From ddc7c8fb8a37b64ef5c94c0f873fe48a71512d4a Mon Sep 17 00:00:00 2001
From: Patrick McDermott
Date: Sat, 01 Jun 2019 17:44:10 -0400
Subject: localoptions.h: New file
---
diff --git a/build b/build
index 88c0c26..5260192 100755
--- a/build
+++ b/build
@@ -9,6 +9,7 @@ build:
  chmod a+rx src
  oh-autoconfigure -- \
  --disable-bundled-libtom
+ cp ../localoptions.h src/localoptions.h
  oh-autobuild -- \
  PROGRAMS='dropbear dbclient dropbearkey scp' \
  MULTI=1 \
diff --git a/changelog b/changelog
index 70e1cdf..5beab60 100644
--- a/changelog
+++ b/changelog
@@ -3,6 +3,15 @@ dropbear (2019.78-1) trunk
  * New upstream version.
  * Update Maintainer field.
  * Build against new libtommath.1-dev.
+ * The following weak algorithms (enabled by default upstream) are now
+ disabled:
+ - Triple DES cipher
+ - CBC block cipher mode
+ - SHA-1 message hashing
+ - DSA keys
+ - 1024-bit SHA-1 key exchange
+ * Server password authentication is now disabled. Public keys are required.
+ * The contents of "/etc/motd" are now sent to clients.
 
  -- Patrick McDermott Sat, 01 Jun 2019 10:36:58 -0400
 
diff --git a/localoptions.h b/localoptions.h
new file mode 100644
index 0000000..941863a
--- /dev/null
+++ b/localoptions.h
@@ -0,0 +1,24 @@
+/* Non-inetd mode enables protections like MAX_UNAUTH_PER_IP and
+ * MAX_AUTH_CLIENTS. */
+#define INETD_MODE 0
+
+/* ProteanOS will likely never have X11. */
+#define DROPBEAR_X11FWD 0
+
+/* Disable weak algorithms. Most if not all of these are removed from newer
+ * OpenSSH versions, but Dropbear leaves them enabled by default(!). */
+#define DROPBEAR_3DES 0 /* Triple DES cipher */
+#define DROPBEAR_ENABLE_CBC_MODE 0 /* CBC block cipher mode */
+#define DROPBEAR_SHA1_HMAC 0 /* SHA-1 message hashing */
+#define DROPBEAR_SHA1_96_HMAC 0 /* SHA-1 message hashing */
+#define DROPBEAR_DSS 0 /* 1024-bit DSA keys */
+#define DROPBEAR_DH_GROUP1 0 /* 1024-bit SHA-1 key exchange */
+
+/* Send beautiful ASCII art from "/etc/motd". */
+#define DO_MOTD 1
+
+/* Disable server password authentication, requiring public keys instead. */
+#define DROPBEAR_SVR_PASSWORD_AUTH 0
+
+/* Disable use of an SFTP server (not provided by Dropbear). */
+#define DROPBEAR_SFTPSERVER 0
-- cgit v0.9.1
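Review bot: Setting `DROPBEAR_DH_GROUP1 0` turns off only diffie-hellman-group1-sha1, while upstream default_options.h for this version still enables diffie-hellman-group14-sha1 through `DROPBEAR_DH_GROUP14_SHA1`, so a SHA-1 key exchange remains available despite the "Disable weak algorithms" block and the changelog's "SHA-1 key exchange" entry. If the intent is no SHA-1 in key exchange, add `#define DROPBEAR_DH_GROUP14_SHA1 0 /* 2048-bit SHA-1 key exchange */` beside the `DROPBEAR_DH_GROUP1` line; group14-sha256 and curve25519 are unaffected. The trailing comments on the two HMAC lines suggest SHA-1 hashing in general is disabled, whereas they govern the MAC algorithms; `/* hmac-sha1 message authentication */` and `/* hmac-sha1-96 message authentication */` would be more precise. Since a misspelled or renamed macro in localoptions.h simply has no effect rather than failing the build, the names here are worth checking against the packaged version's default_options.h.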