diff options
-rwxr-xr-x | build | 1 | ||||
-rw-r--r-- | changelog | 9 | ||||
-rw-r--r-- | localoptions.h | 24 |
3 files changed, 34 insertions, 0 deletions
@@ -9,6 +9,7 @@ build: chmod a+rx src oh-autoconfigure -- \ --disable-bundled-libtom + cp ../localoptions.h src/localoptions.h oh-autobuild -- \ PROGRAMS='dropbear dbclient dropbearkey scp' \ MULTI=1 \ @@ -3,6 +3,15 @@ dropbear (2019.78-1) trunk * New upstream version. * Update Maintainer field. * Build against new libtommath.1-dev. + * The following weak algorithms (enabled by default upstream) are now + disabled: + - Triple DES cipher + - CBC block cipher mode + - SHA-1 message hashing + - DSA keys + - 1024-bit SHA-1 key exchange + * Server password authentication is now disabled. Public keys are required. + * The contents of "/etc/motd" are now sent to clients. -- Patrick McDermott <patrick.mcdermott@libiquity.com> Sat, 01 Jun 2019 10:36:58 -0400 diff --git a/localoptions.h b/localoptions.h new file mode 100644 index 0000000..941863a --- /dev/null +++ b/localoptions.h @@ -0,0 +1,24 @@ +/* Non-inetd mode enables protections like MAX_UNAUTH_PER_IP and + * MAX_AUTH_CLIENTS. */ +#define INETD_MODE 0 + +/* ProteanOS will likely never have X11. */ +#define DROPBEAR_X11FWD 0 + +/* Disable weak algorithms. Most if not all of these are removed from newer + * OpenSSH versions, but Dropbear leaves them enabled by default(!). */ +#define DROPBEAR_3DES 0 /* Triple DES cipher */ +#define DROPBEAR_ENABLE_CBC_MODE 0 /* CBC block cipher mode */ +#define DROPBEAR_SHA1_HMAC 0 /* SHA-1 message hashing */ +#define DROPBEAR_SHA1_96_HMAC 0 /* SHA-1 message hashing */ +#define DROPBEAR_DSS 0 /* 1024-bit DSA keys */ +#define DROPBEAR_DH_GROUP1 0 /* 1024-bit SHA-1 key exchange */ + +/* Send beautiful ASCII art from "/etc/motd". */ +#define DO_MOTD 1 + +/* Disable server password authentication, requiring public keys instead. */ +#define DROPBEAR_SVR_PASSWORD_AUTH 0 + +/* Disable use of an SFTP server (not provided by Dropbear). */ +#define DROPBEAR_SFTPSERVER 0 |