,1,0 \ + DROPBEAR_USE_PASSWORD_ENV,CONFIG_DROPBEAR_USE_PASSWORD_ENV,1,0 \ + DROPBEAR_USE_SSH_CONFIG,CONFIG_DROPBEAR_USE_SSH_CONFIG,1,0 \ + DROPBEAR_USER_ALGO_LIST,CONFIG_DROPBEAR_USER_ALGO_LIST,1,0 \ + DROPBEAR_X11FWD,CONFIG_DROPBEAR_X11FWD,1,0 \ + INETD_MODE,CONFIG_DROPBEAR_INETD_MODE,1,0 \ + LOG_COMMANDS,CONFIG_DROPBEAR_LOG_COMMANDS,1,0 \ TARGET_CFLAGS += -DARGTYPE=3 diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init index 11e89340db3..2f5d9698eba 100755 --- a/package/network/services/dropbear/files/dropbear.init +++ b/package/network/services/dropbear/files/dropbear.init @@ -177,7 +177,7 @@ validate_section_dropbear() 'SSHKeepAlive:uinteger:300' \ 'IdleTimeout:uinteger:0' \ 'MaxAuthTries:uinteger:3' \ - 'RecvWindowSize:uinteger:262144' \ + 'RecvWindowSize:uinteger:0' \ 'mdns:bool:1' }