[openwrt/openwrt] dropbear: refactor configuration
LEDE Commits
lede-commits at lists.infradead.org
Fri Jul 11 02:23:58 PDT 2025
aparcar pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/d8ff2d8cba7c90d7d77c493cf585142758346009
commit d8ff2d8cba7c90d7d77c493cf585142758346009
Author: Konstantin Demin <rockdrilla at gmail.com>
AuthorDate: Tue Jul 8 19:12:26 2025 +0300
dropbear: refactor configuration
This allows fine-tuning of dropbear build options.
This change is heavily based on similar work done by Marius Dinu earlier,
so I'd like to say many thanks to the original author.
Signed-off-by: Konstantin Demin <rockdrilla at gmail.com>
---
package/network/services/dropbear/Config.in | 1212 +++++++++++++++++---
package/network/services/dropbear/Makefile | 137 ++-
.../network/services/dropbear/files/dropbear.init | 2 +-
3 files changed, 1179 insertions(+), 172 deletions(-)
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 0d012b21b0..c5737c05ca 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -1,196 +1,1152 @@
-menu "Configuration"
- depends on PACKAGE_dropbear
+if PACKAGE_dropbear
-config DROPBEAR_CURVE25519
- bool "Curve25519 support"
+## <GENERIC>
+comment "Generic options"
+
+config DROPBEAR_STATIC_BUILD
+ bool "Build static binaries"
+ depends on DEVEL
+ help
+ Build all programs as statically linked.
+
+ Default: disabled.
+
+config DROPBEAR_LEGACY_COMPAT
+ bool "Enable legacy options and features"
+ ## TODO: remove "default y" in 2026
default y
help
- This enables the following key exchange algorithm:
- curve25519-sha256 at libssh.org
+ Enable legacy options to be accessible.
- Increases binary size by about 4 kB (MIPS).
+ This enables options which are improve backward compatibility
+ but are also known to have negative security impact.
-config DROPBEAR_ECC
- bool "Elliptic curve cryptography (ECC)"
+ Default: enabled.
+
+config DROPBEAR_SMALL_CODE
+ bool "Small code"
+ default y
help
- Enables basic support for elliptic curve cryptography (ECC)
- in key exchange and public key authentication.
+ Reduces binary size by several KB but makes the symmetrical ciphers and hashes slower (perhaps by 50%).
- Key exchange algorithms:
- ecdh-sha2-nistp256
+ Default: enabled.
- Public key algorithms:
- ecdsa-sha2-nistp256
+config DROPBEAR_DEBUG_TRACE
+ int "Verbose debug log level"
+ range 0 5
+ default 0
+ help
+ Define how much debug output is compiled in.
- Increases binary size by about 24 kB (MIPS).
+ * 0 = No verbose debug (default)
+ * 1-3 = approx 4 Kb (connection, remote identity, algos, auth type info)
+ * 4 = approx 17 Kb (detailed before connection)
+ * 5 = approx 8 Kb (detailed after connection)
- Note: select DROPBEAR_ECC_FULL if full ECC support is required.
+ Debug is enabled with -v at runtime. Repeat to increase.
-config DROPBEAR_ECC_FULL
- bool "Elliptic curve cryptography (ECC), full support"
- depends on DROPBEAR_ECC
+ Default: 0.
+
+config DROPBEAR_LOG_COMMANDS
+ bool "Log commands"
help
- Enables full support for elliptic curve cryptography (ECC)
- in key exchange and public key authentication.
+ Log the initial command sent by the clients.
- Key exchange algorithms:
- ecdh-sha2-nistp256 (*)
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
+ This does not include all shell / scp / sftp commands that a user executes
+ during a session.
- Public key algorithms:
- ecdsa-sha2-nistp256 (*)
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
+ Default: disabled.
- (*) - basic ECC support; provided by DROPBEAR_ECC.
+config DROPBEAR_INETD_MODE
+ bool "inetd mode"
+ help
+ Allow Dropbear server to be started on-demand by inetd superserver.
- Increases binary size by about 4 kB (MIPS).
+ OpenWrt starts Dropbear as daemon.
-config DROPBEAR_ED25519
- bool "Ed25519 support"
- default y if !SMALL_FLASH
+ Default: disabled.
+
+## </GENERIC>
+
+## <LOGIN OPTIONS>
+comment "Login options"
+
+config DROPBEAR_DO_HOST_LOOKUP
+ bool "Reverse DNS"
help
- This enables the following public key algorithm:
- ssh-ed25519
+ Whether to do reverse DNS lookups of incoming connection IP addresses
+ and report the DNS name in the log.
- Increases binary size by about 12 kB (MIPS).
+ Warning: If the system is under attack from many IP addresses,
+ this will flood the DNS servers too.
-config DROPBEAR_CHACHA20POLY1305
- bool "Chacha20-Poly1305 support"
+ Default: disabled.
+
+config DROPBEAR_SVR_PUBKEY_OPTIONS
+ bool "Options in authorized_keys file"
default y
help
- This enables the following authenticated encryption cipher:
- chacha20-poly1305 at openssh.com
+ Whether to take into account the key options in authorized_keys file.
- Increases binary size by about 4 kB (MIPS).
+ Supported options are:
+ * no-port-forwarding
+ * no-agent-forwarding
+ * no-X11-forwarding
+ * no-pty
+ * restrict
+ * permitopen="host:port"
+ * command="forced_command"
-config DROPBEAR_U2F
- bool "U2F/FIDO support"
- default y
+ If DROPBEAR_SK_KEYS is enabled then following options are supported too:
+ * no-touch-required
+ * verify-required
+
+ These options are documented in Dropbear man page (not installed).
+
+ Default: enabled.
+
+config DROPBEAR_LASTLOG
+ bool "Write lastlog"
help
- This option itself doesn't enable any support for U2F/FIDO
- but subordinate options do:
+ /var/log/lastlog is a record of the last login of each user.
+ To view the last login, use "lastlog" command (OpenWrt package shadow-lastlog).
- - DROPBEAR_ECDSA_SK - ecdsa-sk keys support
- depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)")
- - DROPBEAR_ED25519_SK - ed25519-sk keys support
- depends on DROPBEAR_ED25519 ("Ed25519 support")
+ If enabled, Drobear will update it with SSH logins.
+ If disabled, SSH logins will not be recorded.
-config DROPBEAR_ECDSA_SK
- bool "ECDSA-SK support"
- default y
- depends on DROPBEAR_U2F && DROPBEAR_ECC
+ Warning: The lastlog record is considered a security and privacy risk by some.
+
+ Default: disabled.
+
+config DROPBEAR_LASTLOG_PATH
+ string "lastlog path:"
+ default "/var/log/lastlog"
+ depends on DROPBEAR_LASTLOG
help
- This enables the following public key algorithm:
- sk-ecdsa-sha2-nistp256 at openssh.com
+ Default: /var/log/lastlog
-config DROPBEAR_ED25519_SK
- bool "Ed25519-SK support"
- default y
- depends on DROPBEAR_U2F && DROPBEAR_ED25519
+config DROPBEAR_WTMP
+ bool "Write wtmp"
help
- This enables the following public key algorithm:
- sk-ssh-ed25519 at openssh.com
+ /var/log/wtmp is a record of all previous logins.
+ The file needs to be manually created - Dropbear will update it only if it already exists.
+ To view login history, use "last" command, available in Busybox but not included by default.
-config DROPBEAR_ZLIB
- bool "Enable compression"
+ If enabled, Dropbear will add SSH logins to the record.
+ If disabled, SSH logins will not be recorded.
+
+ Warning: The wtmp record is considered a security and privacy risk by some.
+
+ Default: disabled.
+
+config DROPBEAR_WTMP_PATH
+ string "wtmp path:"
+ default "/var/log/wtmp"
+ depends on DROPBEAR_WTMP
help
- Enables compression using shared zlib library.
+ Default: /var/log/wtmp
- Increases binary size by about 0.1 kB (MIPS) and requires
- additional 62 kB (MIPS) for a shared zlib library.
+# ---- MUSL UTMP ----
+# In musl, pututline() and related functions are all stubs, and login(), logout() and ttyslot() don't exist.
+# In Dropbear there is an option to write to utmp directly, but it uses ttyslot().
+# So, there is currently no way to make utmp work with musl.
+# Revisit this if/when Dropbear implements ttyslot() or an independent utmp direct write.
+comment "* note: utmp is unavailable with musl libc"
+ depends on USE_MUSL
config DROPBEAR_UTMP
- bool "Utmp support"
- depends on BUSYBOX_CONFIG_FEATURE_UTMP
+ bool "Write utmp"
+ depends on !USE_MUSL
help
- This enables dropbear utmp support, the file /var/run/utmp is
- used to track who is currently logged in.
+ /var/run/utmp is a record of currently logged-in users.
+ To view logged-in users, use "w", "who" or "users" commands.
-config DROPBEAR_PUTUTLINE
- bool "Pututline support"
+ If enabled, Dropbear will keep it updated with users that log in via SSH.
+ If disabled, SSH logins will not be recorded.
+
+ Warning: The utmp record is considered a security and privacy risk by some.
+
+ Default: disabled.
+
+config DROPBEAR_UTMP_PATH
+ string "utmp path:"
+ default "/var/run/utmp"
depends on DROPBEAR_UTMP
help
- Dropbear will use pututline() to write the utmp structure into
- the utmp file.
+ Default: /var/run/utmp
+
+# musl pututline() and related functions are all stubs.
+config DROPBEAR_PUTUTLINE
+ bool "Use pututline() to write to utmp"
+ default y if !DROPBEAR_LOGINFUNC
+ depends on !USE_MUSL && !DROPBEAR_LOGINFUNC && DROPBEAR_UTMP
+ help
+ If enabled, Dropbear will use pututline() to write into the utmp file.
+ If disabled, Dropbear will write to utmp file directly.
+
+ Consider using login() and logout() functions via DROPBEAR_LOGINFUNC option if available.
+
+ Default: enabled if DROPBEAR_UTMP is enabled.
+
+# musl doesn't have login() and logout()
+config DROPBEAR_LOGINFUNC
+ bool "Use login() and logout() functions"
+ depends on !USE_MUSL
+ select DROPBEAR_UTMP
+ select DROPBEAR_WTMP
+ help
+ If enabled, Dropbear will use login() and logout() functions to record logins in utmp and wtmp files.
+ If disabled, see DROPBEAR_UTMP and DROPBEAR_WTMP options.
+
+ Default: disabled.
+
+## </LOGIN OPTIONS>
+
+## <FEATURES>
+comment "Features"
+
+config DROPBEAR_REEXEC
+ bool "ASLR for each connection"
+ default y if !LOW_MEMORY_FOOTPRINT
+ help
+ Dropbear will re-execute itself for each incoming connection
+ so that memory layout may be re-randomised (ASLR).
+ Exploiting Dropbear vulnerabilities becomes harder
+ but uses slightly more memory per connection.
-config DROPBEAR_DBCLIENT
- bool "Build dropbear with dbclient"
+ Default: enabled, except devices with very low memory.
+
+config DROPBEAR_ZLIB
+ bool "Compression"
+ select PACKAGE_zlib
+ help
+ Enable support for compression using shared zlib library.
+
+ Compression slows down transfer speed, especially on low-power CPUs
+ found in routers, but may increase speed over slow network links
+ if the CPU is fast enough to handle both compression and encryption
+ at network speed.
+
+ Default: disabled.
+
+config DROPBEAR_DELAY_HOSTKEY
+ bool "Auto-generate host keys (-R)"
default y
+ help
+ Add command line argument "-R" to generate hostkeys as-needed
+ when the first connection using that key type occurs.
-config DROPBEAR_ASKPASS
- bool "Enable askpass helper support"
- depends on DROPBEAR_DBCLIENT
+ This avoids the need to otherwise run "dropbearkey" and avoids
+ some problems with badly seeded /dev/urandom when systems first boot.
+
+ Default: enabled.
+
+config DROPBEAR_SVR_AGENTFWD
+ bool "Authentication agent forwarding [SECURITY]"
+ default y
help
- This enables support for ssh-askpass helper in dropbear client
- in order to authenticate on remote hosts.
+ Enables support for authentication agent forwarding.
- Increases binary size by about 0.1 kB (MIPS).
+ Server only: see DROPBEAR_CLI_AGENTFWD for client.
-config DROPBEAR_DBCLIENT_AGENTFORWARD
- bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
+ This allows the use of local client keys to run a second ssh client to connect from the server to another server, without the need to install the keys on the fist server too.
+
+ Common example: ssh to a server and use git on that server to push to github using local ssh keys, not the keys installed on the server.
+
+ Default: enabled.
+
+ SECURITY NOTES:
+
+ SSH agent forwarding might cause security issues (locally and on the server).
+
+ Hovewer, it's enabled by default for compatibility with previous OpenWrt/Dropbear releases.
+
+config DROPBEAR_SVR_REMOTETCPFWD
+ bool "Remote port forwarding: server -> client"
+ default y
+ help
+ Support remote port forwarding.
+
+ Server listens and forwards connections to client.
+ Server only; see DROPBEAR_CLI_REMOTETCPFWD for client.
+
+ Default: enabled.
+
+config DROPBEAR_SVR_LOCALTCPFWD
+ bool "Local port forwarding: client -> server"
+ default y
+ help
+ Support local port forwarding.
+
+ Client listens and forwards connections to server.
+ Server only; see DROPBEAR_CLI_LOCALTCPFWD for client.
+
+ Default: enabled.
+
+config DROPBEAR_SVR_LOCALSTREAMFWD
+ bool "Local port forwarding: client TCP socket -> server unix socket"
default y
- depends on DROPBEAR_DBCLIENT
help
- Increases binary size by about 0.1 kB (MIPS).
+ Support local port forwarding to unix sockets.
- Security notes:
+ Client listens and forwards connections to unix socket on server side.
+ Server only.
- SSH agent forwarding might cause security issues (locally and
- on the jump machine).
+ Default: enabled.
- Hovewer, it's enabled by default for compatibility with
- previous OpenWrt/dropbear releases.
+config DROPBEAR_X11FWD
+ bool "X11 forwarding"
+ help
+ Supports X11 forwarding.
- Consider DISABLING this option if you're building own OpenWrt
- image.
+ OpenWrt doesn't have any Xorg programs by default.
+ Server only.
- Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
- server itself).
+ Default: disabled.
config DROPBEAR_SCP
- bool "Build dropbear with scp"
+ bool "SCP file transfer program"
default y
+ help
+ Include the SCP file transfer program.
-config DROPBEAR_AGENTFORWARD
- bool "Enable agent forwarding [LEGACY/SECURITY]"
+ Default: enabled.
+
+config DROPBEAR_SFTPSERVER
+ bool "Support external SFTP server"
+ default y if !SMALL_FLASH
+ help
+ Enable running a SFTP server (such as the one included with OpenSSH).
+ The SFTP server program is not provided by Dropbear itself.
+ SFTP server must be installed as /usr/libexec/sftp-server
+
+ Default: enabled, except devices with very small flash.
+
+## </FEATURES>
+
+## <CLIENT>
+menuconfig DROPBEAR_DBCLIENT
+ bool "dbclient (Dropbear SSH client)"
default y
help
- Increases binary size by about 0.1 kB (MIPS).
+ Build dbclient, the Dropbear SSH client.
- Security notes:
+ Default: enabled.
- SSH agent forwarding might cause security issues (locally and
- on the jump machine).
+ if DROPBEAR_DBCLIENT
- Hovewer, it's enabled by default for compatibility with
- previous OpenWrt/dropbear releases.
+ config DROPBEAR_USER_ALGO_LIST
+ bool "Let user choose ciphers and MACs"
+ default y
+ help
+ Adds dbclient "-c" and "-m" command line options.
- Consider DISABLING this option if you're building own OpenWrt
- image.
+ Allows using "-c <cipher list>" and/or "-m <MAC list>"
+ to choose preferred ciphers and MACs.
- Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
- dropbear client) if DROPBEAR_DBCLIENT is selected.
+ Run "dbclient -c help" to list supported ciphers
+ and "dbclient -m help" to list supported MACs.
-config DROPBEAR_MODERN_ONLY
- bool "Use modern crypto only [BREAKS COMPATIBILITY]"
- select DROPBEAR_ED25519
- select DROPBEAR_CURVE25519
- select DROPBEAR_CHACHA20POLY1305
- help
- This option enables:
- - Chacha20-Poly1305
- - Curve25519
- - Ed25519
- and disables:
- - AES
- - RSA
+ Default: enabled.
+
+ config DROPBEAR_USE_SSH_CONFIG
+ bool "Use ssh_config"
+ help
+ Whether to use some options from ~/.ssh/dropbear_config.
+
+ Supported top-most option is "Host" (no "Match" support is present).
+
+ Supported options for "Host" are:
+ * Hostname
+ * Port
+ * User
+ * IdentityFile
+
+ These options are well-documented in ssh_config(5) man page.
+
+ Default: disabled.
+
+ config DROPBEAR_CLI_IMMEDIATE_AUTH
+ bool "Send auth request immediately [COMPATIBILITY]"
+ help
+ Save a network roundtrip by sending a real auth request
+ immediately after sending a query for the available methods.
+
+ This is not yet enabled by default since it could
+ cause problems with non-compliant servers.
+
+ Default: disabled.
+
+ config DROPBEAR_USE_PASSWORD_ENV
+ bool "Use env password"
+ default y
+ help
+ Allow specifying the password for dbclient via the DROPBEAR_PASSWORD environment variable.
+
+ Default: enabled.
+
+ config DROPBEAR_CLI_ASKPASS_HELPER
+ bool "Support askpass helper"
+ help
+ Allow the use of a helper program for the ssh client.
+
+ The helper program should be specified in the SSH_ASKPASS environment variable,
+ and dbclient should be run with DISPLAY set and no tty.
+ The program should return the password on standard output.
+
+ Default: disabled.
+
+ config DROPBEAR_CLI_AGENTFWD
+ bool "Authentication agent forwarding [SECURITY]"
+ default y
+ help
+ Enables support for authentication agent forwarding.
+
+ Client only: see DROPBEAR_SVR_AGENTFWD for server.
+
+ This allows the use of local client keys to run a second ssh client
+ to connect from the server to another server, without the need to install
+ the keys on the first server too.
+
+ Common example: ssh to a server and use git on that server to push to
+ github using local ssh keys, not the keys installed on the server.
+
+ Default: enabled.
+
+ SECURITY NOTES:
+
+ SSH agent forwarding might cause security issues (locally and on the server).
+
+ Hovewer, it's enabled by default for compatibility with previous OpenWrt/Dropbear releases.
+
+ config DROPBEAR_CLI_LOCALTCPFWD
+ bool "Local port forwarding (-L)"
+ default y
+ help
+ Support local port forwarding.
+
+ Client listens and forwards connections to server.
+
+ Client only; see DROPBEAR_SVR_LOCALTCPFWD for server.
+
+ Default: enabled.
+
+ config DROPBEAR_CLI_REMOTETCPFWD
+ bool "Remote port forwarding (-R)"
+ default y
+ help
+ Support remote port forwarding.
+
+ Server listens and forwards connections to client.
+
+ Client only; see DROPBEAR_SRV_REMOTETCPFWD for server.
+
+ Default: enabled.
+
+ config DROPBEAR_CLI_PROXYCMD
+ bool "Proxy command (-J)"
+ default y
+ help
+ Support "-J <proxycommand>" to run the connection through a pipe
+ to a program rather the normal TCP connection.
+
+ Default: enabled.
+
+ config DROPBEAR_CLI_NETCAT
+ bool "Netcat-alike forwarding (-B)"
+ help
+ Support "-B <endhost:endport>" Netcat-alike forwarding.
+
+ Default: disabled.
+
+ comment "Multi-hop support is unavailable: enable both DROPBEAR_CLI_NETCAT and DROPBEAR_CLI_PROXYCMD"
+ depends on !DROPBEAR_CLI_NETCAT || !DROPBEAR_CLI_PROXYCMD
+
+ config DROPBEAR_CLI_MULTIHOP
+ bool "Multi-hop support"
+ default y
+ depends on DROPBEAR_CLI_NETCAT && DROPBEAR_CLI_PROXYCMD
+ help
+ Support "[user@]host[/port][,[user@]host/port],...]" connections.
+
+ This option is required to support multi-hop connections in Dropbear client as well as DROPBEAR_CLI_PROXYCMD.
+
+ Default: enabled.
+
+ endif
+## </CLIENT>
+
+## <RESOURCE LIMITS>
+menu "Resource limits"
+
+ config DROPBEAR_KEX_REKEY_TIMEOUT
+ int "Rekey limit (seconds)"
+ range 600 604800
+ default 28800
+ help
+ Specifies the maximum amount of time before the session key is renegotiated.
+
+ Note: it's not possible to configure this value in run-time.
+
+ Possible values: 600 (10 minutes) to 604800 (7 days)
+ Default: 28800 (8 hours)
+
+ config DROPBEAR_KEX_REKEY_DATA
+ int "Rekey limit (bytes)"
+ range 65536 2147418112
+ default 1073741824
+ help
+ Specifies the maximum amount of data that may be transmitted or received
+ before the session key is renegotiated.
+
+ Note: it's not possible to configure this value in run-time.
+
+ Possible values: 65536 (64 KiB) to 2147418112 (2 GiB - 64 KiB)
+ Default: 1073741824 (1 GiB)
+
+ config DROPBEAR_AUTH_TIMEOUT
+ int "Unauthenticated timeout (seconds)"
+ range 30 3600
+ default 300
+ help
+ Close connections to clients which haven't authenticated after specified timeout.
+
+ Note: it's not possible to configure this value in run-time.
+
+ Possible values: 30 to 3600 (1 hour)
+ Default: 300 (5 minutes)
+
+ config DROPBEAR_MAX_AUTH_TRIES
+ int "Max. failed authentications"
+ range 1 80
+ default 10
+ help
+ Default maximum number of failed authentication tries (server option).
+
+ This can be changed at run-time with the -T argument.
+
+ Possible values: 1 to 80 (from src/sysoptions.h)
+ Default: 10
+
+ config DROPBEAR_UNAUTH_CLOSE_DELAY
+ int "Delay closing unauth. connections (seconds)"
+ range 0 3600
+ default 0
+ help
+ Delay introduced before closing an unauthenticated session.
+ Can be set to, say 30 seconds, to reduce the speed of password brute forcing.
+
+ There is a risk of denial of service by setting this.
+
+ Note: it's not possible to configure this value in run-time.
+
+ Possible values: 0 to 3600 (1 hour)
+ Default: 0 (disabled)
+
+ config DROPBEAR_MAX_UNAUTH_PER_IP
+ int "Max. unauthenticated connections per IP"
+ range 1 1024
+ default 5
+ help
+ Specify the number of clients allowed to be connected but not yet authenticated.
+ After this limit, connections are rejected.
+ This setting is per IP, to prevent DoS attacks.
+
+ Note: it's not possible to configure this value in run-time.
+
+ Possible values: 1 to 1024
+ Default: 5
+
+ config DROPBEAR_MAX_UNAUTH_CLIENTS
+ int "Max. unauthenticated connections (total)"
+ range 1 1024
+ default 30
+ help
+ Specify the number of clients allowed to be connected but not yet authenticated.
+ After this limit, connections are rejected.
+ This setting is the global number, to prevent memory exhaustion
+ when attacks come from different IPs.
+
+ Note: it's not possible to configure this value in run-time.
+
+ Possible values: 1 to 1024
+ Default: 30
+
+ config DROPBEAR_DEFAULT_RECV_WINDOW
+ int "Default TCP receive window size (bytes)"
+ range 256 10485760
+ default 32768 if LOW_MEMORY_FOOTPRINT
+ default 262144
+ help
+ TCP connections require acknowledgement of received data.
+ Window size is the maximum number of bytes that can be sent
+ on a connection before having to wait for an ACK packet.
+ This amount of memory is allocated as a per-connection receive buffer.
+ Increasing this value can make a significant difference to network performance
+ when SSH is used for large data transfers (SCP, SFTP, tunnels)
+ and the CPU can handle the encryption at network speed.
+
+ This can be changed at run-time with the -W argument.
+
+ Possible values: 256 to 10485760 (10MiB, from src/sysoptions.h)
+ Default: 32768 (32 KiB) for devices with very low memory
+ and 262144 (256 KiB) otherwise.
+
+ config DROPBEAR_DEFAULT_KEEPALIVE
+ int "Default KeepAlive interval (seconds)"
+ range 0 604800
+ default 0
+ help
+ Ensure that data is transmitted every KeepAlive seconds.
+ Applies to both server and client.
- Reduces binary size by about 64 kB (MIPS) from default
- configuration.
+ This can be changed at run-time with the -K argument.
- Consider enabling this option if you're building own OpenWrt
- image and using modern SSH software everywhere.
+ Possible values: 0 to 604800 (7 days)
+ Default: 0 (disabled)
+
+ config DROPBEAR_DEFAULT_KEEPALIVE_LIMIT
+ int "Default KeepAlive limit"
+ range 1 30
+ default 3
+ help
+ If this many KEEPALIVES are sent with no packets received from the other side, disconnect.
+ Applies to both server and client.
+
+ Note: it's not possible to configure this value in run-time.
+
+ Possible values: 1 to 30
+ Default: 3
+
+ config DROPBEAR_DEFAULT_IDLE_TIMEOUT
+ int "Default idle timeout (seconds)"
+ range 0 604800
+ default 0
+ help
+ If no traffic is sent/received in IDLE_TIMEOUT seconds, disconnect.
+ Applies to both server and client.
+
+ Note: values below 30 seconds are not recommended.
+
+ This can be changed at run-time with the -I argument.
+
+ Possible values: 0 to 604800 (7 days)
+ Default: 0 (disabled).
endmenu
+## </RESOURCE LIMITS>
+
+## <ENCRYPTION>
+menu "Encryption options"
+
+ comment "Symmetric-key ciphers:"
+
+ config DROPBEAR_3DES
+ bool "3DES [WEAK]"
+ depends on DROPBEAR_LEGACY_COMPAT
+ help
+ This enables the following authenticated encryption cipher:
+ * 3des-ctr - CTR mode
+ * 3des-cbc - CBC mode
+
+ Some very old SSH implementations might only support 3DES.
+ Keeping this cipher enables a downgrade attack on the connection, if the client allows it.
+
+ Default: disabled.
+
+ config DROPBEAR_AES128
+ bool "AES128"
+ default y
+ help
+ This enables the following authenticated encryption cipher:
+ * aes128-gcm at openssh.com - GCM mode
+ * aes128-ctr - CTR mode
+ * aes128-cbc - CBC mode
+
+ Enables AES with 128 bit key size.
+ AES is very secure, but slow. It is preferred on systems with AES hardware acceleration.
+
+ Including both AES keysize variants (128 and 256) will result in a minimal size increase.
+
+ Default: enabled.
+
+ config DROPBEAR_AES256
+ bool "AES256"
+ default y
+ help
+ This enables the following authenticated encryption cipher:
+ * aes256-gcm at openssh.com - GCM mode
+ * aes256-ctr - CTR mode
+ * aes256-cbc - CBC mode
+
+ Enables AES with 256 bit key size.
+ AES is very secure, but slow. It is preferred on systems with AES hardware acceleration.
+
+ Including both AES keysize variants (128 and 256) will result in a minimal size increase.
+
+ Default: enabled.
+
+ config DROPBEAR_CHACHA20POLY1305
+ bool "ChaCha20-Poly1305"
+ default y
+ help
+ This enables the following authenticated encryption cipher:
+ * chacha20-poly1305 at openssh.com
+
+ ChaCha20 is a symmetric-key stream cipher.
+ Poli1305 is hash function used for authentication.
+ ChaCha20-Poly1305 provides both encryption and authentication
+ without any additional cipher modes or MACs.
+
+ These algorithms are generally faster than AES on CPUs without dedicated AES instructions.
+
+ Default: enabled.
+
+ comment "WARNING! At least one cipher must be selected."
+ depends on !DROPBEAR_3DES && !DROPBEAR_AES128 && !DROPBEAR_AES256 && !DROPBEAR_CHACHA20POLY1305
+
+ ## <CIPHER MODE>
+ if DROPBEAR_3DES || DROPBEAR_AES128 || DROPBEAR_AES256
+
+ comment "Cipher modes:"
+
+ config DROPBEAR_ENABLE_CTR_MODE
+ bool "CTR, Counter mode"
+ default y
+ help
+ This enables the following authenticated encryption cipher:
+ * 3des-ctr - 3DES
+ * aes128-ctr - AES128
+ * aes256-ctr - AES256
+
+ Default: enabled.
+
+ config DROPBEAR_ENABLE_CBC_MODE
+ bool "CBC, Cipher Block Chaining mode [WEAK]"
+ help
+ This enables the following authenticated encryption cipher:
+ * 3des-cbc - 3DES
+ * aes128-cbc - AES128
+ * aes256-cbc - AES256
+
+ This mode is susceptible to ciphertext stealing and padding attacks.
+
+ Default: disabled.
+
+ config DROPBEAR_ENABLE_GCM_MODE
+ bool "GCM, Galois-Counter mode [WEAK]"
+ help
+ This enables the following authenticated encryption cipher:
+ * aes128-gcm at openssh.com - AES128
+ * aes256-gcm at openssh.com - AES256
+
+ The authentication part of the GCM can be attacked by ciphertext forgery.
+
+ Default: disabled.
+
+ comment "WARNING! Block ciphers require at least one cipher mode to be selected."
+ depends on !DROPBEAR_ENABLE_CTR_MODE && !DROPBEAR_ENABLE_CBC_MODE && !DROPBEAR_ENABLE_GCM_MODE
+
+ endif
+ ## </CIPHER MODE>
+
+ ## <MAC>
+ if DROPBEAR_3DES || DROPBEAR_AES128 || DROPBEAR_AES256
+
+ comment "Message authentication codes (MAC):"
+
+ config DROPBEAR_SHA1_96_HMAC
+ bool "SHA1-96-HMAC [WEAK]"
+ depends on DROPBEAR_LEGACY_COMPAT
+ help
+ This enables the following message authentication code:
+ * hmac-sha1-96
+
+ Enables SHA1 with hash length truncated to 96 bit.
+ Very old implementations may need it.
+
+ Default: disabled.
+
+ config DROPBEAR_SHA1_HMAC
+ bool "SHA1-HMAC [WEAK]"
+ depends on DROPBEAR_LEGACY_COMPAT
+ help
+ This enables the following message authentication code:
+ * hmac-sha1
+
+ SHA1 generates 160 bit hashes. They are considered weak when used for signing (sha1-rsa keys).
+ Very old implementations may need it.
+
+ Default: disabled.
+
+ config DROPBEAR_SHA2_256_HMAC
+ bool "SHA256-HMAC"
+ default y
+ help
+ This enables the following message authentication code:
+ * hmac-sha2-256
+
+ SHA2 with 256 bit hash length.
+
+ Default: enabled.
+
+ config DROPBEAR_SHA2_512_HMAC
+ bool "SHA512-HMAC"
+ help
+ This enables the following message authentication code:
+ * hmac-sha2-512
+
+ SHA2 with 512 bit hash length is slower than SHA256 with little added benefits,
+ as SHA256 is sufficiently strong.
+
+ Default: disabled.
+
+ comment "WARNING! Ciphers without authentication require at least one MAC to be enabled."
+ depends on !DROPBEAR_SHA1_96_HMAC && !DROPBEAR_SHA1_HMAC && !DROPBEAR_SHA2_256_HMAC && !DROPBEAR_SHA2_512_HMAC
+
+ endif
+ ## </MAC>
+
+ comment "Asymmetric-key ciphers:"
+
+ config DROPBEAR_DSS
+ bool "DSS [WEAK]"
+ depends on DROPBEAR_LEGACY_COMPAT
+ help
+ This enables the following public key algorithm:
+ * ssh-dss
+
+ DSS uses 1024 bit private keys (too small) and SHA1 signing (weak).
+
+ Default: disabled.
+
+ config DROPBEAR_RSA_SHA1
+ bool "RSA-SHA1 [WEAK]"
+ default y
+ depends on DROPBEAR_LEGACY_COMPAT
+ help
+ This enables the following public key algorithm:
+ * ssh-rsa
+
+ SHA1 support is required to communicate with some older implementations.
+ It will be removed in future due to SHA1 insecurity.
+
+ Default: disabled.
+
+ config DROPBEAR_RSA
+ bool "RSA-SHA256"
+ default y
+ help
+ This enables the following public key algorithm:
+ * rsa-sha2-256
+
+ RSA-SHA256 uses SHA2 256 bit hashes for authentication.
+
+ Default: enabled.
+
+ config DROPBEAR_DEFAULT_RSA_SIZE
+ int "Default RSA key size"
+ range 1024 8192
+ default 2048
+ depends on DROPBEAR_RSA_SHA1 || DROPBEAR_RSA
+ help
+ Sets the default RSA key size, for example, when auto-generating server keys.
+
+ Possible values: 1024, 2048, 4096, 8192.
+ Default: 2048.
+
+ config DROPBEAR_ECDSA
+ bool "ECDSA"
+ help
+ This enables the following public key algorithm:
+ * ecdsa-sha2-nistp256 - 256-bit elliptic curve
+ * ecdsa-sha2-nistp384 - 384-bit elliptic curve
+ * ecdsa-sha2-nistp521 - 521-bit elliptic curve
+
+ Along with FIDO/U2F also enables the following public key algorithm:
+ * sk-ecdsa-sha2-nistp256 at openssh.com - 256-bit elliptic curve
+
+ ECDSA significantly faster than RSA or DSS, but slower than Ed25519.
+
+ Default: disabled.
+
+ config DROPBEAR_ED25519
+ bool "Ed25519"
+ default y if !SMALL_FLASH
+ help
+ This enables the following public key algorithm:
+ * ssh-ed25519
+
+ Along with FIDO/U2F also enables the following public key algorithm:
+ * sk-ssh-ed25519 at openssh.com
+
+ Ed25519 uses Curve25519 and SHA512 and is faster than RSA and ECDSA.
+
+ Default: enabled, except devices with very small flash.
+
+ comment "WARNING! At least one asymmetric-key algorithm must be enabled."
+ depends on !DROPBEAR_DSS && !DROPBEAR_RSA && !DROPBEAR_ECDSA && !DROPBEAR_ED25519
+
+ ## <KEX ALGORITHM>
+ comment "Key exchange algorithms"
+
+ config DROPBEAR_DH_GROUP1
+ bool "DH group1: SHA1, 1024 bit [WEAK]"
+ depends on DROPBEAR_LEGACY_COMPAT
+ help
+ This enables the following key exchange algorithm:
+ * diffie-hellman-group1-sha1
+
+ Diffie-Hellman group1 is too small for security, though is necessary for
+ compatibility with some very old implementations such as Dropbear < v0.53.
+
+ Default: disabled.
+
+ config DROPBEAR_DH_GROUP1_CLIENTONLY
+ bool "DH group1 only for Dropbear client"
+ default y
+ depends on DROPBEAR_DBCLIENT && DROPBEAR_DH_GROUP1
+ help
+ When enabled, Diffie-Hellman group1 will only be allowed by Dropbear client,
+ not by the server, due to concerns over its strength.
+ If disabled, DH group1 is allowed by Dropbear server too.
+
+ Default: enabled.
+
+ config DROPBEAR_DH_GROUP14_SHA1
+ bool "DH group14: SHA1, 2048 bit [WEAK]"
+ depends on DROPBEAR_LEGACY_COMPAT
+ help
+ This enables the following key exchange algorithm:
+ * diffie-hellman-group14-sha1
+
+ Diffie-Hellman group14 is supported by most implementations.
+ This variant uses weaker SHA1 hashes.
+
+ Default: disabled.
+
+ config DROPBEAR_DH_GROUP14_SHA256
+ bool "DH group14: SHA2-256, 2048 bit"
+ default y
+ help
+ This enables the following key exchange algorithm:
+ * diffie-hellman-group14-sha256
+
+ Diffie-Hellman group14 is supported by most implementations.
+
+ Default: enabled.
+
+ config DROPBEAR_DH_GROUP16
+ bool "DH group16: SHA2-512, 4096 bit"
+ help
+ This enables the following key exchange algorithm:
+ * diffie-hellman-group16-sha512
+
+ Diffie-Hellman group16 provides a greater strength level
+ but it is slower and increases binary size.
+
+ Default: disabled.
+
+ config DROPBEAR_ECDH
+ bool "ECDH"
+ help
+ This enables the following key exchange algorithm:
+ * ecdh-sha2-nistp256 - 256-bit elliptic curve
+ * ecdh-sha2-nistp384 - 384-bit elliptic curve
+ * ecdh-sha2-nistp521 - 521-bit elliptic curve
+
+ ECDH is faster than non-elliptic-curve methods.
+
+ Default: disabled.
+
+ config DROPBEAR_CURVE25519
+ bool "Curve25519"
+ default y
+ help
+ This enables the following key exchange algorithm:
+ * curve25519-sha256
+
+ Curve25519 is faster than non-elliptic-curve methods.
+
+ Default: enabled.
+
+ config DROPBEAR_MLKEM768
+ bool "mlkem768 [POST-QUANTUM]"
+ help
+ This enables the following key exchange algorithm:
+ * mlkem768x25519-sha256
+
+ Post-quantum KEM can avoid harvest-now-decrypt-later style attacks.
+
+ Default: enabled, except devices with very small flash.
+
+ config DROPBEAR_SNTRUP761
+ bool "sntrup761 [POST-QUANTUM]"
+ default y if !SMALL_FLASH
+ help
+ This enables the following key exchange algorithm:
+ * sntrup761x25519-sha512
+
+ Post-quantum KEM can avoid harvest-now-decrypt-later style attacks.
+
+ Default: enabled, except devices with very small flash.
+
+ comment "WARNING! At least one key exchange algorithm must be enabled."
+ depends on !DROPBEAR_DH_GROUP1 && !DROPBEAR_DH_GROUP14_SHA1 && ! DROPBEAR_DH_GROUP14_SHA256 && !DROPBEAR_DH_GROUP16 && !DROPBEAR_ECDH && !DROPBEAR_CURVE25519 && !DROPBEAR_MLKEM768 && !DROPBEAR_SNTRUP761
+ ## </KEX ALGORITHM>
+
+ ## <ELLIPTIC CURVE>
+ if DROPBEAR_ECDH || DROPBEAR_ECDSA
+
+ comment "Elliptic curves:"
+
+ config DROPBEAR_ECC_256
+ bool "256-bit curve"
+ default y
+ help
+ This enables the following key exchange algorithm:
+ * ecdh-sha2-nistp256
+
+ This enables the following public key algorithm:
+ * ecdsa-sha2-nistp256
+
+ Along with FIDO/U2F also enables the following public key algorithm:
+ * sk-ecdsa-sha2-nistp256 at openssh.com
+
+ Default: enabled.
+
+ config DROPBEAR_ECC_384
+ bool "384-bit curve"
+ help
+ This enables the following key exchange algorithm:
+ * ecdh-sha2-nistp384
+
+ This enables the following public key algorithm:
+ * ecdsa-sha2-nistp384
+
+ Default: disabled.
+
+ config DROPBEAR_ECC_521
+ bool "521-bit curve"
+ help
+ This enables the following key exchange algorithm:
+ * ecdh-sha2-nistp521
+
+ This enables the following public key algorithm:
+ * ecdsa-sha2-nistp521
+
+ Default: disabled.
+
+ comment "WARNING! At least one elliptic curve must be enabled."
+ depends on !DROPBEAR_ECC_256 && !DROPBEAR_ECC_384 && !DROPBEAR_ECC_521
+
+ endif
+ ## </ELLIPTIC CURVE>
+
+ ## <U2F>
+ comment "FIDO/U2F security keys are not supported - enable DROPBEAR_ECDSA and/or DROPBEAR_ED25519"
+ depends on !DROPBEAR_ECDSA && !DROPBEAR_ED25519
+
+ config DROPBEAR_SK_KEYS
+ bool "FIDO/U2F security keys"
+ default y if !SMALL_FLASH
+ depends on DROPBEAR_ECDSA || DROPBEAR_ED25519
+ help
+ Allows Dropbear server to validate U2F security keys.
+ The corresponding DROPBEAR_SK_ECDSA and/or DROPBEAR_SK_ED25519 also needs to be set.
+
+ Dropbear client does not support U2F.
+
+ Default: enabled, except devices with very small flash.
+
+ if DROPBEAR_SK_KEYS
+
+ comment "FIDO/U2F with ECDSA is not supported - enable DROPBEAR_ECC_256"
+ depends on DROPBEAR_ECDSA && !DROPBEAR_ECC_256
+
+ config DROPBEAR_SK_ECDSA
+ bool "FIDO/U2F with ECDSA"
+ default y
+ depends on DROPBEAR_ECDSA && DROPBEAR_ECC_256
+ help
+ This enables the following public key algorithm:
+ * sk-ecdsa-sha2-nistp256 at openssh.com
+
+ Default: enabled.
+
+ config DROPBEAR_SK_ED25519
+ bool "FIDO/U2F with Ed25519"
+ default y
+ depends on DROPBEAR_ED25519
+ help
+ This enables the following public key algorithm:
+ * sk-ssh-ed25519 at openssh.com
+
+ Default: enabled.
+
+ comment "WARNING! At least one U2F algorithm must be enabled."
+ depends on !DROPBEAR_SK_ECDSA && !DROPBEAR_SK_ED25519
+
+ endif
+ ## </U2F>
+
+endmenu
+## </ENCRYPTION>
+
+## TODO: following options should be removed in 2027
+
+## <LEGACY OPTIONS>
+config DROPBEAR_ECC
+ bool
+ imply DROPBEAR_ECDH
+ imply DROPBEAR_ECDSA
+ imply DROPBEAR_ECC_256
+
+config DROPBEAR_ECC_FULL
+ bool
+ imply DROPBEAR_ECDH
+ imply DROPBEAR_ECDSA
+ imply DROPBEAR_ECC_256
+ imply DROPBEAR_ECC_384
+ imply DROPBEAR_ECC_521
+
+config DROPBEAR_ECDSA_SK
+ bool
+ imply DROPBEAR_SK_KEYS
+ imply DROPBEAR_SK_ECDSA
+ imply DROPBEAR_ECC_256
+
+config DROPBEAR_ED25519_SK
+ bool
+ imply DROPBEAR_SK_KEYS
+ imply DROPBEAR_SK_ED25519
+
+config DROPBEAR_ASKPASS
+ bool
+ depends on DROPBEAR_DBCLIENT
+ imply DROPBEAR_CLI_ASKPASS_HELPER
+
+config DROPBEAR_DBCLIENT_AGENTFORWARD
+ bool
+ depends on DROPBEAR_DBCLIENT
+ imply DROPBEAR_CLI_AGENTFWD
+
+config DROPBEAR_AGENTFORWARD
+ bool
+ imply DROPBEAR_SVR_AGENTFWD
+
+## it's not possible to negate selection via Kconfig [at least] of following options:
+## - DROPBEAR_AES128
+## - DROPBEAR_AES256
+## - DROPBEAR_ENABLE_CTR_MODE
+## - DROPBEAR_RSA
+## - DROPBEAR_RSA_SHA1
+config DROPBEAR_MODERN_ONLY
+ bool
+ imply DROPBEAR_ED25519
+ imply DROPBEAR_CURVE25519
+ imply DROPBEAR_CHACHA20POLY1305
+
+## </LEGACY OPTIONS>
+
+endif # PACKAGE_dropbear
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index a3bb311712..5bedcc171d 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -28,14 +28,19 @@ PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared
PKG_CONFIG_DEPENDS:= \
- CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
- CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
- CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
- CONFIG_DROPBEAR_U2F CONFIG_DROPBEAR_ECDSA_SK CONFIG_DROPBEAR_ED25519_SK \
- CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
- CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
- CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
- CONFIG_DROPBEAR_MODERN_ONLY
+ CONFIG_DROPBEAR_STATIC_BUILD CONFIG_DROPBEAR_LEGACY_COMPAT CONFIG_DROPBEAR_SMALL_CODE CONFIG_DROPBEAR_DEBUG_TRACE CONFIG_DROPBEAR_LOG_COMMANDS CONFIG_DROPBEAR_INETD_MODE \
+ CONFIG_DROPBEAR_DO_HOST_LOOKUP CONFIG_DROPBEAR_SVR_PUBKEY_OPTIONS CONFIG_DROPBEAR_LASTLOG CONFIG_DROPBEAR_LASTLOG_PATH CONFIG_DROPBEAR_WTMP CONFIG_DROPBEAR_WTMP_PATH CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_UTMP_PATH CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_LOGINFUNC \
+ CONFIG_DROPBEAR_REEXEC CONFIG_DROPBEAR_ZLIB CONFIG_DROPBEAR_DELAY_HOSTKEY CONFIG_DROPBEAR_SVR_AGENTFWD CONFIG_DROPBEAR_SVR_REMOTETCPFWD CONFIG_DROPBEAR_SVR_LOCALTCPFWD CONFIG_DROPBEAR_SVR_LOCALSTREAMFWD CONFIG_DROPBEAR_X11FWD CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_SFTPSERVER \
+ CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_USER_ALGO_LIST CONFIG_DROPBEAR_USE_SSH_CONFIG CONFIG_DROPBEAR_CLI_IMMEDIATE_AUTH CONFIG_DROPBEAR_USE_PASSWORD_ENV CONFIG_DROPBEAR_CLI_ASKPASS_HELPER CONFIG_DROPBEAR_CLI_AGENTFWD CONFIG_DROPBEAR_CLI_LOCALTCPFWD CONFIG_DROPBEAR_CLI_REMOTETCPFWD CONFIG_DROPBEAR_CLI_PROXYCMD CONFIG_DROPBEAR_CLI_NETCAT CONFIG_DROPBEAR_CLI_MULTIHOP \
+ CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT CONFIG_DROPBEAR_KEX_REKEY_DATA CONFIG_DROPBEAR_AUTH_TIMEOUT CONFIG_DROPBEAR_MAX_AUTH_TRIES CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW CONFIG_DROPBEAR_DEFAULT_KEEPALIVE CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT \
+ CONFIG_DROPBEAR_3DES CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 CONFIG_DROPBEAR_CHACHA20POLY1305 \
+ CONFIG_DROPBEAR_ENABLE_CTR_MODE CONFIG_DROPBEAR_ENABLE_CBC_MODE CONFIG_DROPBEAR_ENABLE_GCM_MODE \
+ CONFIG_DROPBEAR_SHA1_96_HMAC CONFIG_DROPBEAR_SHA1_HMAC CONFIG_DROPBEAR_SHA2_256_HMAC CONFIG_DROPBEAR_SHA2_512_HMAC \
+ CONFIG_DROPBEAR_DSS CONFIG_DROPBEAR_RSA_SHA1 CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_DEFAULT_RSA_SIZE CONFIG_DROPBEAR_ECDSA CONFIG_DROPBEAR_ED25519 \
+ CONFIG_DROPBEAR_DH_GROUP1 CONFIG_DROPBEAR_DH_GROUP1_CLIENTONLY CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 CONFIG_DROPBEAR_DH_GROUP16 CONFIG_DROPBEAR_ECDH CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_MLKEM768 CONFIG_DROPBEAR_SNTRUP761 \
+ CONFIG_DROPBEAR_ECC_256 CONFIG_DROPBEAR_ECC_384 CONFIG_DROPBEAR_ECC_521 \
+ CONFIG_DROPBEAR_SK_KEYS CONFIG_DROPBEAR_SK_ECDSA CONFIG_DROPBEAR_SK_ED25519 \
+
include $(INCLUDE_DIR)/package.mk
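Review bot: CONFIG_TARGET_INIT_PATH is dropped from the new PKG_CONFIG_DEPENDS list although DB_OPT_COMMON later in this file still expands $(TARGET_INIT_PATH) into DEFAULT_PATH and DEFAULT_ROOT_PATH, so a change of the init path no longer triggers a rebuild of dropbear; re-add `CONFIG_TARGET_INIT_PATH \` at the head of the list. The list also tracks CONFIG_DROPBEAR_LASTLOG_PATH, CONFIG_DROPBEAR_WTMP_PATH and CONFIG_DROPBEAR_UTMP_PATH, while the DB_OPT_COMMON hunk reads CONFIG_DROPBEAR_LASTLOG_FILE, CONFIG_DROPBEAR_UTMP_FILE and CONFIG_DROPBEAR_WTMP_FILE; only one spelling can match the Kconfig symbol, so either the dependency tracking or the value expansion is silently a no-op. The Config.in definitions of those symbols are outside this view, so I cannot tell which side is the typo.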
@@ -56,6 +61,7 @@ define Package/dropbear
SECTION:=net
CATEGORY:=Base system
TITLE:=Small SSH2 client/server
+ MENU:=1
DEPENDS:= +DROPBEAR_ZLIB:zlib
ALTERNATIVES:=100:/usr/bin/ssh-keygen:/usr/sbin/dropbear
$(if $(CONFIG_DROPBEAR_SCP),ALTERNATIVES+= \
@@ -87,16 +93,15 @@ endef
CONFIGURE_ARGS += \
--disable-pam \
- --enable-openpty \
- --enable-syslog \
- --disable-lastlog \
+ --disable-pututxline \
--disable-utmpx \
- $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
- --disable-wtmp \
--disable-wtmpx \
- --disable-loginfunc \
+ $(if $(CONFIG_DROPBEAR_LASTLOG),,--disable-lastlog) \
+ $(if $(CONFIG_DROPBEAR_LOGINFUNC),,--disable-loginfunc) \
$(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \
- --disable-pututxline \
+ $(if $(CONFIG_DROPBEAR_STATIC_BUILD),--enable-static,--disable-static) \
+ $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
+ $(if $(CONFIG_DROPBEAR_WTMP),,--disable-wtmp) \
$(if $(CONFIG_DROPBEAR_ZLIB),,--disable-zlib) \
--enable-bundled-libtom
@@ -109,24 +114,33 @@ CONFIGURE_ARGS += \
# adjust allowed shell list (if getusershell(3) is missing):
# - COMPAT_USER_SHELLS
-# remove protocol idented software version number:
-# - LOCAL_IDENT
-# disable legacy/unsafe methods and unused functionality:
-# - DROPBEAR_CLI_NETCAT
-# - DROPBEAR_DSS
+# remove version number from protocol ident:
+# - IDENT_VERSION_PART
+# disable unused functionality:
# - DO_MOTD
-# - DROPBEAR_DH_GROUP14_SHA1
-# - DROPBEAR_SHA1_HMAC
+
DB_OPT_COMMON = \
- !!LOCAL_IDENT,"SSH-2.0-dropbear" \
+ IDENT_VERSION_PART,"" \
COMPAT_USER_SHELLS,"/bin/ash","/bin/sh" \
DEFAULT_PATH,"$(TARGET_INIT_PATH)" \
DEFAULT_ROOT_PATH,"$(TARGET_INIT_PATH)" \
- DROPBEAR_DSS,0 \
- DROPBEAR_CLI_NETCAT,0 \
DO_MOTD,0 \
- DROPBEAR_DH_GROUP14_SHA1,0 \
- DROPBEAR_SHA1_HMAC,0 \
+ AUTH_TIMEOUT,$(CONFIG_DROPBEAR_AUTH_TIMEOUT) \
+ DEBUG_TRACE,$(CONFIG_DROPBEAR_DEBUG_TRACE) \
+ DEFAULT_IDLE_TIMEOUT,$(CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT) \
+ DEFAULT_KEEPALIVE_LIMIT,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT) \
+ DEFAULT_KEEPALIVE,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE) \
+ DEFAULT_RECV_WINDOW,$(CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW) \
+ KEX_REKEY_DATA,$(CONFIG_DROPBEAR_KEX_REKEY_DATA) \
+ KEX_REKEY_TIMEOUT,$(CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT) \
+ MAX_AUTH_TRIES,$(CONFIG_DROPBEAR_MAX_AUTH_TRIES) \
+ MAX_UNAUTH_CLIENTS,$(CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS) \
+ MAX_UNAUTH_PER_IP,$(CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP) \
+ UNAUTH_CLOSE_DELAY,$(CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY) \
+ $(if $(CONFIG_DROPBEAR_RSA),DROPBEAR_DEFAULT_RSA_SIZE$(comma)$(CONFIG_DROPBEAR_DEFAULT_RSA_SIZE)) \
+ $(if $(CONFIG_DROPBEAR_LASTLOG),LASTLOG_FILE$(comma)$(CONFIG_DROPBEAR_LASTLOG_FILE)) \
+ $(if $(CONFIG_DROPBEAR_UTMP),UTMP_FILE$(comma)$(CONFIG_DROPBEAR_UTMP_FILE)) \
+ $(if $(CONFIG_DROPBEAR_WTMP),WTMP_FILE$(comma)$(CONFIG_DROPBEAR_WTMP_FILE)) \
##############################################################################
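Review bot: `DEBUG_TRACE,$(CONFIG_DROPBEAR_DEBUG_TRACE)` substitutes whatever the Kconfig symbol holds; if it is a bool (its definition is not in this view) the emitted value is `y`, not the numeric trace level dropbear's option expects, and the same pattern produces an empty value for any of the int entries here whenever the symbol's Kconfig dependency is unmet. Guarding them like the RSA size on the line below, e.g. `$(if $(CONFIG_DROPBEAR_DEBUG_TRACE),DEBUG_TRACE$(comma)$(CONFIG_DROPBEAR_DEBUG_TRACE))`, keeps a missing symbol from generating a malformed option. How the `NAME,VALUE` pairs are consumed is outside this hunk, so the exact failure mode should be confirmed there.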
@@ -139,24 +153,61 @@ DB_OPT_COMMON = \
##############################################################################
DB_OPT_CONFIG = \
- !!DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_FULL,1,0 \
- !!DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_FULL,1,0 \
- DROPBEAR_CURVE25519,CONFIG_DROPBEAR_CURVE25519,1,0 \
+ !!DROPBEAR_CLI_MULTIHOP,CONFIG_DROPBEAR_CLI_MULTIHOP,1,0 \
+ !!DROPBEAR_ECC_256,CONFIG_DROPBEAR_ECC_256,1,0 \
+ !!DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_384,1,0 \
+ !!DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_521,1,0 \
+ DO_HOST_LOOKUP,CONFIG_DROPBEAR_DO_HOST_LOOKUP,1,0 \
+ DROPBEAR_3DES,CONFIG_DROPBEAR_3DES,1,0 \
+ DROPBEAR_AES128,CONFIG_DROPBEAR_AES128,1,0 \
+ DROPBEAR_AES256,CONFIG_DROPBEAR_AES256,1,0 \
DROPBEAR_CHACHA20POLY1305,CONFIG_DROPBEAR_CHACHA20POLY1305,1,0 \
+ DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_CLI_AGENTFWD,1,0 \
+ DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_CLI_ASKPASS_HELPER,1,0 \
+ DROPBEAR_CLI_IMMEDIATE_AUTH,CONFIG_DROPBEAR_CLI_IMMEDIATE_AUTH,1,0 \
+ DROPBEAR_CLI_LOCALTCPFWD,CONFIG_DROPBEAR_CLI_LOCALTCPFWD,1,0 \
+ DROPBEAR_CLI_NETCAT,CONFIG_DROPBEAR_CLI_NETCAT,1,0 \
+ DROPBEAR_CLI_PROXYCMD,CONFIG_DROPBEAR_CLI_PROXYCMD,1,0 \
+ DROPBEAR_CLI_REMOTETCPFWD,CONFIG_DROPBEAR_CLI_REMOTETCPFWD,1,0 \
+ DROPBEAR_CURVE25519,CONFIG_DROPBEAR_CURVE25519,1,0 \
+ DROPBEAR_DELAY_HOSTKEY,CONFIG_DROPBEAR_DELAY_HOSTKEY,1,0 \
+ DROPBEAR_DH_GROUP1,CONFIG_DROPBEAR_DH_GROUP1,1,0 \
+ DROPBEAR_DH_GROUP1_CLIENTONLY,CONFIG_DROPBEAR_DH_GROUP1_CLIENTONLY,1,0 \
+ DROPBEAR_DH_GROUP14_SHA1,CONFIG_DROPBEAR_DH_GROUP14_SHA1,1,0 \
+ DROPBEAR_DH_GROUP14_SHA256,CONFIG_DROPBEAR_DH_GROUP14_SHA256,1,0 \
+ DROPBEAR_DH_GROUP16,CONFIG_DROPBEAR_DH_GROUP16,1,0 \
+ DROPBEAR_DSS,CONFIG_DROPBEAR_DSS,1,0 \
+ DROPBEAR_ECDH,CONFIG_DROPBEAR_ECDH,1,0 \
+ DROPBEAR_ECDSA,CONFIG_DROPBEAR_ECDSA,1,0 \
DROPBEAR_ED25519,CONFIG_DROPBEAR_ED25519,1,0 \
- DROPBEAR_ECDSA,CONFIG_DROPBEAR_ECC,1,0 \
- DROPBEAR_ECDH,CONFIG_DROPBEAR_ECC,1,0 \
- DROPBEAR_SK_KEYS,CONFIG_DROPBEAR_U2F,1,0 \
- DROPBEAR_SK_ECDSA,CONFIG_DROPBEAR_ECDSA_SK,1,0 \
- DROPBEAR_SK_ED25519,CONFIG_DROPBEAR_ED25519_SK,1,0 \
- DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
- DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
- DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
- DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
- DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
- DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
- DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
- DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_ENABLE_CBC_MODE,CONFIG_DROPBEAR_ENABLE_CBC_MODE,1,0 \
+ DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_ENABLE_CTR_MODE,1,0 \
+ DROPBEAR_ENABLE_GCM_MODE,CONFIG_DROPBEAR_ENABLE_GCM_MODE,1,0 \
+ DROPBEAR_MLKEM768,CONFIG_DROPBEAR_MLKEM768,1,0 \
+ DROPBEAR_REEXEC,CONFIG_DROPBEAR_REEXEC,1,0 \
+ DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_RSA_SHA1,1,0 \
+ DROPBEAR_RSA,CONFIG_DROPBEAR_RSA,1,0 \
+ DROPBEAR_SFTPSERVER,CONFIG_DROPBEAR_SFTPSERVER,1,0 \
+ DROPBEAR_SHA1_96_HMAC,CONFIG_DROPBEAR_SHA1_96_HMAC,1,0 \
+ DROPBEAR_SHA1_HMAC,CONFIG_DROPBEAR_SHA1_HMAC,1,0 \
+ DROPBEAR_SHA2_256_HMAC,CONFIG_DROPBEAR_SHA2_256_HMAC,1,0 \
+ DROPBEAR_SHA2_512_HMAC,CONFIG_DROPBEAR_SHA2_512_HMAC,1,0 \
+ DROPBEAR_SK_ECDSA,CONFIG_DROPBEAR_SK_ECDSA,1,0 \
+ DROPBEAR_SK_ED25519,CONFIG_DROPBEAR_SK_ED25519,1,0 \
+ DROPBEAR_SK_KEYS,CONFIG_DROPBEAR_SK_KEYS,1,0 \
+ DROPBEAR_SMALL_CODE,CONFIG_DROPBEAR_SMALL_CODE,1,0 \
+ DROPBEAR_SNTRUP761,CONFIG_DROPBEAR_SNTRUP761,1,0 \
+ DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_SVR_AGENTFWD,1,0 \
+ DROPBEAR_SVR_LOCALSTREAMFWD,CONFIG_DROPBEAR_SVR_LOCALSTREAMFWD,1,0 \
+ DROPBEAR_SVR_LOCALTCPFWD,CONFIG_DROPBEAR_SVR_LOCALTCPFWD,1,0 \
+ DROPBEAR_SVR_PUBKEY_OPTIONS,CONFIG_DROPBEAR_SVR_PUBKEY_OPTIONS,1,0 \
+ DROPBEAR_SVR_REMOTETCPFWD,CONFIG_DROPBEAR_SVR_REMOTETCPFWD,1,0 \
+ DROPBEAR_USE_PASSWORD_ENV,CONFIG_DROPBEAR_USE_PASSWORD_ENV,1,0 \
+ DROPBEAR_USE_SSH_CONFIG,CONFIG_DROPBEAR_USE_SSH_CONFIG,1,0 \
+ DROPBEAR_USER_ALGO_LIST,CONFIG_DROPBEAR_USER_ALGO_LIST,1,0 \
+ DROPBEAR_X11FWD,CONFIG_DROPBEAR_X11FWD,1,0 \
+ INETD_MODE,CONFIG_DROPBEAR_INETD_MODE,1,0 \
+ LOG_COMMANDS,CONFIG_DROPBEAR_LOG_COMMANDS,1,0 \
TARGET_CFLAGS += -DARGTYPE=3
diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
index 11e89340db..2f5d9698eb 100755
--- a/package/network/services/dropbear/files/dropbear.init
+++ b/package/network/services/dropbear/files/dropbear.init
@@ -177,7 +177,7 @@ validate_section_dropbear()
'SSHKeepAlive:uinteger:300' \
'IdleTimeout:uinteger:0' \
'MaxAuthTries:uinteger:3' \
- 'RecvWindowSize:uinteger:262144' \
+ 'RecvWindowSize:uinteger:0' \
'mdns:bool:1'
}
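Review bot: The validation default for RecvWindowSize changes from 262144 to 0 without the commit message saying what 0 means here; presumably it now stands for "use the compiled-in DEFAULT_RECV_WINDOW", which this commit makes configurable. If the option-building code (outside this hunk, as is the start of validate_section_dropbear) still passes `-W "$RecvWindowSize"` unconditionally, a 0 reaches dropbear as a literal window size, so that code should skip `-W` when the value is 0. A one-line comment such as `# 0 = use the build-time DEFAULT_RECV_WINDOW` next to the new default would make the intent explicit.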