msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.400.2025.11.08
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m7s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-09 16:42:30 +01:00
parent ad2456eb66
commit ebf351fa43
8 changed files with 348 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
.pubkey/dropbear-key-2015.asc Normal file
View File

@@ -0,0 +1,41 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL
50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH
clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ
oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay
KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp
KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp
SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1
fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu
8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS
rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd
GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB
tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+
iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST
FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T
eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/
+KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM
5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2
LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT
fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0
APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae
+vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL
qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH
NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V
K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB
CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB
7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3
GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM
xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV
i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ
2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f
gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB
cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo
CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm
BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK
lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv
WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4
Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ
=kT6a
-----END PGP PUBLIC KEY BLOCK-----

57
config/hooks/live/0020_dropbear_build.chroot Normal file
View File

@@ -0,0 +1,57 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
### Declare Arrays, HashMaps, and Variables.
declare var_dropbear_version="2025.88"
declare var_build_dir="/root/build"
declare var_logfile="${var_build_dir}/_build.log"
tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
cp "/root/dropbear/localoptions.h" "${var_build_dir}"
cd "${var_build_dir}"
### Flag Purpose:
# -fPIE : Generate position-independent executable code
# -pie : Link the executable as PIE (so that ASLR works)
# -static : Fully statically linked against musl
# -s : Strip unnecessary symbols directly during linking
# -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
# shellcheck disable=SC2016,SC2312
setsid bash -c '
### Sterile environment for the build-process.
export -n SHELLOPTS
set +u
unset PATH_SEPARATOR
PATH_SEPARATOR=":"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
CC=musl-gcc \
CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
./configure \
--enable-static \
--enable-openpty \
--disable-pam \
--disable-zlib
# shellcheck disable=2312
make -j"$(nproc)"
' >> "${var_logfile}" 2>&1
rm -rf /root/dropbear
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
config/includes.chroot/root/.ciss/alias
View File

@@ -165,7 +165,7 @@ genstring() {
#######################################
scurl() {
if [[ $# -ne 2 ]]; then
printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
printf "%b❌ Error: Usage: scurl <URL> <path/to/file>. %b%b" "${CRED}" "${CRES}" "${NL}" >&2
return 1
fi
declare url="$1"
@@ -177,7 +177,7 @@ scurl() {
-o "${output_path}" \
"${url}"
then
printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
printf "%b❌ Error: Download failed for URL: '%s'. %b%b" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
return 2
fi
return 0
@@ -199,7 +199,7 @@ scurl() {
#######################################
swget() {
if [[ $# -ne 2 ]]; then
printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
printf "%b❌ Error: Usage: swget <URL> <path/to/file>. %b%b" "${CRED}" "${CRES}" "${NL}" >&2
return 1
fi
declare url="$1"
@@ -212,7 +212,7 @@ swget() {
-qO "${output_path}" \
"${url}"
then
printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
printf "%b❌ Error: Download failed for URL: '%s'. %b%b" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
return 2
fi
return 0
@@ -270,7 +270,7 @@ trel() {
#######################################
whichpackage() {
if ! command -v "$1" >/dev/null 2>&1; then
printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
printf '%b❌ Error: Program '%s' not found. %b%b' "${CRED}" "$1" "${CRES}" "${NL}" >&2
exit 1
fi
# shellcheck disable=SC2230,SC2312

