authorKonstantin Demin <rockdrilla@gmail.com>2024-01-09 03:40:01 +0300
committerRui Salvaterra <rsalvaterra@gmail.com>2024-02-09 09:13:05 +0000
commit0b277f8659806f32d08dad081836523b93eee6b8 (patch)
treebaf287a608328399a4989705c1749fbb2eec5045 /package/network/services/dropbear
parentfa849fd41150d375017ebe7add34824b62f4cdd4 (diff)
dropbear: minor config clarification
- "default n" is not needed: options are not selected by default - wrap config on 80 characters width (assuming tab is 8 characters long) - add feature cost size and security notes for DROPBEAR_AGENTFORWARD and DROPBEAR_DBCLIENT_AGENTFORWARD: describe why and where it should be disabled Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Diffstat (limited to 'package/network/services/dropbear')
-rw-r--r--package/network/services/dropbear/Config.in55
1 files changed, 41 insertions, 14 deletions
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index d4644fc88f..449cc2a421 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -12,7 +12,6 @@ config DROPBEAR_CURVE25519
config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)"
- default n
help
Enables basic support for elliptic curve cryptography (ECC)
in key exchange and public key authentication.
@@ -25,11 +24,10 @@ config DROPBEAR_ECC
Increases binary size by about 24 kB (MIPS).
- If full ECC support is required, also select DROPBEAR_ECC_FULL.
+ Note: select DROPBEAR_ECC_FULL if full ECC support is required.
config DROPBEAR_ECC_FULL
bool "Elliptic curve cryptography (ECC), full support"
- default n
depends on DROPBEAR_ECC
help
Enables full support for elliptic curve cryptography (ECC)
@@ -69,36 +67,50 @@ config DROPBEAR_CHACHA20POLY1305
config DROPBEAR_ZLIB
bool "Enable compression"
- default n
help
Enables compression using shared zlib library.
- Increases binary size by about 0.1 kB (MIPS) and requires additional 62 kB (MIPS)
- for a shared zlib library.
+ Increases binary size by about 0.1 kB (MIPS) and requires
+ additional 62 kB (MIPS) for a shared zlib library.
config DROPBEAR_UTMP
bool "Utmp support"
- default n
depends on BUSYBOX_CONFIG_FEATURE_UTMP
help
- This enables dropbear utmp support, the file /var/run/utmp is used to
- track who is currently logged in.
+ This enables dropbear utmp support, the file /var/run/utmp is
+ used to track who is currently logged in.
config DROPBEAR_PUTUTLINE
bool "Pututline support"
- default n
depends on DROPBEAR_UTMP
help
- Dropbear will use pututline() to write the utmp structure into the utmp file.
+ Dropbear will use pututline() to write the utmp structure into
+ the utmp file.
config DROPBEAR_DBCLIENT
bool "Build dropbear with dbclient"
default y
config DROPBEAR_DBCLIENT_AGENTFORWARD
- bool "Enable agent forwarding in dbclient"
+ bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
default y
depends on DROPBEAR_DBCLIENT
+ help
+ Increases binary size by about 0.1 kB (MIPS).
+
+ Security notes:
+
+ SSH agent forwarding might cause security issues (locally and
+ on the jump machine).
+
+ Hovewer, it's enabled by default for compatibility with
+ previous OpenWrt/dropbear releases.
+
+ Consider DISABLING this option if you're building own OpenWrt
+ image.
+
+ Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
+ server itself).
config DROPBEAR_SCP
bool "Build dropbear with scp"
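Review bot: The security note added for DROPBEAR_DBCLIENT_AGENTFORWARD says only that forwarding "might cause security issues (locally and on the jump machine)", which leaves a builder unable to judge the exposure. Consider naming the risk, e.g. `While a forwarded session is open, anyone who can reach the agent socket on the remote host (root included) can authenticate with the forwarded keys.` "Hovewer" should read "However". Both points apply equally to the DROPBEAR_AGENTFORWARD help text in the last hunk. Since `default y` is kept on both options, builds that take the defaults still include agent forwarding, so the help text and the "[LEGACY/SECURITY]" tag are the only signal a builder gets.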
@@ -106,7 +118,6 @@ config DROPBEAR_SCP
config DROPBEAR_ASKPASS
bool "Enable askpass helper support"
- default n
depends on DROPBEAR_DBCLIENT
help
This enables support for ssh-askpass helper in dropbear client
@@ -115,7 +126,23 @@ config DROPBEAR_ASKPASS
Increases binary size by about 0.1 kB (MIPS).
config DROPBEAR_AGENTFORWARD
- bool "Enable agent forwarding"
+ bool "Enable agent forwarding [LEGACY/SECURITY]"
default y
+ help
+ Increases binary size by about 0.1 kB (MIPS).
+
+ Security notes:
+
+ SSH agent forwarding might cause security issues (locally and
+ on the jump machine).
+
+ Hovewer, it's enabled by default for compatibility with
+ previous OpenWrt/dropbear releases.
+
+ Consider DISABLING this option if you're building own OpenWrt
+ image.
+
+ Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
+ dropbear client) if DROPBEAR_DBCLIENT is selected.
endmenu