mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-18 10:46:41 +00:00
2cd414c33e
don't mention SHA1 in order to not confuse users - SHA1 support is already disabled (except RSA-SHA1 signatures). ref: https://github.com/openwrt/openwrt/issues/15281 Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
197 lines
4.8 KiB
Plaintext
menu "Configuration"
|
|
depends on PACKAGE_dropbear
|
|
|
|
config DROPBEAR_CURVE25519
|
|
bool "Curve25519 support"
|
|
default y
|
|
help
|
|
This enables the following key exchange algorithm:
|
|
curve25519-sha256@libssh.org
|
|
|
|
Increases binary size by about 4 kB (MIPS).
|
|
|
|
config DROPBEAR_ECC
|
|
bool "Elliptic curve cryptography (ECC)"
|
|
help
|
|
Enables basic support for elliptic curve cryptography (ECC)
|
|
in key exchange and public key authentication.
|
|
|
|
Key exchange algorithms:
|
|
ecdh-sha2-nistp256
|
|
|
|
Public key algorithms:
|
|
ecdsa-sha2-nistp256
|
|
|
|
Increases binary size by about 24 kB (MIPS).
|
|
|
|
Note: select DROPBEAR_ECC_FULL if full ECC support is required.
|
|
|
|
config DROPBEAR_ECC_FULL
|
|
bool "Elliptic curve cryptography (ECC), full support"
|
|
depends on DROPBEAR_ECC
|
|
help
|
|
Enables full support for elliptic curve cryptography (ECC)
|
|
in key exchange and public key authentication.
|
|
|
|
Key exchange algorithms:
|
|
ecdh-sha2-nistp256 (*)
|
|
ecdh-sha2-nistp384
|
|
ecdh-sha2-nistp521
|
|
|
|
Public key algorithms:
|
|
ecdsa-sha2-nistp256 (*)
|
|
ecdsa-sha2-nistp384
|
|
ecdsa-sha2-nistp521
|
|
|
|
(*) - basic ECC support; provided by DROPBEAR_ECC.
|
|
|
|
Increases binary size by about 4 kB (MIPS).
|
|
|
|
config DROPBEAR_ED25519
|
|
bool "Ed25519 support"
|
|
default y if !SMALL_FLASH
|
|
help
|
|
This enables the following public key algorithm:
|
|
ssh-ed25519
|
|
|
|
Increases binary size by about 12 kB (MIPS).
|
|
|
|
config DROPBEAR_CHACHA20POLY1305
|
|
bool "Chacha20-Poly1305 support"
|
|
default y
|
|
help
|
|
This enables the following authenticated encryption cipher:
|
|
chacha20-poly1305@openssh.com
|
|
|
|
Increases binary size by about 4 kB (MIPS).
|
|
|
|
config DROPBEAR_U2F
|
|
bool "U2F/FIDO support"
|
|
default y
|
|
help
|
|
This option itself doesn't enable any support for U2F/FIDO
|
|
but subordinate options do:
|
|
|
|
- DROPBEAR_ECDSA_SK - ecdsa-sk keys support
|
|
depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)")
|
|
- DROPBEAR_ED25519_SK - ed25519-sk keys support
|
|
depends on DROPBEAR_ED25519 ("Ed25519 support")
|
|
|
|
config DROPBEAR_ECDSA_SK
|
|
bool "ECDSA-SK support"
|
|
default y
|
|
depends on DROPBEAR_U2F && DROPBEAR_ECC
|
|
help
|
|
This enables the following public key algorithm:
|
|
sk-ecdsa-sha2-nistp256@openssh.com
|
|
|
|
config DROPBEAR_ED25519_SK
|
|
bool "Ed25519-SK support"
|
|
default y
|
|
depends on DROPBEAR_U2F && DROPBEAR_ED25519
|
|
help
|
|
This enables the following public key algorithm:
|
|
sk-ssh-ed25519@openssh.com
|
|
|
|
config DROPBEAR_ZLIB
|
|
bool "Enable compression"
|
|
help
|
|
Enables compression using shared zlib library.
|
|
|
|
Increases binary size by about 0.1 kB (MIPS) and requires
|
|
additional 62 kB (MIPS) for a shared zlib library.
|
|
|
|
config DROPBEAR_UTMP
|
|
bool "Utmp support"
|
|
depends on BUSYBOX_CONFIG_FEATURE_UTMP
|
|
help
|
|
This enables dropbear utmp support, the file /var/run/utmp is
|
|
used to track who is currently logged in.
|
|
|
|
config DROPBEAR_PUTUTLINE
|
|
bool "Pututline support"
|
|
depends on DROPBEAR_UTMP
|
|
help
|
|
Dropbear will use pututline() to write the utmp structure into
|
|
the utmp file.
|
|
|
|
config DROPBEAR_DBCLIENT
|
|
bool "Build dropbear with dbclient"
|
|
default y
|
|
|
|
config DROPBEAR_ASKPASS
|
|
bool "Enable askpass helper support"
|
|
depends on DROPBEAR_DBCLIENT
|
|
help
|
|
This enables support for ssh-askpass helper in dropbear client
|
|
in order to authenticate on remote hosts.
|
|
|
|
Increases binary size by about 0.1 kB (MIPS).
|
|
|
|
config DROPBEAR_DBCLIENT_AGENTFORWARD
|
|
bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
|
|
default y
|
|
depends on DROPBEAR_DBCLIENT
|
|
help
|
|
Increases binary size by about 0.1 kB (MIPS).
|
|
|
|
Security notes:
|
|
|
|
SSH agent forwarding might cause security issues (locally and
|
|
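on the jump machine). With forwarding active, anyone who can access the agent socket on the intermediate host (for example its root user) can use the agent to authenticate as you for as long as the connection stays open.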
|
|
|
|
However, it's enabled by default for compatibility with
|
|
previous OpenWrt/dropbear releases.
|
|
|
|
Consider DISABLING this option if you're building your own OpenWrt
|
|
image.
|
|
|
|
Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
|
|
server itself).
|
|
|
|
config DROPBEAR_SCP
|
|
bool "Build dropbear with scp"
|
|
default y
|
|
|
|
config DROPBEAR_AGENTFORWARD
|
|
bool "Enable agent forwarding [LEGACY/SECURITY]"
|
|
default y
|
|
help
|
|
Increases binary size by about 0.1 kB (MIPS).
|
|
|
|
Security notes:
|
|
|
|
SSH agent forwarding might cause security issues (locally and
|
|
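on the jump machine). With forwarding active, anyone who can access the agent socket on the intermediate host (for example its root user) can use the agent to authenticate as you for as long as the connection stays open.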
|
|
|
|
However, it's enabled by default for compatibility with
|
|
previous OpenWrt/dropbear releases.
|
|
|
|
Consider DISABLING this option if you're building your own OpenWrt
|
|
image.
|
|
|
|
Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
|
|
dropbear client) if DROPBEAR_DBCLIENT is selected.
|
|
|
|
config DROPBEAR_MODERN_ONLY
|
|
bool "Use modern crypto only [BREAKS COMPATIBILITY]"
|
|
select DROPBEAR_ED25519
|
|
select DROPBEAR_CURVE25519
|
|
select DROPBEAR_CHACHA20POLY1305
|
|
help
|
|
This option enables:
|
|
- Chacha20-Poly1305
|
|
- Curve25519
|
|
- Ed25519
|
|
and disables:
|
|
- AES
|
|
- RSA
|
|
|
|
Reduces binary size by about 64 kB (MIPS) from default
|
|
configuration.
|
|
|
|
Consider enabling this option if you're building your own OpenWrt
|
|
image and using modern SSH software everywhere.
|
|
|
|
endmenu
|