118
lib/lib_primordial.sh
View File

@@ -29,46 +29,37 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
init_primordial() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare var_dropbear_version="2025.88"
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
install -m 0400 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
install -m 0400 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
if [[ ! "${VAR_AGE,,}" == "true" ]]; then
if [[ "${VAR_AGE,,}" == "true" ]]; then
if compgen -G "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}"
fi
else
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age"
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age"
install -m 0400 "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age/keys.txt"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 2>/dev/null || rm -f "${VAR_TMP_SECRET}/${VAR_AGE_KEY}"
fi
### Check for SSH CISS and PhysNet primordial-workflow(tm) integration -------------------------------------------------------
if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
if [[ "${VAR_SSHFP,,}" == "true" ]]; then
if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"*
fi
if compgen -G "${VAR_TMP_SECRET}/ssh_host_*" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"*
fi
else
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
normalize_ssh_keys_in_dir "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/id"*
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh"
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh"
install -m 0600 "${VAR_TMP_SECRET}/ssh_host_"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/"
normalize_ssh_keys_in_dir "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/ssh_host_"*
fi
@@ -80,4 +71,77 @@ init_primordial() {
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f init_primordial
#######################################
# Normalize SSH key files: strip CRLF.
# Globals:
# None
# Arguments:
# 1: ssh_host_key or id file
# Returns:
# 0: on success
# 1: on failure
#######################################
normalize_ssh_key_file() {
declare var_key_file="" var_tmp_file=""
var_key_file="$1"
[[ -f "${var_key_file}" ]] || return 0
### If there is any CR (carriage return), strip it.
if grep -q $'\r' "${var_key_file}"; then
### Use a temporary file to avoid in-place corruption-
var_tmp_file="${var_key_file}.noCR.$$"
### Remove only '\r', keep everything else as-is.
tr -d '\r' < "${var_key_file}" > "${var_tmp_file}" || {
echo "ERROR: Failed to normalize CRLF in ${var_key_file}" >&2
rm -f "${var_tmp_file}"
return 1
}
mv "${var_tmp_file}" "${var_key_file}" || {
echo "ERROR: Failed to replace normalized file ${var_key_file}" >&2
rm -f "${var_tmp_file}"
return 1
}
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f normalize_ssh_key_file
#######################################
# Normalize SSH key files in dir.
# Globals:
# None
# Arguments:
# 1: directory
# Returns:
# 0: on success
# 1: on failure
#######################################
normalize_ssh_keys_in_dir() {
declare var_key_dir="" var_key_file=""
var_key_dir="$1"
[[ -d "${var_key_dir}" ]] || return 0
### Cover both root identity keys and host keys.
for var_key_file in "${var_key_dir}"/id_* "${var_key_dir}"/ssh_host_*; do
[[ -e "${var_key_file}" ]] || continue
normalize_ssh_key_file "${var_key_file}" || return 1
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f normalize_ssh_keys_in_dir
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
upgrades/dropbear/SHA512SUM.asc Normal file
View File

@@ -0,0 +1,24 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265 CHANGES
738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d dropbear-2025.87.tar.bz2
af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be dropbear-2025.87.tar.bz2.asc
783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4 dropbear-2025.88.tar.bz2
fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411 dropbear-2025.88.tar.bz2.asc
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc
Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f
hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL
IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL
Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h
HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL
cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W
f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH
HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i
AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS
QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z
4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI=
=/DnI
-----END PGP SIGNATURE-----

BIN
upgrades/dropbear/dropbear-2025.88.tar.bz2 Normal file
View File

Binary file not shown.

16
upgrades/dropbear/dropbear-2025.88.tar.bz2.asc Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc
Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa
W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf
P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8
Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd
SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w
Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4
dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1
Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5
kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS
Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex
93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo=
=uS3y
-----END PGP SIGNATURE-----

