V8.13.400.2025.11.08

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.pubkey/dropbear-key-2015.asc

@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL
+50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH
+clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ
+oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay
+KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp
+KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp
+SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1
+fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu
+8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS
+rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd
+GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB
+tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+
+iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST
+FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T
+eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/
++KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM
+5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2
+LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT
+fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0
+APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae
++vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL
+qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH
+NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V
+K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB
+CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB
+7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3
+GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM
+xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV
+i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ
+2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f
+gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB
+cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo
+CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm
+BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK
+lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv
+WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4
+Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ
+=kT6a
+-----END PGP PUBLIC KEY BLOCK-----

config/hooks/live/0020_dropbear_build.chroot

@@ -0,0 +1,57 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_version="2025.88"
+declare var_build_dir="/root/build"
+declare var_logfile="${var_build_dir}/_build.log"
+tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+cp "/root/dropbear/localoptions.h" "${var_build_dir}"
+cd "${var_build_dir}"
+
+### Flag Purpose:
+#  -fPIE              : Generate position-independent executable code
+#  -pie               : Link the executable as PIE (so that ASLR works)
+#  -static            : Fully statically linked against musl
+#  -s                 : Strip unnecessary symbols directly during linking
+#  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
+
+# shellcheck disable=SC2016,SC2312
+setsid bash -c '
+    ### Sterile environment for the build-process.
+    export -n SHELLOPTS
+    set +u
+    unset PATH_SEPARATOR
+    PATH_SEPARATOR=":"
+    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    CC=musl-gcc \
+      CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
+      LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
+      ./configure \
+      --enable-static \
+      --enable-openpty \
+      --disable-pam \
+      --disable-zlib
+
+    # shellcheck disable=2312
+    make -j"$(nproc)"
+  ' >> "${var_logfile}" 2>&1
+
+  rm -rf /root/dropbear
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/root/.ciss/alias

@@ -165,7 +165,7 @@ genstring() {
 #######################################
 scurl() {
   if [[ $# -ne 2 ]]; then
-    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
+    printf "%b❌ Error: Usage: scurl <URL> <path/to/file>. %b%b" "${CRED}" "${CRES}" "${NL}" >&2
     return 1
   fi
   declare url="$1"
@@ -177,7 +177,7 @@ scurl() {
             -o "${output_path}" \
             "${url}"
   then
-    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
+    printf "%b❌ Error: Download failed for URL: '%s'. %b%b" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
   fi
   return 0
@@ -199,7 +199,7 @@ scurl() {
 #######################################
 swget() {
   if [[ $# -ne 2 ]]; then
-    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
+    printf "%b❌ Error: Usage: swget <URL> <path/to/file>. %b%b" "${CRED}" "${CRES}" "${NL}" >&2
     return 1
   fi
   declare url="$1"
@@ -212,7 +212,7 @@ swget() {
             -qO "${output_path}" \
             "${url}"
   then
-    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
+    printf "%b❌ Error: Download failed for URL: '%s'. %b%b" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
   fi
   return 0
@@ -270,7 +270,7 @@ trel() {
 #######################################
 whichpackage() {
   if ! command -v "$1" >/dev/null 2>&1; then
-    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
+    printf '%b❌ Error: Program '%s' not found. %b%b' "${CRED}" "$1" "${CRES}" "${NL}" >&2
     exit 1
   fi
   # shellcheck disable=SC2230,SC2312

lib/lib_primordial.sh

@@ -29,46 +29,37 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 init_primordial() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 
+  declare     var_dropbear_version="2025.88"
+
+  install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
+  install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
+  install    -m 0400 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
+    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+  install    -m 0400 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
+    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"
+
+
+
   ### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
-  if [[ ! "${VAR_AGE,,}" == "true" ]]; then
+  if [[ "${VAR_AGE,,}" == "true" ]]; then
 
-    if compgen -G "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" > /dev/null; then
+    install -d -m 0700                                 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age"
-
-      shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}"
-
-    fi
-
-  else
-
-    install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age"
     install -m 0400 "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age/keys.txt"
     shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 2>/dev/null || rm -f "${VAR_TMP_SECRET}/${VAR_AGE_KEY}"
 
   fi
 
   ### Check for SSH CISS and PhysNet primordial-workflow(tm) integration -------------------------------------------------------
-  if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
+  if [[ "${VAR_SSHFP,,}" == "true" ]]; then
 
