| menu "Configuration" |
| depends on PACKAGE_dropbear |
| |
| config DROPBEAR_CURVE25519 |
| bool "Curve25519 support" |
| default y |
| help |
| This enables the following key exchange algorithm: |
| curve25519-sha256@libssh.org |
| |
| Increases binary size by about 4 kB (MIPS). |
| |
| config DROPBEAR_ECC |
| bool "Elliptic curve cryptography (ECC)" |
| help |
| Enables basic support for elliptic curve cryptography (ECC) |
| in key exchange and public key authentication. |
| |
| Key exchange algorithms: |
| ecdh-sha2-nistp256 |
| |
| Public key algorithms: |
| ecdsa-sha2-nistp256 |
| |
| Increases binary size by about 24 kB (MIPS). |
| |
| Note: select DROPBEAR_ECC_FULL if full ECC support is required. |
| |
| config DROPBEAR_ECC_FULL |
| bool "Elliptic curve cryptography (ECC), full support" |
| depends on DROPBEAR_ECC |
| help |
| Enables full support for elliptic curve cryptography (ECC) |
| in key exchange and public key authentication. |
| |
| Key exchange algorithms: |
| ecdh-sha2-nistp256 (*) |
| ecdh-sha2-nistp384 |
| ecdh-sha2-nistp521 |
| |
| Public key algorithms: |
| ecdsa-sha2-nistp256 (*) |
| ecdsa-sha2-nistp384 |
| ecdsa-sha2-nistp521 |
| |
| (*) - basic ECC support; provided by DROPBEAR_ECC. |
| |
| Increases binary size by about 4 kB (MIPS). |
| |
| config DROPBEAR_ED25519 |
| bool "Ed25519 support" |
| default y if !SMALL_FLASH |
| help |
| This enables the following public key algorithm: |
| ssh-ed25519 |
| |
| Increases binary size by about 12 kB (MIPS). |
| |
| config DROPBEAR_CHACHA20POLY1305 |
| bool "Chacha20-Poly1305 support" |
| default y |
| help |
| This enables the following authenticated encryption cipher: |
| chacha20-poly1305@openssh.com |
| |
| Increases binary size by about 4 kB (MIPS). |
| |
| config DROPBEAR_U2F |
| bool "U2F/FIDO support" |
| default y |
| help |
| This option itself doesn't enable any support for U2F/FIDO |
| but subordinate options do: |
| |
| - DROPBEAR_ECDSA_SK - ecdsa-sk keys support |
| depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)") |
| - DROPBEAR_ED25519_SK - ed25519-sk keys support |
| depends on DROPBEAR_ED25519 ("Ed25519 support") |
| |
| config DROPBEAR_ECDSA_SK |
| bool "ECDSA-SK support" |
| default y |
| depends on DROPBEAR_U2F && DROPBEAR_ECC |
| help |
| This enables the following public key algorithm: |
| sk-ecdsa-sha2-nistp256@openssh.com |
| |
| config DROPBEAR_ED25519_SK |
| bool "Ed25519-SK support" |
| default y |
| depends on DROPBEAR_U2F && DROPBEAR_ED25519 |
| help |
| This enables the following public key algorithm: |
| sk-ssh-ed25519@openssh.com |
| |
| config DROPBEAR_ZLIB |
| bool "Enable compression" |
| help |
| Enables compression using shared zlib library. |
| |
| Increases binary size by about 0.1 kB (MIPS) and requires |
| additional 62 kB (MIPS) for a shared zlib library. |
| |
| config DROPBEAR_UTMP |
| bool "Utmp support" |
| depends on BUSYBOX_CONFIG_FEATURE_UTMP |
| help |
| This enables dropbear utmp support, the file /var/run/utmp is |
| used to track who is currently logged in. |
| |
| config DROPBEAR_PUTUTLINE |
| bool "Pututline support" |
| depends on DROPBEAR_UTMP |
| help |
| Dropbear will use pututline() to write the utmp structure into |
| the utmp file. |
| |
| config DROPBEAR_DBCLIENT |
| bool "Build dropbear with dbclient" |
| default y |
| |
| config DROPBEAR_ASKPASS |
| bool "Enable askpass helper support" |
| depends on DROPBEAR_DBCLIENT |
| help |
| This enables support for ssh-askpass helper in dropbear client |
| in order to authenticate on remote hosts. |
| |
| Increases binary size by about 0.1 kB (MIPS). |
| |
| config DROPBEAR_DBCLIENT_AGENTFORWARD |
| bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]" |
| default y |
| depends on DROPBEAR_DBCLIENT |
| help |
| Increases binary size by about 0.1 kB (MIPS). |
| |
| Security notes: |
| |
| SSH agent forwarding might cause security issues (locally and |
| on the jump machine). |
| |
| Hovewer, it's enabled by default for compatibility with |
| previous OpenWrt/dropbear releases. |
| |
| Consider DISABLING this option if you're building own OpenWrt |
| image. |
| |
| Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear |
| server itself). |
| |
| config DROPBEAR_SCP |
| bool "Build dropbear with scp" |
| default y |
| |
| config DROPBEAR_AGENTFORWARD |
| bool "Enable agent forwarding [LEGACY/SECURITY]" |
| default y |
| help |
| Increases binary size by about 0.1 kB (MIPS). |
| |
| Security notes: |
| |
| SSH agent forwarding might cause security issues (locally and |
| on the jump machine). |
| |
| Hovewer, it's enabled by default for compatibility with |
| previous OpenWrt/dropbear releases. |
| |
| Consider DISABLING this option if you're building own OpenWrt |
| image. |
| |
| Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in |
| dropbear client) if DROPBEAR_DBCLIENT is selected. |
| |
| config DROPBEAR_MODERN_ONLY |
| bool "Use modern crypto only [BREAKS COMPATIBILITY]" |
| select DROPBEAR_ED25519 |
| select DROPBEAR_CURVE25519 |
| select DROPBEAR_CHACHA20POLY1305 |
| help |
| This option enables: |
| - Chacha20-Poly1305 |
| - Curve25519 |
| - Ed25519 |
| and disables: |
| - AES |
| - RSA |
| |
| Reduces binary size by about 64 kB (MIPS) from default |
| configuration. |
| |
| Consider enabling this option if you're building own OpenWrt |
| image and using modern SSH software everywhere. |
| |
| endmenu |