a59ca911a042b8e5cd92539087328dc69ea5ea1d
[openwrt/staging/jow.git] / package / network / services / dropbear / Config.in
menu "Configuration"
	depends on PACKAGE_dropbear

config DROPBEAR_CURVE25519
	bool "Curve25519 support"
	default y
	help
	  This enables the following key exchange algorithm:
	    curve25519-sha256@libssh.org

	  Increases binary size by about 4 kB (MIPS).

config DROPBEAR_ECC
	bool "Elliptic curve cryptography (ECC)"
	help
	  Enables basic support for elliptic curve cryptography (ECC)
	  in key exchange and public key authentication.

	  Key exchange algorithms:
	    ecdh-sha2-nistp256

	  Public key algorithms:
	    ecdsa-sha2-nistp256

	  Increases binary size by about 24 kB (MIPS).

	  Note: select DROPBEAR_ECC_FULL if full ECC support is required.

config DROPBEAR_ECC_FULL
	bool "Elliptic curve cryptography (ECC), full support"
	depends on DROPBEAR_ECC
	help
	  Enables full support for elliptic curve cryptography (ECC)
	  in key exchange and public key authentication.

	  Key exchange algorithms:
	    ecdh-sha2-nistp256 (*)
	    ecdh-sha2-nistp384
	    ecdh-sha2-nistp521

	  Public key algorithms:
	    ecdsa-sha2-nistp256 (*)
	    ecdsa-sha2-nistp384
	    ecdsa-sha2-nistp521

	  (*) - basic ECC support; provided by DROPBEAR_ECC.

	  Increases binary size by about 4 kB (MIPS).

config DROPBEAR_ED25519
	bool "Ed25519 support"
	default y if !SMALL_FLASH
	help
	  This enables the following public key algorithm:
	    ssh-ed25519

	  Increases binary size by about 12 kB (MIPS).

config DROPBEAR_CHACHA20POLY1305
	bool "Chacha20-Poly1305 support"
	default y
	help
	  This enables the following authenticated encryption cipher:
	    chacha20-poly1305@openssh.com

	  Increases binary size by about 4 kB (MIPS).

config DROPBEAR_U2F
	bool "U2F/FIDO support"
	default y
	help
	  This option itself doesn't enable any support for U2F/FIDO
	  but subordinate options do:

	    - DROPBEAR_ECDSA_SK - ecdsa-sk keys support
	      depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)")
	    - DROPBEAR_ED25519_SK - ed25519-sk keys support
	      depends on DROPBEAR_ED25519 ("Ed25519 support")

config DROPBEAR_ECDSA_SK
	bool "ECDSA-SK support"
	default y
	depends on DROPBEAR_U2F && DROPBEAR_ECC
	help
	  This enables the following public key algorithm:
	    sk-ecdsa-sha2-nistp256@openssh.com

config DROPBEAR_ED25519_SK
	bool "Ed25519-SK support"
	default y
	depends on DROPBEAR_U2F && DROPBEAR_ED25519
	help
	  This enables the following public key algorithm:
	    sk-ssh-ed25519@openssh.com

config DROPBEAR_ZLIB
	bool "Enable compression"
	help
	  Enables compression using shared zlib library.

	  Increases binary size by about 0.1 kB (MIPS) and requires
	  additional 62 kB (MIPS) for a shared zlib library.

config DROPBEAR_UTMP
	bool "Utmp support"
	depends on BUSYBOX_CONFIG_FEATURE_UTMP
	help
	  This enables dropbear utmp support, the file /var/run/utmp is
	  used to track who is currently logged in.

config DROPBEAR_PUTUTLINE
	bool "Pututline support"
	depends on DROPBEAR_UTMP
	help
	  Dropbear will use pututline() to write the utmp structure into
	  the utmp file.

config DROPBEAR_DBCLIENT
	bool "Build dropbear with dbclient"
	default y

config DROPBEAR_DBCLIENT_AGENTFORWARD
	bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
	default y
	depends on DROPBEAR_DBCLIENT
	help
	  Increases binary size by about 0.1 kB (MIPS).

	  Security notes:

	  SSH agent forwarding might cause security issues (locally and
	  on the jump machine).

	  However, it's enabled by default for compatibility with
	  previous OpenWrt/dropbear releases.

	  Consider DISABLING this option if you're building your own
	  OpenWrt image.

	  Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
	  server itself).

config DROPBEAR_SCP
	bool "Build dropbear with scp"
	default y

config DROPBEAR_ASKPASS
	bool "Enable askpass helper support"
	depends on DROPBEAR_DBCLIENT
	help
	  This enables support for ssh-askpass helper in dropbear client
	  in order to authenticate on remote hosts.

	  Increases binary size by about 0.1 kB (MIPS).

config DROPBEAR_AGENTFORWARD
	bool "Enable agent forwarding [LEGACY/SECURITY]"
	default y
	help
	  Increases binary size by about 0.1 kB (MIPS).

	  Security notes:

	  SSH agent forwarding might cause security issues (locally and
	  on the jump machine).

	  However, it's enabled by default for compatibility with
	  previous OpenWrt/dropbear releases.

	  Consider DISABLING this option if you're building your own
	  OpenWrt image.

	  Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
	  dropbear client) if DROPBEAR_DBCLIENT is selected.

config DROPBEAR_MODERN_ONLY
	bool "Use modern crypto only [BREAKS COMPATIBILITY]"
	select DROPBEAR_ED25519
	select DROPBEAR_CURVE25519
	select DROPBEAR_CHACHA20POLY1305
	help
	  This option enables:
	    - Chacha20-Poly1305
	    - Curve25519
	    - Ed25519
	  and disables:
	    - AES
	    - RSA
	    - SHA1

	  Reduces binary size by about 64 kB (MIPS) from default
	  configuration.

	  Consider enabling this option if you're building your own
	  OpenWrt image and using modern SSH software everywhere.

endmenu
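
Added example, not part of the OpenWrt tree: a small audit of a build .config against the security notes above (both agent-forwarding options and DROPBEAR_MODERN_ONLY). It assumes the symbols appear in .config with Kconfig's usual CONFIG_ prefix; the sample .config at the end is constructed.

```shell
# Added example (not OpenWrt code). Assumes symbols are written to .config
# with the CONFIG_ prefix, e.g. CONFIG_DROPBEAR_AGENTFORWARD=y.

# is_enabled FILE SYMBOL: true when the symbol is set to y.
is_enabled() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# audit_dropbear FILE: print one finding per line, or a single OK line.
audit_dropbear() {
    cfg=$1
    findings=0
    if ! grep -q '^CONFIG_PACKAGE_dropbear=[ym]$' "$cfg"; then
        echo "SKIP: PACKAGE_dropbear is not selected"
        return 0
    fi
    # Server-side agent forwarding defaults to y for compatibility.
    if is_enabled "$cfg" DROPBEAR_AGENTFORWARD; then
        echo "WARN: DROPBEAR_AGENTFORWARD=y (agent forwarding in server)"
        findings=$((findings + 1))
    fi
    # The client-side option only applies when dbclient is built.
    if is_enabled "$cfg" DROPBEAR_DBCLIENT &&
       is_enabled "$cfg" DROPBEAR_DBCLIENT_AGENTFORWARD; then
        echo "WARN: DROPBEAR_DBCLIENT_AGENTFORWARD=y (agent forwarding in dbclient)"
        findings=$((findings + 1))
    fi
    # MODERN_ONLY is what disables AES, RSA and SHA1.
    if ! is_enabled "$cfg" DROPBEAR_MODERN_ONLY; then
        echo "INFO: DROPBEAR_MODERN_ONLY is not set (AES, RSA, SHA1 not disabled)"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: no agent forwarding, modern crypto only"
    fi
    return 0
}

# Constructed sample: the defaults this file gives the audited symbols.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_PACKAGE_dropbear=y
CONFIG_DROPBEAR_DBCLIENT=y
CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD=y
CONFIG_DROPBEAR_AGENTFORWARD=y
# CONFIG_DROPBEAR_MODERN_ONLY is not set
EOF
audit_dropbear "$sample"
rm -f "$sample"
```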