#
#
# patch "options.h"
# from [8e17227f9337236df82ece298e8d7a8431d75c5c]
# to [10960130a5d973ea77ade620de02bc4373ff9ad4]
#
============================================================
--- options.h 8e17227f9337236df82ece298e8d7a8431d75c5c
+++ options.h 10960130a5d973ea77ade620de02bc4373ff9ad4
@@ -96,9 +96,7 @@ etc) slower (perhaps by 50%). Recommende
* if the random number source isn't good. In general this isn't required */
/* #define DSS_PROTOK */
-/* Whether to do reverse DNS lookups. This is advisable, though will add
- * code size with gethostbyname() etc, so for very small environments where
- * you are statically linking, you might want to undefine this */
+/* Whether to do reverse DNS lookups. */
#define DO_HOST_LOOKUP
/* Whether to print the message of the day (MOTD). This doesn't add much code
@@ -110,32 +108,46 @@ etc) slower (perhaps by 50%). Recommende
#define MOTD_FILENAME "/etc/motd"
#endif
-/* Authentication types to enable, at least one required.
+/* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */
-/*#define ENABLE_SVR_PASSWORD_AUTH*/
-/* Only set PAM auth if you aren't using SVR_PASSWORD_AUTH. Also, you'll need
- * to make sure PAM libraries etc are installed. To the client, PAM auth looks
- * just like password auth. */
-#define ENABLE_SVR_PAM_AUTH
+
+/* Note: PAM auth is quite simple, and only works for PAM modules which just do
+ * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
+ * It's useful for systems like OS X where standard password crypts don't work,
+ * but there's an interface via a PAM module - don't bother using it otherwise.
+ * You can't enable both PASSWORD and PAM. */
+
+#define ENABLE_SVR_PASSWORD_AUTH
+/*#define ENABLE_SVR_PAM_AUTH*/
#define ENABLE_SVR_PUBKEY_AUTH
#define ENABLE_CLI_PASSWORD_AUTH
#define ENABLE_CLI_PUBKEY_AUTH
-/* Random device to use - you must specify _one only_.
- * DEV_URANDOM is recommended on hosts with a good /dev/urandom, otherwise use
- * PRNGD and run prngd, specifying the socket. This device must be able to
- * produce a large amount of random data, so using /dev/random or Entropy
- * Gathering Daemon (egd) may result in halting, as it waits for more random
- * data */
-#define DROPBEAR_DEV_URANDOM /* use /dev/urandom */
+/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
+ * specified in the SSH_ASKPASS environment variable, and dbclient
+ * should be run with DISPLAY set and no tty. The program should
+ * return the password on standard output */
+/*#define ENABLE_CLI_ASKPASS_HELPER*/
-/*#undef DROPBEAR_PRNGD */ /* use prngd socket - you must manually set up prngd
- to produce output */
-#ifndef DROPBEAR_PRNGD_SOCKET
-#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
-#endif
+/* Random device to use - define either DROPBEAR_RANDOM_DEV or
+ * DROPBEAR_PRNGD_SOCKET.
+ * DROPBEAR_RANDOM_DEV is recommended on hosts with a good /dev/(u)random,
+ * otherwise use run prngd (or egd if you want), specifying the socket.
+ * The device will be queried for a few dozen bytes of seed a couple of times
+ * per session (or more for very long-lived sessions). */
+/* If you are lacking entropy on the system then using /dev/urandom
+ * will prevent Dropbear from blocking on the device. This could
+ * however significantly reduce the security of your ssh connections
+ * if the PRNG state becomes guessable - make sure you know what you are
+ * doing if you change this. */
+#define DROPBEAR_RANDOM_DEV "/dev/random"
+
+/* prngd must be manually set up to produce output */
+/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
+
/* Specify the number of clients we will allow to be connected but
* not yet authenticated. After this limit, connections are rejected */
#ifndef MAX_UNAUTH_CLIENTS
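Review bot: `#define DROPBEAR_RANDOM_DEV "/dev/random"` is unconditional, so a build that selects prngd from the compiler command line (`-DDROPBEAR_PRNGD_SOCKET=...`) now trips the mutual-exclusion `#error` added further down in this commit instead of working, and the old `#ifndef DROPBEAR_PRNGD_SOCKET` fallback that let the socket path be overridden is gone. Wrapping the default as `#ifndef DROPBEAR_PRNGD_SOCKET` / `#define DROPBEAR_RANDOM_DEV "/dev/random"` / `#endif` keeps the one-of-two rule while allowing the choice without editing the header. Separately, with /dev/random as the default and the comment stating the device is read a couple of times per session, each new connection may block on a starved entropy pool; on the headless embedded hosts this server targets that is an availability problem a remote party can aggravate simply by opening connections, and the comment should say so rather than only warning against /dev/urandom, whose actual weakness is being read before the kernel pool is seeded at early boot, not its non-blocking behaviour. The comment also reads `otherwise use run prngd`; one of the two verbs should go.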
@@ -177,7 +189,7 @@ etc) slower (perhaps by 50%). Recommende
*******************************************************************/
#ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.44rez1"
+#define DROPBEAR_VERSION "0.45"
#endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@@ -207,8 +219,6 @@ etc) slower (perhaps by 50%). Recommende
#define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
#define MAX_BANNER_LINES 20 /* How many lines the client will display */
-#define DEV_URANDOM "/dev/urandom"
-
/* the number of NAME=VALUE pairs to malloc for environ, if we don't have
* the clearenv() function */
#define ENV_SIZE 100
@@ -293,6 +303,8 @@ etc) slower (perhaps by 50%). Recommende
#define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
in a few years time.... */
+#define DROPBEAR_MAX_CLI_PASS 1024
+
#ifndef ENABLE_X11FWD
#define DISABLE_X11FWD
#endif
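Review bot: `#define DROPBEAR_MAX_CLI_PASS 1024` is added without a comment, unlike the neighbouring constants, so a reader cannot tell whether it is a buffer size or an accepted-length limit, or what happens to a longer password. Add something like `/* Maximum password length the client will read (tty or askpass helper); longer input is truncated — see the client auth code */`, after confirming truncate-versus-reject against the code that actually reads the password, since this header does not show it.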
@@ -330,6 +342,14 @@ etc) slower (perhaps by 50%). Recommende
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif
+#if defined(DROPBEAR_RANDOM_DEV) && defined(DROPBEAR_PRNGD_SOCKET)
+#error "You can't turn on DROPBEAR_PRNGD_SOCKET and DROPBEAR_RANDOM_DEV at once"
+#endif
+
+#if !defined(DROPBEAR_RANDOM_DEV) && !defined(DROPBEAR_PRNGD_SOCKET)
+#error "You must choose one of DROPBEAR_PRNGD_SOCKET or DROPBEAR_RANDOM_DEV in options.h"
+#endif
+
/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
* code, if we're just compiling as client or server */
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)