-    if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then
+    install -d -m 0700                      "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
-
-      shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"*
-
-    fi
-
-    if compgen -G "${VAR_TMP_SECRET}/ssh_host_*" > /dev/null; then
-
-      shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"*
-
-    fi
-
-  else
-
-    install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
     install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
+    normalize_ssh_keys_in_dir               "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
     shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/id"*
 
-    install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh"
+    install -d -m 0700                             "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh"
     install -m 0600 "${VAR_TMP_SECRET}/ssh_host_"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/"
+    normalize_ssh_keys_in_dir                      "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/"
     shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/ssh_host_"*
 
   fi
@@ -80,4 +71,77 @@ init_primordial() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f init_primordial
+
+#######################################
+# Normalize SSH key files: strip CRLF.
+# Globals:
+#   None
+# Arguments:
+#   1: ssh_host_key or id file
+# Returns:
+#   0: on success
+#   1: on failure
+#######################################
+normalize_ssh_key_file() {
+  declare var_key_file="" var_tmp_file=""
+  var_key_file="$1"
+
+  [[ -f "${var_key_file}" ]] || return 0
+
+  ### If there is any CR (carriage return), strip it.
+  if grep -q $'\r' "${var_key_file}"; then
+
+    ### Use a temporary file to avoid in-place corruption-
+    var_tmp_file="${var_key_file}.noCR.$$"
+
+    ### Remove only '\r', keep everything else as-is.
+    tr -d '\r' < "${var_key_file}" > "${var_tmp_file}" || {
+      echo "ERROR: Failed to normalize CRLF in ${var_key_file}" >&2
+      rm -f "${var_tmp_file}"
+      return 1
+    }
+
+    mv "${var_tmp_file}" "${var_key_file}" || {
+      echo "ERROR: Failed to replace normalized file ${var_key_file}" >&2
+      rm -f "${var_tmp_file}"
+      return 1
+    }
+  fi
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f normalize_ssh_key_file
+
+#######################################
+# Normalize SSH key files in dir.
+# Globals:
+#   None
+# Arguments:
+#   1: directory
+# Returns:
+#   0: on success
+#   1: on failure
+#######################################
+normalize_ssh_keys_in_dir() {
+  declare var_key_dir="" var_key_file=""
+  var_key_dir="$1"
+
+  [[ -d "${var_key_dir}" ]] || return 0
+
+  ### Cover both root identity keys and host keys.
+  for var_key_file in "${var_key_dir}"/id_* "${var_key_dir}"/ssh_host_*; do
+
+    [[ -e "${var_key_file}" ]] || continue
+
+    normalize_ssh_key_file "${var_key_file}" || return 1
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f normalize_ssh_keys_in_dir
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

upgrades/dropbear/SHA512SUM.asc

@@ -0,0 +1,24 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265  CHANGES
+738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d  dropbear-2025.87.tar.bz2
+af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be  dropbear-2025.87.tar.bz2.asc
+783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4  dropbear-2025.88.tar.bz2
+fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411  dropbear-2025.88.tar.bz2.asc
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc
+Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f
+hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL
+IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL
+Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h
+HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL
+cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W
+f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH
+HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i
+AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS
+QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z
+4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI=
+=/DnI
+-----END PGP SIGNATURE-----

upgrades/dropbear/dropbear-2025.88.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc
+Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa
+W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf
+P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8
+Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd
+SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w
+Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4
+dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1
+Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5
+kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS
+Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex
+93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo=
+=uS3y
+-----END PGP SIGNATURE-----