114
upgrades/dropbear/localoptions.h Normal file
View File

@@ -0,0 +1,114 @@
/* # SPDX-Version: 3.0 */
/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> */
/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */
/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */
/* # SPDX-FileType: SOURCE */
/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */
/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
/* # SPDX-PackageName: CISS.debian.installer */
/* # SPDX-Security-Contact: security@coresecret.eu */
#ifndef DROPBEAR_LOCALOPTIONS_H_
#define DROPBEAR_LOCALOPTIONS_H_
/* Override default port */
#define DROPBEAR_DEFPORT "42137"
/* disable DH-group14 to remove 2048-bit moduli */
#undef DROPBEAR_DH_GROUP14_SHA256
#define DROPBEAR_DH_GROUP14_SHA256 0
/* Disable small code optimization */
#undef DROPBEAR_SMALL_CODE
#define DROPBEAR_SMALL_CODE 0
/* Cipher changes */
#undef DROPBEAR_AES128
#define DROPBEAR_AES128 0
/* replace default MAC-Liste: nur encrypt-teh-MAC Varianten */
#undef DROPBEAR_MAC_ALGS
#define DROPBEAR_MAC_ALGS \
"hmac-sha2-256-etm@openssh.com", \
"hmac-sha2-512-etm@openssh.com"
/* replace default KEX-Liste: nur Curve25519, DH-group16 und die PQ-Hybriden */
#undef DROPBEAR_KEX_ALGS
#define DROPBEAR_KEX_ALGS \
"curve25519-sha256", \
"diffie-hellman-group16-sha512", \
"sntrup761x25519-sha512", \
"mlkem768x25519-sha256"
/* Message of the day disabled */
#undef DO_MOTD
#define DO_MOTD 0
/* Disable password auth (server and client) */
#undef DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#undef DROPBEAR_CLI_PASSWORD_AUTH
#define DROPBEAR_CLI_PASSWORD_AUTH 0
/* Adjust unauthenticated client and auth try limits */
#undef MAX_UNAUTH_CLIENTS
#define MAX_UNAUTH_CLIENTS 10
#undef MAX_AUTH_TRIES
#define MAX_AUTH_TRIES 6
/* Disable built-in SFTP server */
#undef DROPBEAR_SFTPSERVER
#define DROPBEAR_SFTPSERVER 0
/* Disable NIST ECDSA host keys */
#undef DROPBEAR_ECDSA
#define DROPBEAR_ECDSA 0
/* Disable NIST ECDH key exchange */
#undef DROPBEAR_ECDH
#define DROPBEAR_ECDH 0
/* Enforce AEAD ciphers only: disable CTR, enable GCM */
#undef DROPBEAR_ENABLE_CTR_MODE
#define DROPBEAR_ENABLE_CTR_MODE 0
#undef DROPBEAR_ENABLE_GCM_MODE
#define DROPBEAR_ENABLE_GCM_MODE 1
/* Prevent fallback to encrypt-and-MAC algorithms */
#undef DROPBEAR_USER_ALGO_LIST
#define DROPBEAR_USER_ALGO_LIST 1
/* Disable client proxy commands to prevent arbitrary command execution */
#undef DROPBEAR_CLI_PROXYCMD
#define DROPBEAR_CLI_PROXYCMD 0
/* Disable netcat mode to avoid forwarding misuse */
#undef DROPBEAR_CLI_NETCAT
#define DROPBEAR_CLI_NETCAT 0
/* Disable agent forwarding to avoid credential relay */
#undef DROPBEAR_SVR_AGENTFWD
#define DROPBEAR_SVR_AGENTFWD 0
#undef DROPBEAR_CLI_AGENTFWD
#define DROPBEAR_CLI_AGENTFWD 0
/* Disable TCP forwarding if not required */
#undef DROPBEAR_SVR_REMOTETCPFWD
#define DROPBEAR_SVR_REMOTETCPFWD 0
#undef DROPBEAR_SVR_LOCALSTREAMFWD
#define DROPBEAR_SVR_LOCALSTREAMFWD 0
#undef DROPBEAR_CLI_LOCALTCPFWD
#define DROPBEAR_CLI_LOCALTCPFWD 0
#undef DROPBEAR_CLI_REMOTETCPFWD
#define DROPBEAR_CLI_REMOTETCPFWD 0
/* Enforce sensible defaults for keepalives and idle timeouts */
#undef DEFAULT_KEEPALIVE
#define DEFAULT_KEEPALIVE 60
#undef DEFAULT_IDLE_TIMEOUT
#define DEFAULT_IDLE_TIMEOUT 300
#endif /* DROPBEAR_LOCALOPTIONS_H_ */
/* vim: set filetype=c ts=2 sw=2 sts=2 et ai tw=100 */