dropbear: adjust configuration
- add new options:
- DROPBEAR_DEFAULT_MAX_DURATION
- DROPBEAR_MAX_PUBKEY_QUERIES
- fix DROPBEAR_MLKEM768 description (fixes commit d8ff2d8cba)
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23217
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
parent
99b681934d
commit
5d5208882a
@ -535,6 +535,28 @@ menu "Resource limits"
|
|||||||
Possible values: 1 to 80 (from src/sysoptions.h)
|
Possible values: 1 to 80 (from src/sysoptions.h)
|
||||||
Default: 10
|
Default: 10
|
||||||
|
|
||||||
|
config DROPBEAR_MAX_PUBKEY_QUERIES
|
||||||
|
int "Max. public key queries per session"
|
||||||
|
range 1 80
|
||||||
|
default 15
|
||||||
|
help
|
||||||
|
Default maximum number of public key queries per session (server option).
|
||||||
|
|
||||||
|
Public key queries aren't a risk for brute forcing authentication,
|
||||||
|
but can be a user enumeration/privacy concern if an attacker
|
||||||
|
attempts to iterate known public keys such as those published by GitHub.
|
||||||
|
|
||||||
|
This limit has a trade-off. Having a smaller limit reduces the number
|
||||||
|
of legitimate public keys that can be presented by a client/ssh agent.
|
||||||
|
|
||||||
|
That is still a risk against a single host,
|
||||||
|
but this limit may deter internet-wide scanning.
|
||||||
|
|
||||||
|
If -T argument or DROPBEAR_MAX_AUTH_TRIES is larger that will be used instead.
|
||||||
|
|
||||||
|
Possible values: 1 to 80 (same as for DROPBEAR_MAX_AUTH_TRIES)
|
||||||
|
Default: 15
|
||||||
|
|
||||||
config DROPBEAR_UNAUTH_CLOSE_DELAY
|
config DROPBEAR_UNAUTH_CLOSE_DELAY
|
||||||
int "Delay closing unauth. connections (seconds)"
|
int "Delay closing unauth. connections (seconds)"
|
||||||
range 0 3600
|
range 0 3600
|
||||||
@ -640,6 +662,21 @@ menu "Resource limits"
|
|||||||
Possible values: 0 to 604800 (7 days)
|
Possible values: 0 to 604800 (7 days)
|
||||||
Default: 0 (disabled).
|
Default: 0 (disabled).
|
||||||
|
|
||||||
|
config DROPBEAR_DEFAULT_MAX_DURATION
|
||||||
|
int "Default max. session duration (seconds)"
|
||||||
|
range 0 604800
|
||||||
|
default 0
|
||||||
|
help
|
||||||
|
If session duration exceeds specified limit, disconnect.
|
||||||
|
Applies to both server and client.
|
||||||
|
|
||||||
|
Note: values below 30 seconds are not recommended.
|
||||||
|
|
||||||
|
This can be changed at run-time with the -M argument.
|
||||||
|
|
||||||
|
Possible values: 0 to 604800 (7 days)
|
||||||
|
Default: 0 (disabled).
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
## </RESOURCE LIMITS>
|
## </RESOURCE LIMITS>
|
||||||
|
|
||||||
@ -984,7 +1021,7 @@ menu "Encryption options"
|
|||||||
|
|
||||||
Post-quantum KEM can avoid harvest-now-decrypt-later style attacks.
|
Post-quantum KEM can avoid harvest-now-decrypt-later style attacks.
|
||||||
|
|
||||||
Default: enabled, except devices with very small flash.
|
Default: disabled.
|
||||||
|
|
||||||
config DROPBEAR_SNTRUP761
|
config DROPBEAR_SNTRUP761
|
||||||
bool "sntrup761 [POST-QUANTUM]"
|
bool "sntrup761 [POST-QUANTUM]"
|
||||||
|
|||||||
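Review bot: The help line that states the DROPBEAR_MLKEM768 default (`Default: enabled, except devices with very small flash.` on one side, `Default: disabled.` on the other; the page's print order suggests old-then-new but does not prove it) describes a `default` stanza that lies outside this hunk, so the page cannot show that text and stanza agree, and the commit message calls this a description fix rather than a default change. Worth confirming against the symbol's actual `default` line, since a reader relies on this text to judge whether the build has harvest-now-decrypt-later protection without opening the Kconfig source. In the first hunk, the new DROPBEAR_MAX_PUBKEY_QUERIES help text has a small wording defect: `If -T argument or DROPBEAR_MAX_AUTH_TRIES is larger that will be used instead.` reads better as `If the -T argument or DROPBEAR_MAX_AUTH_TRIES is larger, that value will be used instead.`, which also makes explicit that the effective per-session limit is the larger of the two settings. The enclosing `menu "Resource limits"` and `menu "Encryption options"` blocks start and end outside these hunks.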
@ -32,7 +32,7 @@ PKG_CONFIG_DEPENDS:= \
|
|||||||
CONFIG_DROPBEAR_DO_HOST_LOOKUP CONFIG_DROPBEAR_SVR_PUBKEY_OPTIONS CONFIG_DROPBEAR_LASTLOG CONFIG_DROPBEAR_LASTLOG_PATH CONFIG_DROPBEAR_WTMP CONFIG_DROPBEAR_WTMP_PATH CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_UTMP_PATH CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_LOGINFUNC \
|
CONFIG_DROPBEAR_DO_HOST_LOOKUP CONFIG_DROPBEAR_SVR_PUBKEY_OPTIONS CONFIG_DROPBEAR_LASTLOG CONFIG_DROPBEAR_LASTLOG_PATH CONFIG_DROPBEAR_WTMP CONFIG_DROPBEAR_WTMP_PATH CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_UTMP_PATH CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_LOGINFUNC \
|
||||||
CONFIG_DROPBEAR_REEXEC CONFIG_DROPBEAR_ZLIB CONFIG_DROPBEAR_DELAY_HOSTKEY CONFIG_DROPBEAR_SVR_AGENTFWD CONFIG_DROPBEAR_SVR_REMOTETCPFWD CONFIG_DROPBEAR_SVR_LOCALTCPFWD CONFIG_DROPBEAR_SVR_LOCALSTREAMFWD CONFIG_DROPBEAR_X11FWD CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_SFTPSERVER \
|
CONFIG_DROPBEAR_REEXEC CONFIG_DROPBEAR_ZLIB CONFIG_DROPBEAR_DELAY_HOSTKEY CONFIG_DROPBEAR_SVR_AGENTFWD CONFIG_DROPBEAR_SVR_REMOTETCPFWD CONFIG_DROPBEAR_SVR_LOCALTCPFWD CONFIG_DROPBEAR_SVR_LOCALSTREAMFWD CONFIG_DROPBEAR_X11FWD CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_SFTPSERVER \
|
||||||
CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_USER_ALGO_LIST CONFIG_DROPBEAR_USE_SSH_CONFIG CONFIG_DROPBEAR_CLI_IMMEDIATE_AUTH CONFIG_DROPBEAR_USE_PASSWORD_ENV CONFIG_DROPBEAR_CLI_ASKPASS_HELPER CONFIG_DROPBEAR_CLI_AGENTFWD CONFIG_DROPBEAR_CLI_LOCALTCPFWD CONFIG_DROPBEAR_CLI_REMOTETCPFWD CONFIG_DROPBEAR_CLI_PROXYCMD CONFIG_DROPBEAR_CLI_NETCAT CONFIG_DROPBEAR_CLI_MULTIHOP \
|
CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_USER_ALGO_LIST CONFIG_DROPBEAR_USE_SSH_CONFIG CONFIG_DROPBEAR_CLI_IMMEDIATE_AUTH CONFIG_DROPBEAR_USE_PASSWORD_ENV CONFIG_DROPBEAR_CLI_ASKPASS_HELPER CONFIG_DROPBEAR_CLI_AGENTFWD CONFIG_DROPBEAR_CLI_LOCALTCPFWD CONFIG_DROPBEAR_CLI_REMOTETCPFWD CONFIG_DROPBEAR_CLI_PROXYCMD CONFIG_DROPBEAR_CLI_NETCAT CONFIG_DROPBEAR_CLI_MULTIHOP \
|
||||||
CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT CONFIG_DROPBEAR_KEX_REKEY_DATA CONFIG_DROPBEAR_AUTH_TIMEOUT CONFIG_DROPBEAR_MAX_AUTH_TRIES CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW CONFIG_DROPBEAR_DEFAULT_KEEPALIVE CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT \
|
CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT CONFIG_DROPBEAR_KEX_REKEY_DATA CONFIG_DROPBEAR_AUTH_TIMEOUT CONFIG_DROPBEAR_MAX_AUTH_TRIES CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW CONFIG_DROPBEAR_DEFAULT_KEEPALIVE CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT CONFIG_DROPBEAR_MAX_PUBKEY_QUERIES CONFIG_DROPBEAR_DEFAULT_MAX_DURATION \
|
||||||
CONFIG_DROPBEAR_3DES CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 CONFIG_DROPBEAR_CHACHA20POLY1305 \
|
CONFIG_DROPBEAR_3DES CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 CONFIG_DROPBEAR_CHACHA20POLY1305 \
|
||||||
CONFIG_DROPBEAR_ENABLE_CTR_MODE CONFIG_DROPBEAR_ENABLE_CBC_MODE CONFIG_DROPBEAR_ENABLE_GCM_MODE \
|
CONFIG_DROPBEAR_ENABLE_CTR_MODE CONFIG_DROPBEAR_ENABLE_CBC_MODE CONFIG_DROPBEAR_ENABLE_GCM_MODE \
|
||||||
CONFIG_DROPBEAR_SHA1_96_HMAC CONFIG_DROPBEAR_SHA1_HMAC CONFIG_DROPBEAR_SHA2_256_HMAC CONFIG_DROPBEAR_SHA2_512_HMAC \
|
CONFIG_DROPBEAR_SHA1_96_HMAC CONFIG_DROPBEAR_SHA1_HMAC CONFIG_DROPBEAR_SHA2_256_HMAC CONFIG_DROPBEAR_SHA2_512_HMAC \
|
||||||
@ -130,10 +130,12 @@ DB_OPT_COMMON = \
|
|||||||
DEFAULT_IDLE_TIMEOUT,$(CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT) \
|
DEFAULT_IDLE_TIMEOUT,$(CONFIG_DROPBEAR_DEFAULT_IDLE_TIMEOUT) \
|
||||||
DEFAULT_KEEPALIVE_LIMIT,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT) \
|
DEFAULT_KEEPALIVE_LIMIT,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE_LIMIT) \
|
||||||
DEFAULT_KEEPALIVE,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE) \
|
DEFAULT_KEEPALIVE,$(CONFIG_DROPBEAR_DEFAULT_KEEPALIVE) \
|
||||||
|
DEFAULT_MAX_DURATION,$(CONFIG_DROPBEAR_DEFAULT_MAX_DURATION) \
|
||||||
DEFAULT_RECV_WINDOW,$(CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW) \
|
DEFAULT_RECV_WINDOW,$(CONFIG_DROPBEAR_DEFAULT_RECV_WINDOW) \
|
||||||
KEX_REKEY_DATA,$(CONFIG_DROPBEAR_KEX_REKEY_DATA) \
|
KEX_REKEY_DATA,$(CONFIG_DROPBEAR_KEX_REKEY_DATA) \
|
||||||
KEX_REKEY_TIMEOUT,$(CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT) \
|
KEX_REKEY_TIMEOUT,$(CONFIG_DROPBEAR_KEX_REKEY_TIMEOUT) \
|
||||||
MAX_AUTH_TRIES,$(CONFIG_DROPBEAR_MAX_AUTH_TRIES) \
|
MAX_AUTH_TRIES,$(CONFIG_DROPBEAR_MAX_AUTH_TRIES) \
|
||||||
|
MAX_PUBKEY_QUERIES,$(CONFIG_DROPBEAR_MAX_PUBKEY_QUERIES) \
|
||||||
MAX_UNAUTH_CLIENTS,$(CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS) \
|
MAX_UNAUTH_CLIENTS,$(CONFIG_DROPBEAR_MAX_UNAUTH_CLIENTS) \
|
||||||
MAX_UNAUTH_PER_IP,$(CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP) \
|
MAX_UNAUTH_PER_IP,$(CONFIG_DROPBEAR_MAX_UNAUTH_PER_IP) \
|
||||||
UNAUTH_CLOSE_DELAY,$(CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY) \
|
UNAUTH_CLOSE_DELAY,$(CONFIG_DROPBEAR_UNAUTH_CLOSE_DELAY) \
|
||||||
|
|||||||
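Review bot: The two new DB_OPT_COMMON entries, `DEFAULT_MAX_DURATION,$(CONFIG_DROPBEAR_DEFAULT_MAX_DURATION)` and `MAX_PUBKEY_QUERIES,$(CONFIG_DROPBEAR_MAX_PUBKEY_QUERIES)`, expand to an empty value whenever the CONFIG_ symbol is absent from the build's .config (for example a .config generated before these symbols existed and not refreshed), and the rule that consumes DB_OPT_COMMON is outside this hunk, so the page cannot show whether an empty value is rejected or silently written into the generated options header. Confirm that consumer fails loudly on a missing value, or that `make oldconfig`-style refresh is guaranteed before the dropbear build, since the Config.in defaults (`default 0` and `default 15`) only take effect once the symbols are materialised in .config. Adding both symbols to PKG_CONFIG_DEPENDS in the first hunk is the right complement, as it forces a reconfigure when either value changes. The `DB_OPT_COMMON = \` definition starts and continues outside the hunk.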