The unified diff between revisions [63ea0f9a..] and [d815305b..] is displayed below. It can also be downloaded as a raw diff.
This diff has been restricted to the following files: 'options.h'
#
#
# patch "options.h"
# from [4bfe6850de1ff24e37f06c6acb7800a72e2ce0b5]
# to [10960130a5d973ea77ade620de02bc4373ff9ad4]
#
============================================================
--- options.h 4bfe6850de1ff24e37f06c6acb7800a72e2ce0b5
+++ options.h 10960130a5d973ea77ade620de02bc4373ff9ad4
@@ -96,9 +96,7 @@ etc) slower (perhaps by 50%). Recommende
* if the random number source isn't good. In general this isn't required */
/* #define DSS_PROTOK */
-/* Whether to do reverse DNS lookups. This is advisable, though will add
- * code size with gethostbyname() etc, so for very small environments where
- * you are statically linking, you might want to undefine this */
+/* Whether to do reverse DNS lookups. */
#define DO_HOST_LOOKUP
/* Whether to print the message of the day (MOTD). This doesn't add much code
@@ -113,13 +111,11 @@ etc) slower (perhaps by 50%). Recommende
/* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */
-/* PAM auth is quite simple, and only works for PAM modules which just do a
- * simple "Login: " "Password: " (or something like that - if your module is
- * similar but not quite like that, edit the strings in svr-authpam.c).
- * Basically, it's useful for systems like OS X where standard password crypts
- * don't work, but there's and interface via a PAM module. You'll need to
- * configure with --enable-pam as well, since it's off by default. And you
- * should only enable either PASSWORD _or_ PAM auth, not both. */
+/* Note: PAM auth is quite simple, and only works for PAM modules which just do
+ * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
+ * It's useful for systems like OS X where standard password crypts don't work,
+ * but there's an interface via a PAM module - don't bother using it otherwise.
+ * You can't enable both PASSWORD and PAM. */
#define ENABLE_SVR_PASSWORD_AUTH
/*#define ENABLE_SVR_PAM_AUTH*/
@@ -128,20 +124,30 @@ etc) slower (perhaps by 50%). Recommende
#define ENABLE_CLI_PASSWORD_AUTH
#define ENABLE_CLI_PUBKEY_AUTH
-/* Random device to use - you must specify _one only_.
- * DEV_URANDOM is recommended on hosts with a good /dev/urandom, otherwise use
- * PRNGD and run prngd, specifying the socket. This device must be able to
- * produce a large amount of random data, so using /dev/random or Entropy
- * Gathering Daemon (egd) may result in halting, as it waits for more random
- * data */
-#define DROPBEAR_DEV_URANDOM /* use /dev/urandom */
+/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
+ * specified in the SSH_ASKPASS environment variable, and dbclient
+ * should be run with DISPLAY set and no tty. The program should
+ * return the password on standard output */
+/*#define ENABLE_CLI_ASKPASS_HELPER*/
-/*#undef DROPBEAR_PRNGD */ /* use prngd socket - you must manually set up prngd
- to produce output */
-#ifndef DROPBEAR_PRNGD_SOCKET
-#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
-#endif
+/* Random device to use - define either DROPBEAR_RANDOM_DEV or
+ * DROPBEAR_PRNGD_SOCKET.
+ * DROPBEAR_RANDOM_DEV is recommended on hosts with a good /dev/(u)random,
+ * otherwise use run prngd (or egd if you want), specifying the socket.
+ * The device will be queried for a few dozen bytes of seed a couple of times
+ * per session (or more for very long-lived sessions). */
+/* If you are lacking entropy on the system then using /dev/urandom
+ * will prevent Dropbear from blocking on the device. This could
+ * however significantly reduce the security of your ssh connections
+ * if the PRNG state becomes guessable - make sure you know what you are
+ * doing if you change this. */
+#define DROPBEAR_RANDOM_DEV "/dev/random"
+
+/* prngd must be manually set up to produce output */
+/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
+
/* Specify the number of clients we will allow to be connected but
* not yet authenticated. After this limit, connections are rejected */
#ifndef MAX_UNAUTH_CLIENTS
@@ -183,7 +189,7 @@ etc) slower (perhaps by 50%). Recommende
*******************************************************************/
#ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.44test4"
+#define DROPBEAR_VERSION "0.45"
#endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@@ -213,8 +219,6 @@ etc) slower (perhaps by 50%). Recommende
#define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
#define MAX_BANNER_LINES 20 /* How many lines the client will display */
-#define DEV_URANDOM "/dev/urandom"
-
/* the number of NAME=VALUE pairs to malloc for environ, if we don't have
* the clearenv() function */
#define ENV_SIZE 100
@@ -299,6 +303,8 @@ etc) slower (perhaps by 50%). Recommende
#define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
in a few years time.... */
+#define DROPBEAR_MAX_CLI_PASS 1024
+
#ifndef ENABLE_X11FWD
#define DISABLE_X11FWD
#endif
@@ -336,6 +342,14 @@ etc) slower (perhaps by 50%). Recommende
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif
+#if defined(DROPBEAR_RANDOM_DEV) && defined(DROPBEAR_PRNGD_SOCKET)
+#error "You can't turn on DROPBEAR_PRNGD_SOCKET and DROPBEAR_RANDOM_DEV at once"
+#endif
+
+#if !defined(DROPBEAR_RANDOM_DEV) && !defined(DROPBEAR_PRNGD_SOCKET)
+#error "You must choose one of DROPBEAR_PRNGD_SOCKET or DROPBEAR_RANDOM_DEV in options.h"
+#endif
+
/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
* code, if we're just compiling as client or server */
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)