## SECTION=networking
menuconfig DROPBEAR
	tristate
	prompt "dropbear "
	select ZLIB if DROPBEAR_ZLIB
	select LIBC_UTIL
	select LIBC_CRYPT
	select GCCLIBS_GCC_S
	select INITMETHOD
	select RC_ONCE if RUNTIME
	select BUSYBOX_START_STOP_DAEMON if DROPBEAR_STARTSCRIPT
	select BUSYBOX_FEATURE_START_STOP_DAEMON_FANCY if DROPBEAR_STARTSCRIPT
	select BUSYBOX_FEATURE_START_STOP_DAEMON_LONG_OPTIONS if DROPBEAR_STARTSCRIPT
	help
	  Dropbear is an SSH 2 server and client designed to be small
	  enough for low-memory environments while remaining functional
	  and secure enough for general use. It implements most of the
	  required features of the SSH 2 protocol plus extras such as X11
	  and authentication agent forwarding.

	  http://matt.ucc.asn.au/dropbear/dropbear.html
if DROPBEAR

config DROPBEAR_KEY_DIR
	string "dropbear key directory"
	default "/etc/dropbear"
	help
	  The directory in which dropbear looks for its host keys.
	  The host private keys are the server's identity: keep this on
	  persistent, root-only storage, not on a volatile filesystem
	  that would make every boot present a new key to clients.

config DROPBEAR_ZLIB
	bool
	prompt "zlib support"
	help
	  Link dropbear against zlib so that transport compression can be
	  negotiated. Leaving this off drops zlib from the binary and
	  compression from the algorithms dropbear offers.
	  If you leave it off, compression must also be disabled on the
	  client: OpenSSH has been seen to request it anyway unless
	  "Compression no" is set globally in ~/.ssh/config rather than
	  only in the host entry.

config DROPBEAR_DIS_OPENPTY
	bool
	prompt "Don't use openpty, use alternative method"
	help
	  If openpty() is used (HAVE_OPENPTY defined in config.h) and it
	  fails at runtime, try building with --disable-openpty. You will
	  then probably need to create all the /dev/pty?? and /dev/tty??
	  device nodes, which can be problematic with devfs. In general
	  openpty() is the best way to allocate PTYs, so try to get it
	  working first.
config DROPBEAR_DIS_SYSLOG
	bool
	prompt "Don't include syslog support"
	help
	  Keep dropbear from logging through syslog(3). Successful and
	  failed authentications are then only written to stderr, so the
	  authentication audit trail is lost unless you capture that.
	  Useful where no syslog daemon runs or storage is tight.

config DROPBEAR_DIS_LASTLOG
	bool
	prompt "disable use of lastlog"
	help
	  Keep dropbear from updating lastlog, the per-user record of the
	  most recent login (time, tty, remote host) that the lastlog
	  command displays.
	  Saves a write per login on small or flash-based filesystems.

config DROPBEAR_DIS_UTMP
	bool
	prompt "disable use of utmp"
	help
	  Keep dropbear from writing to utmp, the table of currently
	  logged-in sessions that who(1) and w(1) read. With this set,
	  SSH sessions accepted by dropbear no longer appear there.
	  Saves a write per login on small or flash-based filesystems.

config DROPBEAR_DIS_UTMPX
	bool
	prompt "disable use of utmpx"
	help
	  Same as above for utmpx, the POSIX extended variant of utmp
	  (on glibc the same file and record format).

config DROPBEAR_DIS_WTMP
	bool
	prompt "disable use of wtmp"
	help
	  Keep dropbear from appending to wtmp, the login/logout history
	  that last(1) reads. This is the local record an incident
	  responder uses to reconstruct who was logged in when and from
	  where; if you disable it, make sure dropbear's syslog messages
	  leave the device instead.
	  Saves a write per login and logout on flash-based filesystems.

config DROPBEAR_DIS_WTMPX
	bool
	prompt "disable use of wtmpx"
	help
	  Same as above for wtmpx, the POSIX extended variant of wtmp.

config DROPBEAR_DIS_PUTUTLINE
	bool
	prompt "disable use of pututline"
	help
	  Dropbear normally updates utmp through pututline(3). Disable
	  this only if the target libc lacks the call; dropbear then
	  writes the utmp file directly.

config DROPBEAR_DIS_PUTUTXLINE
	bool
	prompt "disable use of pututxline"
	help
	  As above for pututxline(3), which writes utmpx records.
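Added example, not part of the Dropbear or PTXdist sources: the forensic record that the utmp/wtmp/lastlog switches above turn off. With them enabled, every login dropbear accepts leaves a record that who/w (utmp) and last (wtmp) read: user, tty, remote address and time. The script below decodes wtmp records and rebuilds the session timeline last would show. The record layout is glibc's struct utmp on x86_64 Linux (384 bytes, little-endian); that layout, the type constants and the sample wtmp bytes are all assumptions constructed here, not taken from the page, and other C libraries lay the record out differently.

```python
"""Decode wtmp records and pair logins with logouts, as last(1) does.

Assumed layout: glibc x86_64 struct utmp, 384 bytes, little-endian.
"""
import socket
import struct

# ut_type(h) pad(2) ut_pid(i) ut_line(32s) ut_id(4s) ut_user(32s)
# ut_host(256s) ut_exit(hh) ut_session(i) ut_tv(ii) ut_addr_v6(16s) reserved(20)
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on the assumed layout

BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8
TYPE_NAMES = {BOOT_TIME: "boot", LOGIN_PROCESS: "getty",
              USER_PROCESS: "login", DEAD_PROCESS: "logout"}


def _cstr(raw):
    """NUL-terminated fixed-width C string -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def _addr(raw16):
    """ut_addr_v6 holds an IPv4 address in the first word (network order) or a full IPv6 address."""
    if raw16 == b"\0" * 16:
        return ""
    if raw16[4:] == b"\0" * 12:
        return socket.inet_ntoa(raw16[:4])
    return socket.inet_ntop(socket.AF_INET6, raw16)


def parse_wtmp(data):
    """Decode every record; a truncated file is an error, not silently skipped."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": ut_type, "type_name": TYPE_NAMES.get(ut_type, str(ut_type)),
            "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
            "user": _cstr(user), "host": _cstr(host), "addr": _addr(addr),
            "time": tv_sec,
        })
    return records


def sessions(records):
    """Pair each login with the next logout on the same tty, as last(1) does."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            out.append({"user": start["user"], "from": start["addr"] or start["host"],
                        "line": start["line"], "start": start["time"], "end": r["time"]})
    for start in open_by_line.values():  # no logout record: still logged in, or the box died
        out.append({"user": start["user"], "from": start["addr"] or start["host"],
                    "line": start["line"], "start": start["time"], "end": None})
    return out


def make_record(ut_type, pid, line, ut_id, user, host, addr, when):
    """Encode one record the way a login program would (used here only to build sample data)."""
    raw_addr = socket.inet_aton(addr) + b"\0" * 12 if addr else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, pid, int(when), 0, raw_addr)


# Constructed sample wtmp: a boot, two SSH logins from RFC 5737 test addresses, one logout.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "4.19.0-embedded", None, 1700000000),
    make_record(USER_PROCESS, 412, "pts/0", "ts/0", "root", "192.0.2.10", "192.0.2.10", 1700000100),
    make_record(USER_PROCESS, 450, "pts/1", "ts/1", "svc", "198.51.100.7", "198.51.100.7", 1700000400),
    make_record(DEAD_PROCESS, 412, "pts/0", "ts/0", "", "", None, 1700000700),
])


if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        end = s["end"] if s["end"] is not None else "still logged in"
        print("%-8s %-6s %-14s %d -> %s" % (s["user"], s["line"], s["from"], s["start"], end))
```

Run against a real /var/log/wtmp only on a target whose libc matches the assumed layout; the length check is there because a wtmp written by a mismatched libc, or one truncated by a log rotation, is exactly the file that must not be read silently wrong during an investigation.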
comment "features ---"

config DROPBEAR_DIS_X11
	bool
	prompt "disable X11 Forwarding"
	help
	  X11 forwarding tunnels X11 (graphical interface) traffic over
	  the SSH connection. Disable it on headless targets.

config DROPBEAR_DIS_TCP
	bool
	prompt "disable TCP Forwarding"
	help
	  TCP forwarding tunnels arbitrary TCP ports over the SSH
	  connection. Any authenticated user can then use the device as
	  a pivot into the network it sits on, so disable it unless you
	  need it.

config DROPBEAR_DIS_AGENT
	bool
	prompt "disable Authentication Agent Forwarding"
	help
	  An authentication agent holds a user's private keys so they
	  need not be unlocked for each use; forwarding lets processes on
	  the device sign with the connecting user's keys. Disable it
	  unless the device is trusted to that degree.
comment "Encryption, at least one required --- RFC 4253 requires 3des-cbc and recommends aes128-cbc"

config DROPBEAR_AES128
	bool
	prompt "AES 128"
	default y
	help
	  AES (Rijndael), designed by Joan Daemen and Vincent Rijmen, is
	  the FIPS 197 symmetric block cipher approved for protecting
	  sensitive US government information and the default choice
	  everywhere else. 128-bit block, 128-bit key.

config DROPBEAR_3DES
	bool
	prompt "3DES"
	default y
	help
	  DES was designed at IBM in the 1970s and adopted as FIPS 46 by
	  the US NBS (now NIST) in 1977. Its 56-bit key is far too short
	  today, so Triple DES applies DES three times (encrypt, decrypt,
	  encrypt) with a 168-bit key for about 112 bits of effective
	  strength. The block is still 64 bits, so long sessions approach
	  the birthday bound (Sweet32). Keep it only for clients that
	  cannot do AES.

config DROPBEAR_AES256
	bool
	prompt "AES 256"
	default y
	help
	  AES with a 256-bit key (see AES 128). Slightly slower than
	  AES 128, with a security margin that does not matter for SSH
	  sessions; enable it for clients that prefer it.

config DROPBEAR_BLOWFISH
	bool
	prompt "Blowfish"
	help
	  Blowfish, by Bruce Schneier, is a 16-round Feistel cipher with
	  key-dependent S-boxes and a variable key length of 32 to 448
	  bits. Its 64-bit block shares the birthday-bound problem of
	  3DES, and dropbear provides it in CBC mode only, so it has no
	  effect unless "CBC mode ciphers" is enabled. Legacy only.

config DROPBEAR_TWOFISH128
	bool
	prompt "Twofish128"
	help
	  Twofish, also by Bruce Schneier, was designed as a successor to
	  the 64-bit-block Blowfish: a 16-round Feistel network with a
	  bijective f function built from four key-dependent 8x8-bit
	  S-boxes and a 128-bit block, here with a 128-bit key. Not
	  broken, but rarely offered by clients.

config DROPBEAR_TWOFISH256
	bool
	prompt "Twofish256"
	help
	  Twofish as above with a 256-bit key.

config DROPBEAR_CBC_CIPHERS
	bool
	prompt "CBC mode ciphers"
	help
	  Enable CBC mode for the selected ciphers. It is the most
	  compatible choice for old SSH implementations, but SSH's CBC
	  construction permits recovery of plaintext bits (Albrecht,
	  Paterson and Watson, 2009), and because the client's preference
	  order decides the negotiation, offering it at all lets any
	  client select it. Leave it off unless you must support such
	  clients.

config DROPBEAR_CTR_CIPHERS
	bool
	prompt "Counter mode ciphers"
	default y
	help
	  Enable counter (CTR) mode for the selected ciphers. Not subject
	  to the CBC attack above; adds around 1kB to the binary and is
	  the recommended choice.
comment "Integrity, at least one required --- RFC 4253 requires hmac-sha1 and recommends hmac-sha1-96"

config DROPBEAR_SHA1
	bool
	prompt "sha1"
	help
	  The Secure Hash Algorithm was developed by NIST and specified
	  in the Secure Hash Standard (FIPS 180). SHA-1 is the 1995
	  revision (FIPS 180-1), also described in ANSI X9.30 part 2, and
	  produces a 160-bit (20 byte) digest. Collisions for SHA-1 have
	  been practical since 2017; HMAC-SHA1 is not directly affected,
	  but prefer the SHA-2 MACs and keep this for compatibility only.

config DROPBEAR_SHA1_96
	bool
	prompt "sha1-96"
	help
	  hmac-sha1-96 is HMAC-SHA1 with the tag truncated to 96 bits
	  (RFC 4253). It saves 8 bytes per packet and was once the
	  recommended MAC; there is no reason to prefer it over hmac-sha1
	  or the SHA-2 MACs today.

config DROPBEAR_SHA256
	bool
	prompt "sha256"
	default y
	help
	  SHA-2 is the family of hash functions (SHA-224, SHA-256,
	  SHA-384, SHA-512) designed by the NSA and standardised by NIST
	  in FIPS 180-2 (2002) as the successor to SHA-1. This enables
	  hmac-sha2-256 (RFC 6668), the MAC modern clients prefer.

config DROPBEAR_SHA512
	bool
	prompt "sha512"
	default y
	help
	  hmac-sha2-512 (RFC 6668), the 512-bit member of the SHA-2
	  family described above.

config DROPBEAR_MD5
	bool
	prompt "md5"
	help
	  MD5 was designed by Ronald L. Rivest in 1991 and published as
	  RFC 1321. Its 128-bit (16 byte) digest is computed faster than
	  SHA-1, but collisions have been trivial since 2004. HMAC-MD5
	  is not broken by collisions, yet current clients have dropped
	  it; leave this off unless a legacy peer requires it.
comment "Hostkey/public key algorithms, at least one required --- RFC 4253 requires ssh-dss, recommends ssh-rsa"

config DROPBEAR_RSA
	bool
	prompt "rsa"
	help
	  RSA was published in 1978. Its security rests on the RSA
	  Problem, conjectured (but not proven) to be equivalent to the
	  Integer Factorisation Problem. ssh-rsa is the host key type
	  every client supports and the one to enable. It is selected
	  automatically when the server is installed.

config DROPBEAR_DSS
	bool
	prompt "dss"
	default y
	help
	  DSS is the Digital Signature Standard (FIPS 186); its DSA
	  derives from the ElGamal and Schnorr schemes and produces a
	  fixed-width 40 byte signature regardless of key size, whereas
	  an RSA signature is as long as the modulus. In SSH, ssh-dss is
	  limited to 1024-bit keys with SHA-1 (RFC 4253), which is why
	  OpenSSH has disabled it by default since 7.0 (2015). Keep it
	  only for legacy clients.

config DROPBEAR_ECDSA
	bool
	prompt "ecdsa"
	help
	  Elliptic Curve DSA host keys over the NIST curves
	  (ecdsa-sha2-nistp256/384/521, RFC 5656). Keys and signatures
	  are much smaller than RSA at equal strength; signing is faster
	  than RSA, verification somewhat slower. Each signature needs a
	  fresh, unbiased random nonce: a repeated or biased nonce leaks
	  the private key, so make sure the target has a good entropy
	  source before choosing this.

config DROPBEAR_ECDH
	bool
	prompt "ecdh"
	help
	  Elliptic Curve Diffie-Hellman key exchange over the NIST curves
	  (ecdh-sha2-nistp*, RFC 5656): ephemeral keys give forward
	  secrecy with far less computation than the classic DH groups.

config DROPBEAR_CURVE25519
	bool
	depends on DROPBEAR_ECDSA || DROPBEAR_ECDH
	prompt "curve25519-donna"
	help
	  Enable the curve25519-donna implementation for the
	  curve25519-sha256 key exchange (originally
	  curve25519-sha256@libssh.org). Another elliptic curve method
	  with good security properties; it does not rely on the NIST
	  curves, whose parameter generation was never fully explained,
	  and so avoids the concern of a possible backdoor in nistp-256.
	  It is the exchange current clients prefer.
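Added example, not part of the Dropbear or PTXdist sources: what the cipher, MAC and host-key switches above produce on the wire. RFC 4253 section 7.1 negotiates each algorithm category as the first name on the client's list that the server also offers, so the server's preference order is irrelevant and only the set it still offers matters: any weak algorithm left enabled is selectable by any client that asks for it. The script expands a set of the Kconfig symbols above into the server's name-lists, runs that negotiation against two constructed client preference lists, and flags weak outcomes. The symbol-to-wire-name mapping is an assumption modelled on Dropbear's algorithm tables (check it against the algo.c of the version you build), and the client lists are constructed; key exchange is left out because its rule also depends on host-key compatibility.

```python
"""Negotiate SSH algorithms (RFC 4253 s7.1) for a given set of DROPBEAR_* symbols.

Symbol -> wire-name mapping is an assumption modelled on Dropbear's algo.c.
"""

# Ciphers: base name, with "-ctr"/"-cbc" appended per the mode switches.
CIPHER_BASES = {
    "DROPBEAR_AES128": ["aes128"],
    "DROPBEAR_AES256": ["aes256"],
    "DROPBEAR_3DES": ["3des"],
    "DROPBEAR_TWOFISH128": ["twofish128"],
    "DROPBEAR_TWOFISH256": ["twofish256", "twofish"],
    "DROPBEAR_BLOWFISH": ["blowfish"],  # CBC only in Dropbear (assumption)
}
MAC_NAMES = {
    "DROPBEAR_SHA1": "hmac-sha1",
    "DROPBEAR_SHA1_96": "hmac-sha1-96",
    "DROPBEAR_SHA256": "hmac-sha2-256",
    "DROPBEAR_SHA512": "hmac-sha2-512",
    "DROPBEAR_MD5": "hmac-md5",
}
HOSTKEY_NAMES = {
    "DROPBEAR_RSA": "ssh-rsa",
    "DROPBEAR_DSS": "ssh-dss",
    "DROPBEAR_ECDSA": "ecdsa-sha2-nistp256",
}

# Substring -> reason; the first match is reported.
WEAK = [
    ("-cbc", "CBC mode: plaintext recovery against SSH (Albrecht/Paterson/Watson 2009)"),
    ("3des", "64-bit block, ~112-bit strength; birthday bound reachable in long sessions (Sweet32)"),
    ("blowfish", "64-bit block cipher, same birthday-bound problem as 3DES"),
    ("hmac-md5", "MD5-based MAC, deprecated"),
    ("hmac-sha1-96", "96-bit truncated SHA-1 tag; no reason to prefer over SHA-2 MACs"),
    ("ssh-dss", "1024-bit DSA with SHA-1 only; disabled by default in OpenSSH since 7.0"),
]

# The `default y` symbols of this Kconfig file (DROPBEAR_RSA is selected by
# DROPBEAR_DROPBEAR, which is also default y).
DEFAULT_CFG = frozenset({
    "DROPBEAR_AES128", "DROPBEAR_3DES", "DROPBEAR_AES256", "DROPBEAR_CTR_CIPHERS",
    "DROPBEAR_SHA256", "DROPBEAR_SHA512", "DROPBEAR_RSA", "DROPBEAR_DSS",
})

# Constructed client preference lists: a current client and a legacy one.
MODERN_CLIENT = {
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"],
}
LEGACY_CLIENT = {
    "cipher": ["3des-cbc", "aes128-cbc"],
    "mac": ["hmac-md5", "hmac-sha1"],
    "hostkey": ["ssh-dss", "ssh-rsa"],
}


def server_algorithms(cfg):
    """Expand enabled DROPBEAR_* symbols into the name-lists the server would send."""
    ctr, cbc = "DROPBEAR_CTR_CIPHERS" in cfg, "DROPBEAR_CBC_CIPHERS" in cfg
    ciphers = []
    for sym, bases in CIPHER_BASES.items():
        if sym not in cfg:
            continue
        for base in bases:
            if ctr and base != "blowfish":
                ciphers.append(base + "-ctr")
            if cbc:
                ciphers.append(base + "-cbc")
    return {
        "cipher": ciphers,
        "mac": [n for s, n in MAC_NAMES.items() if s in cfg],
        "hostkey": [n for s, n in HOSTKEY_NAMES.items() if s in cfg],
    }


def negotiate(client_list, server_list):
    """RFC 4253 s7.1: first client preference the server supports; None means disconnect."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None


def weakness(name):
    """Return why `name` is considered weak, or None."""
    if name is None:
        return None
    for needle, reason in WEAK:
        if needle in name:
            return reason
    return None


def audit(cfg, client):
    """Negotiate each category against `client` and list every weak algorithm still on offer."""
    report = {}
    for cat, offered in server_algorithms(cfg).items():
        chosen = negotiate(client[cat], offered)
        report[cat] = {"offered": offered, "chosen": chosen, "chosen_weak": weakness(chosen),
                       "weak_offered": [n for n in offered if weakness(n)]}
    return report


if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULT_CFG), ("defaults + CBC", DEFAULT_CFG | {"DROPBEAR_CBC_CIPHERS"})):
        for cname, client in (("modern client", MODERN_CLIENT), ("legacy client", LEGACY_CLIENT)):
            print("== %s, %s" % (label, cname))
            for cat, r in audit(cfg, client).items():
                flag = "  [WEAK: %s]" % r["chosen_weak"] if r["chosen_weak"] else ""
                print("  %-8s -> %s%s" % (cat, r["chosen"], flag))
                if r["weak_offered"]:
                    print("           still offering: %s" % ", ".join(r["weak_offered"]))
```

With the defaults of this file the legacy client fails closed on the cipher (it only asks for CBC modes), but ssh-dss is still offered and gets chosen as soon as a client lists it first; turning on "CBC mode ciphers" makes the same client land on 3des-cbc even though the server lists aes128-ctr first.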
comment "Authentication types, at least one required --- RFC 4252 requires publickey, password is optional"

config DROPBEAR_PASSWD
	bool
	prompt "password"
	default y
	help
	  Password authentication against the system password database.
	  It exposes the device to online guessing; if you build it in,
	  consider starting dropbear with -s on deployments that use
	  keys, which disables password logins at runtime.

config DROPBEAR_PUBKEY
	bool
	prompt "pubkey"
	default y
	help
	  Public key authentication against ~/.ssh/authorized_keys, the
	  method RFC 4252 requires. Prefer this over passwords.
comment "installation options ---"

config DROPBEAR_DROPBEAR
	bool
	prompt "Install dropbear SSH server"
	default y
	select DROPBEAR_DROPBEAR_KEY
	select DROPBEAR_RSA
	select DROPBEAR_DSS
	select BUSYBOX_START_STOP_DAEMON if BUSYBOX
	help
	  Installs the dropbear server as /usr/sbin/dropbear on the target.
	  Note that this also selects the rsa and dss host key algorithms.

config DROPBEAR_DROPBEAR_KEY
	bool
	prompt "Install dropbearkey"
	help
	  Generates host keys on the target, e.g.
	  dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
	  Select this if host keys are to be generated on first boot
	  rather than provisioned at build time.

config DROPBEAR_DROPBEAR_CONVERT
	bool
	prompt "Install dropbearconvert"
	help
	  Converts private keys between OpenSSH and dropbear formats in
	  either direction (dropbearconvert openssh dropbear in out, or
	  dropbear openssh). Select this if you want it on the target.

config DROPBEAR_SCP
	bool
	depends on !OPENSSH_SCP || ALLYES
	prompt "Install dropbear's scp"
	help
	  Dropbear's implementation of the scp utility.

comment "OpenSSH scp is selected!"
	depends on OPENSSH_SCP

comment "runtime options ---"

config DROPBEAR_STARTSCRIPT
	bool
	default y
	prompt "install /etc/init.d/dropbear"
	help
	  Install the init script that starts dropbear at boot via
	  start-stop-daemon.

endif