summaryrefslogtreecommitdiffstats
path: root/rules/dropbear.in
blob: fa6f283f12b511004136d68c200eb4ab6460bce9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
## SECTION=networking
menuconfig DROPBEAR
	tristate
	prompt "dropbear                      "
	select ZLIB
	select LIBC_UTIL
	select LIBC_CRYPT
	select GCCLIBS_GCC_S
	select INITMETHOD
	select RC_ONCE						if RUNTIME
	select BUSYBOX_START_STOP_DAEMON			if DROPBEAR_STARTSCRIPT
	select BUSYBOX_FEATURE_START_STOP_DAEMON_FANCY		if DROPBEAR_STARTSCRIPT
	select BUSYBOX_FEATURE_START_STOP_DAEMON_LONG_OPTIONS	if DROPBEAR_STARTSCRIPT
	help
	  dropbear is a SSH 2 server and client designed
	  to be small enough to be used in small memory
	  environments, while still being functional and
	  secure enough for general use.

	  It implements most required features of the
	  SSH 2 protocol, and other features such as X11
	  and authentication agent forwarding.

	  http://matt.ucc.asn.au/dropbear/dropbear.html

if DROPBEAR

config DROPBEAR_KEY_DIR
	string "dropbear key directory"
	default "/etc/dropbear"
	help
	  This is the directory where dropbear stores the keys.

config DROPBEAR_ZLIB
	bool
	prompt "zlib support"
	help
	  Disable compression in Dropbear by dropping use of
	  zlib.
	  If you disable zlib, you must explicitly disable
	  compression for the client - OpenSSH is possibly
	  buggy in this regard, it seems you need to disable it
	  globally in ~/.ssh/config, not just in the host entry
	  in that file.

config DROPBEAR_DIS_OPENPTY
	bool
	prompt "Don't use openpty, use alternative method"
	help
	  If openpty() is being used (HAVE_OPENPTY defined in config.h) and it fails,
	  you can try compiling with --disable-openpty. You will probably then need
	  to create all the /dev/pty?? and /dev/tty?? devices, which can be
	  problematic for devfs. In general, openpty() is the best way to allocate
	  PTYs, so it's best to try and get it working.

config DROPBEAR_DIS_SYSLOG
	bool
	prompt "Don't include syslog support"
	help
	  Keep dropbear from writing to syslog.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_LASTLOG
	bool
	prompt "disable use of lastlog"
	help
	  Keep dropbear from writing to lastlog.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_UTMP
	bool
	prompt "disable use of utmp"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to utmp.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_UTMPX
	bool
	prompt "disable use of utmpx"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to utmpx.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_WTMP
	bool
	prompt "disable use of wtmp"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to wtmp.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_WTMPX
	bool
	prompt "disable use of wtmpx"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to wtmpx.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_PUTUTLINE
	bool
	prompt "disable use of pututline"
	help
	  pututline is needed to write to the utmp structure.

config DROPBEAR_DIS_PUTUTXLINE
	bool
	prompt "disable use of pututxline"
	help
	  pututxline is needed to write to the utmpx structure.

comment features

config DROPBEAR_DIS_X11
	bool
	prompt "disable X11 Forwarding"
	help
	  X11 forwarding means passing X11 (graphical interface)
	  information over the SSH connection.

config DROPBEAR_DIS_TCP
	bool
	prompt "disable TCP Forwarding"
	help
	  TCP forwarding means the tunneling of TCP ports over
	  the SSH connection.

config DROPBEAR_DIS_AGENT
	bool
	prompt "disable Authentication Agent Forwarding"
	help
	  Authentication agent is a program to automate the
	  use of authentication private keys.

comment "Encryption, at least one required --- RFC Draft requires 3DES and recommends AES128"

config DROPBEAR_AES128
	bool
	prompt "AES 128"
	default y
	help
	  This Advanced Encryption Standard designed by Joan Daemen
	  and Vincent Rijmen, is a FIPS-approved symmetric encryption
	  algorithm that may be used by U.S. Government organizations
	  (and others) to protect sensitive information.

config DROPBEAR_3DES
	bool
	prompt "3DES"
	default y
	help
	  DES is an IBM algorithm designed during the 1970s.
	  In 1976, NIST has officially adopted it as an encryption
	  algorithm for unclassified data. Since then, DES has
	  become one of the widely used block ciphers on the
	  market. As the effective key length of DES is a 56-bit,
	  a triple-DES was created. The new 3DES concept uses
	  three DES rounds to encrypt the DATA 3 times.

config DROPBEAR_AES256
	bool
	prompt "AES 256"
	default y
	help
	  This Advanced Encryption Standard designed by Joan Daemen
	  and Vincent Rijmen, is a FIPS-approved symmetric encryption
	  algorithm that may be used by U.S. Government organizations
	  (and others) to protect sensitive information.


config DROPBEAR_BLOWFISH
	bool
	prompt "Blowfish"
	help
	  Blowfish, by Bruce Schneier, combines a Feistel network,
	  key-dependent S-Boxes, with a non-invertible f function.
	  This block cipher iterates a simple encryption function
	  16 times.
	  Blowfish was designed with a variable key length ranging
	  from 32 bits to 448 bits.

config DROPBEAR_TWOFISH128
	bool
	prompt "Twofish128"
	help
	  Another great algorithm designed by Bruce Schneier.
	  This block cipher was designed as a successor to
	  the 64-bit Blowfish block cipher.
	  Twofish combines a 16-round Feistel network with a
	  bijective f function made by four key-dependent
	  8x8-bit S-boxes.

