summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McDermott <patrick.mcdermott@libiquity.com>2019-06-01 17:44:10 (EDT)
committer Patrick McDermott <patrick.mcdermott@libiquity.com>2019-06-01 17:44:10 (EDT)
commitddc7c8fb8a37b64ef5c94c0f873fe48a71512d4a (patch)
tree39d915ad43db8a1b59567982bcaa2c0187841f53
parent22f788e92e1485cc2109dc0ee1567a21a1490e08 (diff)
localoptions.h: New file
-rwxr-xr-xbuild1
-rw-r--r--changelog9
-rw-r--r--localoptions.h24
3 files changed, 34 insertions, 0 deletions
diff --git a/build b/build
index 88c0c26..5260192 100755
--- a/build
+++ b/build
@@ -9,6 +9,7 @@ build:
chmod a+rx src
oh-autoconfigure -- \
--disable-bundled-libtom
+ cp ../localoptions.h src/localoptions.h
oh-autobuild -- \
PROGRAMS='dropbear dbclient dropbearkey scp' \
MULTI=1 \
diff --git a/changelog b/changelog
index 70e1cdf..5beab60 100644
--- a/changelog
+++ b/changelog
@@ -3,6 +3,15 @@ dropbear (2019.78-1) trunk
* New upstream version.
* Update Maintainer field.
* Build against new libtommath.1-dev.
+ * The following weak algorithms (enabled by default upstream) are now
+ disabled:
+ - Triple DES cipher
+ - CBC block cipher mode
+ - SHA-1 message hashing
+ - DSA keys
+ - 1024-bit SHA-1 key exchange
+ * Server password authentication is now disabled. Public keys are required.
+ * The contents of "/etc/motd" are now sent to clients.
-- Patrick McDermott <patrick.mcdermott@libiquity.com> Sat, 01 Jun 2019 10:36:58 -0400
diff --git a/localoptions.h b/localoptions.h
new file mode 100644
index 0000000..941863a
--- /dev/null
+++ b/localoptions.h
@@ -0,0 +1,24 @@
+/* Non-inetd mode enables protections like MAX_UNAUTH_PER_IP and
+ * MAX_AUTH_CLIENTS. */
+#define INETD_MODE 0
+
+/* ProteanOS will likely never have X11. */
+#define DROPBEAR_X11FWD 0
+
+/* Disable weak algorithms. Most if not all of these are removed from newer
+ * OpenSSH versions, but Dropbear leaves them enabled by default(!). */
+#define DROPBEAR_3DES 0 /* Triple DES cipher */
+#define DROPBEAR_ENABLE_CBC_MODE 0 /* CBC block cipher mode */
+#define DROPBEAR_SHA1_HMAC 0 /* SHA-1 message hashing */
+#define DROPBEAR_SHA1_96_HMAC 0 /* SHA-1 message hashing */
+#define DROPBEAR_DSS 0 /* 1024-bit DSA keys */
+#define DROPBEAR_DH_GROUP1 0 /* 1024-bit SHA-1 key exchange */
+
+/* Send beautiful ASCII art from "/etc/motd". */
+#define DO_MOTD 1
+
+/* Disable server password authentication, requiring public keys instead. */
+#define DROPBEAR_SVR_PASSWORD_AUTH 0
+
+/* Disable use of an SFTP server (not provided by Dropbear). */
+#define DROPBEAR_SFTPSERVER 0