From 0b277f8659806f32d08dad081836523b93eee6b8 Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Tue, 9 Jan 2024 03:40:01 +0300
Subject: [PATCH] dropbear: minor config clarification
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD and DROPBEAR_DBCLIENT_AGENTFORWARD: describe why and where it should be disabled
Signed-off-by: Konstantin Demin
---
package/network/services/dropbear/Config.in | 55 +++++++++++++++------
1 file changed, 41 insertions(+), 14 deletions(-)
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index d4644fc88f..449cc2a421 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -12,7 +12,6 @@ config DROPBEAR_CURVE25519
config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)"
- default n
help
Enables basic support for elliptic curve cryptography (ECC) in key exchange and public key authentication.
@@ -25,11 +24,10 @@ config DROPBEAR_ECC
Increases binary size by about 24 kB (MIPS).
- If full ECC support is required, also select DROPBEAR_ECC_FULL.
+ Note: select DROPBEAR_ECC_FULL if full ECC support is required.
config DROPBEAR_ECC_FULL
bool "Elliptic curve cryptography (ECC), full support"
- default n
depends on DROPBEAR_ECC
help
Enables full support for elliptic curve cryptography (ECC)
@@ -69,36 +67,50 @@ config DROPBEAR_CHACHA20POLY1305
config DROPBEAR_ZLIB
bool "Enable compression"
- default n
help
Enables compression using shared zlib library.
- Increases binary size by about 0.1 kB (MIPS) and requires additional 62 kB (MIPS)
- for a shared zlib library.
+ Increases binary size by about 0.1 kB (MIPS) and requires
+ additional 62 kB (MIPS) for a shared zlib library.
config DROPBEAR_UTMP
bool "Utmp support"
- default n
depends on BUSYBOX_CONFIG_FEATURE_UTMP
help
- This enables dropbear utmp support, the file /var/run/utmp is used to
- track who is currently logged in.
+ This enables dropbear utmp support, the file /var/run/utmp is
+ used to track who is currently logged in.
config DROPBEAR_PUTUTLINE
bool "Pututline support"
- default n
depends on DROPBEAR_UTMP
help
- Dropbear will use pututline() to write the utmp structure into the utmp file.
+ Dropbear will use pututline() to write the utmp structure into
+ the utmp file.
config DROPBEAR_DBCLIENT
bool "Build dropbear with dbclient"
default y
config DROPBEAR_DBCLIENT_AGENTFORWARD
- bool "Enable agent forwarding in dbclient"
+ bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
default y
depends on DROPBEAR_DBCLIENT
+ help
+ Increases binary size by about 0.1 kB (MIPS).
+
+ Security notes:
+
+ SSH agent forwarding might cause security issues (locally and
+ on the jump machine).
+
+ Hovewer, it's enabled by default for compatibility with
+ previous OpenWrt/dropbear releases.
+
+ Consider DISABLING this option if you're building own OpenWrt
+ image.
+
+ Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
+ server itself).
config DROPBEAR_SCP
bool "Build dropbear with scp"
@@ -106,7 +118,6 @@ config DROPBEAR_SCP
config DROPBEAR_ASKPASS
bool "Enable askpass helper support"
- default n
depends on DROPBEAR_DBCLIENT
help
This enables support for ssh-askpass helper in dropbear client
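Review bot: The new help text for DROPBEAR_DBCLIENT_AGENTFORWARD has a typo, `Hovewer` should read `However`, and `building own OpenWrt image` reads better as `building your own OpenWrt image`; the same lines are duplicated in the DROPBEAR_AGENTFORWARD hunk (@@ -115,7 +126,23 @@), so both copies need the fix. The security note itself is too vague for a user to act on: `SSH agent forwarding might cause security issues (locally and on the jump machine).` does not say what is actually exposed. Suggest replacing it with a sentence stating the concrete risk, e.g. `With agent forwarding enabled, anyone with root (or your user's) access on the remote host can use your forwarded agent to authenticate with your keys for the duration of the session; the private keys themselves are not transferred.` The `[LEGACY/SECURITY]` tag in the prompt string is not used by the other options visible in this file, which keep such caveats in the help text, so consider whether the tag is consistent with the rest of the menu.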
@@ -115,7 +126,23 @@ config DROPBEAR_ASKPASS
Increases binary size by about 0.1 kB (MIPS).
config DROPBEAR_AGENTFORWARD
- bool "Enable agent forwarding"
+ bool "Enable agent forwarding [LEGACY/SECURITY]"
default y
+ help
+ Increases binary size by about 0.1 kB (MIPS).
+
+ Security notes:
+
+ SSH agent forwarding might cause security issues (locally and
+ on the jump machine).
+
+ Hovewer, it's enabled by default for compatibility with
+ previous OpenWrt/dropbear releases.
+
+ Consider DISABLING this option if you're building own OpenWrt
+ image.
+
+ Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
+ dropbear client) if DROPBEAR_DBCLIENT is selected.
endmenu
--
2.30.2
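Review bot: The help text added here is copied from the dbclient option and does not say what the option controls on the server side, which is the part a user of this menu needs. If, as the cross-reference `(agent forwarding in dropbear server itself)` implies, this option makes the dropbear server accept agent-forwarding requests from connecting clients, then this device is the "jump machine" of the generic note, and the consequence worth stating is that any root process on this device can use the agent of a client who connected with forwarding enabled, for as long as that session lasts. Suggest replacing `SSH agent forwarding might cause security issues (locally and on the jump machine).` with a sentence that spells out that server-side meaning, e.g. `When enabled, dropbear accepts agent forwarding from connecting clients; a compromised or untrusted device can then use the forwarded agent of any such client.`, and keeping the client-side wording only in DROPBEAR_DBCLIENT_AGENTFORWARD. The menu ends at `endmenu` inside this hunk, so the block is complete here.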