config DROPBEAR_TWOFISH256
	bool
	prompt "Twofish256"
	help
	  Another great algorithm designed by Bruce Schneier.
	  This block cipher was designed as a successor to
	  the 64-bit Blowfish block cipher.
	  Twofish combines a 16-round Feistel network with a
	  bijective f function made by four key-dependent
	  8x8-bit S-boxes.

config DROPBEAR_CBC_CIPHERS
	bool
	prompt "CBC mode ciphers"
	help
	  Enable CBC mode for ciphers. This has security issues though
	  is the most compatible with older SSH implementations.

config DROPBEAR_CTR_CIPHERS
	bool
	prompt "Counter mode ciphers"
	default y
	help
	  Enable "Counter Mode" for ciphers. This is more secure than normal
	  CBC mode against certain attacks. This adds around 1kB to binary
	  size and is recommended for most cases.

comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"

config DROPBEAR_SHA1
	bool
	prompt "sha1"
	help
	  The Secure Hash Algorithm (SHA) was developed by NIST and
	  is specified in the Secure Hash Standard (SHS, FIPS 180).
	  SHA-1 is a revision to this version and was published in
	  1994. It is also described in the ANSI X9.30 (part 2)
	  standard. SHA-1 produces a 160-bit (20 byte) message digest.
	  Although slower than MD5, this larger digest size makes it
	  stronger against brute force attacks.

config DROPBEAR_SHA1_96
	bool
	prompt "sha1-96"
	help
	  The Secure Hash Algorithm (SHA) was developed by NIST and
	  is specified in the Secure Hash Standard (SHS, FIPS 180).
	  SHA-1 is a revision to this version and was published in
	  1994. It is also described in the ANSI X9.30 (part 2)
	  standard. SHA-1 produces a 160-bit (20 byte) message digest.
	  Although slower than MD5, this larger digest size makes it
	  stronger against brute force attacks.

config DROPBEAR_SHA256
	bool
	prompt "sha256"
	default y
	help
	  SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256,
	  SHA-384, SHA-512) designed by the National Security Agency (NSA)
	  and published in 2001 by the NIST as a U.S. Federal Information
	  Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2
	  includes a significant number of changes from its predecessor,
	  SHA-1. SHA-2 consists of a set of four hash functions with digests
	  that are 224, 256, 384 or 512 bits.

config DROPBEAR_SHA512
	bool
	prompt "sha512"
	default y
	help
	  SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256,
	  SHA-384, SHA-512) designed by the National Security Agency (NSA)
	  and published in 2001 by the NIST as a U.S. Federal Information
	  Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2
	  includes a significant number of changes from its predecessor,
	  SHA-1. SHA-2 consists of a set of four hash functions with digests
	  that are 224, 256, 384 or 512 bits.

config DROPBEAR_MD5
	bool
	prompt "md5"
	help
	  MD5 was developed by Professor Ronald L. Rivest in 1994.
	  Its 128 bit (16 byte) message digest makes it a faster
	  implementation than SHA-1.

comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"

config DROPBEAR_RSA
	bool
	prompt "rsa"
	help
	  RSA was announced in 1978. The security of the RSA system
	  is based upon the RSA Problem (RSAP). This problem is
	  conjectured (but not proven) to be equivalent to the
	  Integer Factorisation Problem (IFP).

config DROPBEAR_DSS
	bool
	prompt "dss"
	default y
	help
	  DSS stands for Digital Signature Standard.
	  DSS employs the ElGamal and Schnorr PK systems to produce
	  a fixed width signature (irrespective of the public/private
	  key size). In contrast, RSA signature length is a function
	  of the key length employed.

config DROPBEAR_ECDSA
	bool
	prompt "ecdsa"
	help
	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
	  ECDSA is significantly faster than RSA or DSS.

config DROPBEAR_ECDH
	bool
	prompt "ecdh"
	help
	  ECDH stands for Elliptic Curve Diffie-Hellman.

config DROPBEAR_CURVE25519
	bool
	depends on DROPBEAR_ECDSA || DROPBEAR_ECDH
	prompt "curve25519-donna"
	help
	  Enable curve25519-donna for key exchange.
	  This is another elliptic curve method with good security properties.
	  This algorithm does not rely on NIST-based curves
	  and gives us more security confidence against a possible
	  backdoor in nistp-256 curve.

comment "Authentication types, at least one required --- RFC Draft requires pubkey auth"

config DROPBEAR_PASSWD
	bool
	prompt "password"
	default y
	help
	  Use password authentication

config DROPBEAR_PUBKEY
	bool
	prompt "pubkey"
	default y
	help
	  Use public key authentication

comment "installation options   ---"

config DROPBEAR_DROPBEAR
	bool
	prompt "Install dropbear SSH server"
	default y
	select DROPBEAR_DROPBEAR_KEY
	select DROPBEAR_RSA
	select DROPBEAR_DSS
	select BUSYBOX_START_STOP_DAEMON if BUSYBOX
	help
	  Installs the dropbar server in /usr/sbin/dropbear on the target

config DROPBEAR_DROPBEAR_KEY
	bool
	prompt "Install dropbearkey"
	help
	  This program is used to generate the host key(s).
	  Select this, if you want this program on your target platform.

config DROPBEAR_DROPBEAR_CONVERT
	bool
	prompt "Install dropbearconvert"
	help
	  With this utility you can convert ssh hostkeys from openssh to dropbear format.
	  Select this, if you want this program on your target platform.

config DROPBEAR_SCP
	bool
	depends on !OPENSSH_SCP || ALLYES
	prompt	"Install dropbear's scp"
	help
	  This is dropbear's implementation of the scp utility.

comment "OpenSSH scp is selected!"
	depends on OPENSSH_SCP

comment "runtime options   ---"

config DROPBEAR_STARTSCRIPT
	bool
	default y
	prompt "install /etc/init.d/dropbear"

endif