blob: 7ffe7684d4a47e10ca8e0ee5bfcbf0d5d11405e7
menu "Configuration"
	depends on PACKAGE_dropbear

config DROPBEAR_CURVE25519
	bool "Curve25519 support"
	default y
	help
	  This enables the following key exchange algorithm:
	    curve25519-sha256@libssh.org

	  Increases binary size by about 4 kB (MIPS).

config DROPBEAR_ECC
	bool "Elliptic curve cryptography (ECC)"
	help
	  Enables basic support for elliptic curve cryptography (ECC)
	  in key exchange and public key authentication.

	  Key exchange algorithms:
	    ecdh-sha2-nistp256

	  Public key algorithms:
	    ecdsa-sha2-nistp256

	  Increases binary size by about 24 kB (MIPS).

	  Note: select DROPBEAR_ECC_FULL if full ECC support is required.

config DROPBEAR_ECC_FULL
	bool "Elliptic curve cryptography (ECC), full support"
	depends on DROPBEAR_ECC
	help
	  Enables full support for elliptic curve cryptography (ECC)
	  in key exchange and public key authentication.

	  Key exchange algorithms:
	    ecdh-sha2-nistp256 (*)
	    ecdh-sha2-nistp384
	    ecdh-sha2-nistp521

	  Public key algorithms:
	    ecdsa-sha2-nistp256 (*)
	    ecdsa-sha2-nistp384
	    ecdsa-sha2-nistp521

	  (*) - basic ECC support; provided by DROPBEAR_ECC.

	  Increases binary size by about 4 kB (MIPS).

config DROPBEAR_ED25519
	bool "Ed25519 support"
	default y if !SMALL_FLASH
	help
	  This enables the following public key algorithm:
	    ssh-ed25519

	  Increases binary size by about 12 kB (MIPS).

config DROPBEAR_CHACHA20POLY1305
	bool "Chacha20-Poly1305 support"
	default y
	help
	  This enables the following authenticated encryption cipher:
	    chacha20-poly1305@openssh.com

	  Increases binary size by about 4 kB (MIPS).

config DROPBEAR_U2F
	bool "U2F/FIDO support"
	default y
	help
	  This option itself doesn't enable any support for U2F/FIDO
	  but subordinate options do:

	  - DROPBEAR_ECDSA_SK - ecdsa-sk keys support
	    depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)")
	  - DROPBEAR_ED25519_SK - ed25519-sk keys support
	    depends on DROPBEAR_ED25519 ("Ed25519 support")

config DROPBEAR_ECDSA_SK
	bool "ECDSA-SK support"
	default y
	depends on DROPBEAR_U2F && DROPBEAR_ECC
	help
	  This enables the following public key algorithm:
	    sk-ecdsa-sha2-nistp256@openssh.com

config DROPBEAR_ED25519_SK
	bool "Ed25519-SK support"
	default y
	depends on DROPBEAR_U2F && DROPBEAR_ED25519
	help
	  This enables the following public key algorithm:
	    sk-ssh-ed25519@openssh.com

config DROPBEAR_ZLIB
	bool "Enable compression"
	help
	  Enables compression using shared zlib library.

	  Increases binary size by about 0.1 kB (MIPS) and requires
	  additional 62 kB (MIPS) for a shared zlib library.

config DROPBEAR_UTMP
	bool "Utmp support"
	depends on BUSYBOX_CONFIG_FEATURE_UTMP
	help
	  This enables dropbear utmp support, the file /var/run/utmp is
	  used to track who is currently logged in.

config DROPBEAR_PUTUTLINE
	bool "Pututline support"
	depends on DROPBEAR_UTMP
	help
	  Dropbear will use pututline() to write the utmp structure into
	  the utmp file.

config DROPBEAR_DBCLIENT
	bool "Build dropbear with dbclient"
	default y

config DROPBEAR_ASKPASS
	bool "Enable askpass helper support"
	depends on DROPBEAR_DBCLIENT
	help
	  This enables support for ssh-askpass helper in dropbear client
	  in order to authenticate on remote hosts.

	  Increases binary size by about 0.1 kB (MIPS).

config DROPBEAR_DBCLIENT_AGENTFORWARD
	bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
	default y
	depends on DROPBEAR_DBCLIENT
	help
	  Increases binary size by about 0.1 kB (MIPS).

	  Security notes:

	  SSH agent forwarding might cause security issues (locally and
	  on the jump machine).

	  However, it's enabled by default for compatibility with
	  previous OpenWrt/dropbear releases.

	  Consider DISABLING this option if you're building your own
	  OpenWrt image.

	  Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
	  server itself).

config DROPBEAR_SCP
	bool "Build dropbear with scp"
	default y

config DROPBEAR_AGENTFORWARD
	bool "Enable agent forwarding [LEGACY/SECURITY]"
	default y
	help
	  Increases binary size by about 0.1 kB (MIPS).

	  Security notes:

	  SSH agent forwarding might cause security issues (locally and
	  on the jump machine).

	  However, it's enabled by default for compatibility with
	  previous OpenWrt/dropbear releases.

	  Consider DISABLING this option if you're building your own
	  OpenWrt image.

	  Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
	  dropbear client) if DROPBEAR_DBCLIENT is selected.

config DROPBEAR_MODERN_ONLY
	bool "Use modern crypto only [BREAKS COMPATIBILITY]"
	select DROPBEAR_ED25519
	select DROPBEAR_CURVE25519
	select DROPBEAR_CHACHA20POLY1305
	help
	  This option enables:
	  - Chacha20-Poly1305
	  - Curve25519
	  - Ed25519
	  and disables:
	  - AES
	  - RSA
	  - SHA1

	  Reduces binary size by about 64 kB (MIPS) from default
	  configuration.

	  Consider enabling this option if you're building your own
	  OpenWrt image and using modern SSH software everywhere.

endmenu
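
Added example, not part of this Config.in or of OpenWrt: a small audit of a .config seed fragment against the defaults, "depends on" and "select" relations in the menu above, reporting which algorithms end up built and which security-relevant options are still on. It assumes the usual Kconfig output lines (CONFIG_<SYMBOL>=y and "# CONFIG_<SYMBOL> is not set"), a target without SMALL_FLASH, and a constructed sample fragment; audit() and the table names are hypothetical.

```python
import re

# Algorithm names per option, copied from the help texts in the menu above.
ALGOS = {
    "DROPBEAR_CURVE25519": ["curve25519-sha256@libssh.org"],
    "DROPBEAR_ECC": ["ecdh-sha2-nistp256", "ecdsa-sha2-nistp256"],
    "DROPBEAR_ECC_FULL": ["ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                          "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"],
    "DROPBEAR_ED25519": ["ssh-ed25519"],
    "DROPBEAR_CHACHA20POLY1305": ["chacha20-poly1305@openssh.com"],
    "DROPBEAR_ECDSA_SK": ["sk-ecdsa-sha2-nistp256@openssh.com"],
    "DROPBEAR_ED25519_SK": ["sk-ssh-ed25519@openssh.com"],
}
# "default y" symbols; DROPBEAR_ED25519 assumes a target without SMALL_FLASH.
DEFAULT_Y = {"DROPBEAR_CURVE25519", "DROPBEAR_ED25519", "DROPBEAR_CHACHA20POLY1305",
             "DROPBEAR_U2F", "DROPBEAR_ECDSA_SK", "DROPBEAR_ED25519_SK", "DROPBEAR_SCP",
             "DROPBEAR_DBCLIENT", "DROPBEAR_DBCLIENT_AGENTFORWARD", "DROPBEAR_AGENTFORWARD"}
# "depends on" relations that affect the results, and the one "select" list.
DEPENDS = {
    "DROPBEAR_ECC_FULL": ["DROPBEAR_ECC"],
    "DROPBEAR_ECDSA_SK": ["DROPBEAR_U2F", "DROPBEAR_ECC"],
    "DROPBEAR_ED25519_SK": ["DROPBEAR_U2F", "DROPBEAR_ED25519"],
    "DROPBEAR_DBCLIENT_AGENTFORWARD": ["DROPBEAR_DBCLIENT"],
}
MODERN_SELECTS = {"DROPBEAR_ED25519", "DROPBEAR_CURVE25519", "DROPBEAR_CHACHA20POLY1305"}

def audit(fragment):
    """Return (sorted algorithm names, findings) for a .config seed fragment."""
    yes = set(re.findall(r"^CONFIG_(DROPBEAR_\w+)=y$", fragment, re.M))
    no = set(re.findall(r"^# CONFIG_(DROPBEAR_\w+) is not set$", fragment, re.M))
    on = yes | (DEFAULT_Y - no)
    if "DROPBEAR_MODERN_ONLY" in on:
        on |= MODERN_SELECTS              # "select" wins over "is not set"
    findings = []
    for sym, deps in DEPENDS.items():
        missing = [d for d in deps if d not in on]
        if sym in on and missing:
            on.discard(sym)               # unmet dependency: symbol is not built
            if sym in yes:
                findings.append(f"{sym}=y is dropped: needs {', '.join(missing)}")
    for sym in ("DROPBEAR_AGENTFORWARD", "DROPBEAR_DBCLIENT_AGENTFORWARD"):
        if sym in on:
            findings.append(f"{sym} is on: agent forwarding is built in")
    if "DROPBEAR_MODERN_ONLY" not in on:
        findings.append("DROPBEAR_MODERN_ONLY is off: AES, RSA and SHA1 are not disabled")
    return sorted(a for s in on for a in ALGOS.get(s, [])), findings

# Constructed seed fragment (not from a real build).
SAMPLE = "CONFIG_DROPBEAR_ECDSA_SK=y\n# CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD is not set\n"
print(audit(SAMPLE))
```

Because both agent-forwarding options default to y, a fragment has to carry the explicit "is not set" line for each of them; omitting the symbol leaves forwarding built in.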