upgrades/dropbear/localoptions.h

@@ -0,0 +1,114 @@
+/* # SPDX-Version: 3.0 */
+/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> */
+/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */
+/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
+/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */
+/* # SPDX-FileType: SOURCE */
+/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */
+/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
+/* # SPDX-PackageName: CISS.debian.installer */
+/* # SPDX-Security-Contact: security@coresecret.eu */
+
+#ifndef DROPBEAR_LOCALOPTIONS_H_
+#define DROPBEAR_LOCALOPTIONS_H_
+
+/* Override default port */
+#define DROPBEAR_DEFPORT "42137"
+
+/* disable DH-group14 to remove 2048-bit moduli */
+#undef DROPBEAR_DH_GROUP14_SHA256
+#define DROPBEAR_DH_GROUP14_SHA256 0
+
+/* Disable small code optimization */
+#undef DROPBEAR_SMALL_CODE
+#define DROPBEAR_SMALL_CODE 0
+
+/* Cipher changes */
+#undef DROPBEAR_AES128
+#define DROPBEAR_AES128 0
+
+/* replace default MAC-Liste: nur encrypt-teh-MAC Varianten */
+#undef DROPBEAR_MAC_ALGS
+#define DROPBEAR_MAC_ALGS \
+    "hmac-sha2-256-etm@openssh.com", \
+    "hmac-sha2-512-etm@openssh.com"
+
+/* replace default KEX-Liste: nur Curve25519, DH-group16 und die PQ-Hybriden */
+#undef DROPBEAR_KEX_ALGS
+#define DROPBEAR_KEX_ALGS \
+    "curve25519-sha256", \
+    "diffie-hellman-group16-sha512", \
+    "sntrup761x25519-sha512", \
+    "mlkem768x25519-sha256"
+
+/* Message of the day disabled */
+#undef DO_MOTD
+#define DO_MOTD 0
+
+/* Disable password auth (server and client) */
+#undef DROPBEAR_SVR_PASSWORD_AUTH
+#define DROPBEAR_SVR_PASSWORD_AUTH 0
+#undef DROPBEAR_CLI_PASSWORD_AUTH
+#define DROPBEAR_CLI_PASSWORD_AUTH 0
+
+/* Adjust unauthenticated client and auth try limits */
+#undef MAX_UNAUTH_CLIENTS
+#define MAX_UNAUTH_CLIENTS 10
+#undef MAX_AUTH_TRIES
+#define MAX_AUTH_TRIES 6
+
+/* Disable built-in SFTP server */
+#undef DROPBEAR_SFTPSERVER
+#define DROPBEAR_SFTPSERVER 0
+
+/* Disable NIST ECDSA host keys */
+#undef DROPBEAR_ECDSA
+#define DROPBEAR_ECDSA 0
+
+/* Disable NIST ECDH key exchange */
+#undef DROPBEAR_ECDH
+#define DROPBEAR_ECDH 0
+
+/* Enforce AEAD ciphers only: disable CTR, enable GCM */
+#undef DROPBEAR_ENABLE_CTR_MODE
+#define DROPBEAR_ENABLE_CTR_MODE 0
+#undef DROPBEAR_ENABLE_GCM_MODE
+#define DROPBEAR_ENABLE_GCM_MODE 1
+
+/* Prevent fallback to encrypt-and-MAC algorithms */
+#undef DROPBEAR_USER_ALGO_LIST
+#define DROPBEAR_USER_ALGO_LIST 1
+
+/* Disable client proxy commands to prevent arbitrary command execution */
+#undef DROPBEAR_CLI_PROXYCMD
+#define DROPBEAR_CLI_PROXYCMD 0
+
+/* Disable netcat mode to avoid forwarding misuse */
+#undef DROPBEAR_CLI_NETCAT
+#define DROPBEAR_CLI_NETCAT 0
+
+/* Disable agent forwarding to avoid credential relay */
+#undef DROPBEAR_SVR_AGENTFWD
+#define DROPBEAR_SVR_AGENTFWD 0
+#undef DROPBEAR_CLI_AGENTFWD
+#define DROPBEAR_CLI_AGENTFWD 0
+
+/* Disable TCP forwarding if not required */
+#undef DROPBEAR_SVR_REMOTETCPFWD
+#define DROPBEAR_SVR_REMOTETCPFWD 0
+#undef DROPBEAR_SVR_LOCALSTREAMFWD
+#define DROPBEAR_SVR_LOCALSTREAMFWD 0
+#undef DROPBEAR_CLI_LOCALTCPFWD
+#define DROPBEAR_CLI_LOCALTCPFWD 0
+#undef DROPBEAR_CLI_REMOTETCPFWD
+#define DROPBEAR_CLI_REMOTETCPFWD 0
+
+/* Enforce sensible defaults for keepalives and idle timeouts */
+#undef DEFAULT_KEEPALIVE
+#define DEFAULT_KEEPALIVE 60
+#undef DEFAULT_IDLE_TIMEOUT
+#define DEFAULT_IDLE_TIMEOUT 300
+
+#endif /* DROPBEAR_LOCALOPTIONS_H_ */
+
+/* vim: set filetype=c ts=2 sw=2 sts=2 et ai tw=100 */