diff --git a/.pubkey/dropbear-key-2015.asc b/.pubkey/dropbear-key-2015.asc new file mode 100644 index 0000000..2e944e3 --- /dev/null +++ b/.pubkey/dropbear-key-2015.asc 
@@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL +50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH +clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ +oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay +KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp +KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp +SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1 +fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu +8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS +rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd +GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB +tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+ +iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST +FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T +eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/ ++KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM +5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2 +LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT +fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0 +APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae ++vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL +qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH +NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V +K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB +CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB +7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3 +GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM +xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV +i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ 
+2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f +gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB +cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo +CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm +BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK +lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv +WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4 +Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ +=kT6a +-----END PGP PUBLIC KEY BLOCK----- diff --git a/config/hooks/live/0020_dropbear_build.chroot b/config/hooks/live/0020_dropbear_build.chroot new file mode 100644 index 0000000..1461aa8 --- /dev/null +++ b/config/hooks/live/0020_dropbear_build.chroot 
@@ -0,0 +1,57 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_version="2025.88"
+declare var_build_dir="/root/build"
+declare var_logfile="${var_build_dir}/_build.log"
+tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+cp "/root/dropbear/localoptions.h" "${var_build_dir}"
+cd "${var_build_dir}"
+
+### Flag Purpose:
+# -fPIE : Generate position-independent executable code
+# -pie : Link the executable as PIE (so that ASLR works)
+# -static : Fully statically linked against musl
+# -s : Strip unnecessary symbols directly during linking
+# -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
+
+# shellcheck disable=SC2016,SC2312
+setsid bash -c '
+ ### Sterile environment for the build-process.
+ export -n SHELLOPTS + set +u + unset PATH_SEPARATOR + PATH_SEPARATOR=":" + PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + CC=musl-gcc \ + CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \ + LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \ + ./configure \ + --enable-static \ + --enable-openpty \ + --disable-pam \ + --disable-zlib + + # shellcheck disable=2312 + make -j"$(nproc)" + ' >> "${var_logfile}" 2>&1 + + rm -rf /root/dropbear + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/root/.ciss/alias b/config/includes.chroot/root/.ciss/alias index 8ed4cb6..35aa022 100644 --- a/config/includes.chroot/root/.ciss/alias +++ b/config/includes.chroot/root/.ciss/alias @@ -165,7 +165,7 @@ genstring() { ####################################### scurl() { if [[ $# -ne 2 ]]; then - printf "%s❌ Error: Usage: scurl . %s%s" "${CRED}" "${CRES}" "${NL}" >&2 + printf "%b❌ Error: Usage: scurl . %b%b" "${CRED}" "${CRES}" "${NL}" >&2 return 1 fi declare url="$1" @@ -177,7 +177,7 @@ scurl() { -o "${output_path}" \ "${url}" then - printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2 + printf "%b❌ Error: Download failed for URL: '%s'. %b%b" "${CRED}" "${url}" "${CRES}" "${NL}" >&2 return 2 fi return 0 @@ -199,7 +199,7 @@ scurl() { ####################################### swget() { if [[ $# -ne 2 ]]; then - printf "%s❌ Error: Usage: swget . %s%s" "${CRED}" "${CRES}" "${NL}" >&2 + printf "%b❌ Error: Usage: swget . %b%b" "${CRED}" "${CRES}" "${NL}" >&2 return 1 fi declare url="$1" @@ -212,7 +212,7 @@ swget() { -qO "${output_path}" \ "${url}" then - printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2 + printf "%b❌ Error: Download failed for URL: '%s'. %b%b" "${CRED}" "${url}" "${CRES}" "${NL}" >&2 return 2 fi return 0 
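Review bot: The `tar xjf` line near the top of the hook unpacks the Dropbear tarball without any signature or checksum check, although this same commit adds `.pubkey/dropbear-key-2015.asc`, `upgrades/dropbear/dropbear-2025.88.tar.bz2.asc` and `upgrades/dropbear/SHA512SUM.asc`; the `init_primordial` hunk copies only the tarball and `localoptions.h` into the chroot, so neither key nor detached signature is reachable from here. The check belongs in `init_primordial` before the `install` of the tarball, where all three files are available, e.g. `gpg --no-default-keyring --keyring "${tmp_keyring}" --import -- "<repo>/.pubkey/dropbear-key-2015.asc"` followed by `gpg --no-default-keyring --keyring "${tmp_keyring}" --verify -- "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2.asc" "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" || return 1` (the `<repo>` path is a placeholder; `tmp_keyring` would be an `mktemp` file). Independently, the child script under `setsid bash -c '…'` runs `./configure` and `make` with only `set +u`, so a failed configure still proceeds to `make`, and `setsid` without `--wait` may return before the build finishes and does not propagate the child's exit status when the caller is a process-group leader, so a broken build would not stop the hook under `set -e`. Use `setsid --wait bash -c '` and start the child script with `set -e` so the `>> "${var_logfile}"` step fails visibly.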
@@ -270,7 +270,7 @@ trel() { ####################################### whichpackage() { if ! command -v "$1" >/dev/null 2>&1; then - printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2 + printf '%b❌ Error: Program '%s' not found. %b%b' "${CRED}" "$1" "${CRES}" "${NL}" >&2 exit 1 fi # shellcheck disable=SC2230,SC2312 diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh index 611a70b..cf19ff4 100644 --- a/lib/lib_primordial.sh +++ b/lib/lib_primordial.sh 
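Review bot: The new format string in `whichpackage` only works because the `%s` sits outside the single quotes: `'%b❌ Error: Program '%s' not found. %b%b'` is three concatenated shell words, with `%s` unquoted and the embedded apostrophes never reaching printf. The same message is clearer and less fragile as `"%b❌ Error: Program '%s' not found. %b%b"`, which is also how the sibling `scurl`/`swget` messages in the earlier hunks are written. Keeping the caller-supplied `$1` on `%s` rather than `%b` is right, since that argument should not have backslash escapes interpreted. `whichpackage` continues past the end of this hunk.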
@@ -29,46 +29,37 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" init_primordial() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + declare var_dropbear_version="2025.88" + + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build" + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear" + install -m 0400 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \ + "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" + install -m 0400 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \ + "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h" + + + ### Check for SOPS AGE key integration --------------------------------------------------------------------------------------- - if [[ ! "${VAR_AGE,,}" == "true" ]]; then + if [[ "${VAR_AGE,,}" == "true" ]]; then - if compgen -G "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" > /dev/null; then - - shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" - - fi - - else - - install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age" + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age" install -m 0400 "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age/keys.txt" shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 2>/dev/null || rm -f "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" fi ### Check for SSH CISS and PhysNet primordial-workflow(tm) integration ------------------------------------------------------- - if [[ ! 
"${VAR_SSHFP,,}" == "true" ]]; then + if [[ "${VAR_SSHFP,,}" == "true" ]]; then - if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then - - shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* - - fi - - if compgen -G "${VAR_TMP_SECRET}/ssh_host_*" > /dev/null; then - - shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* - - fi - - else - - install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/" + normalize_ssh_keys_in_dir "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/id"* - install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh" + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh" install -m 0600 "${VAR_TMP_SECRET}/ssh_host_"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/" + normalize_ssh_keys_in_dir "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/" shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/ssh_host_"* fi 
@@ -80,4 +71,77 @@ init_primordial() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f init_primordial
+
+#######################################
+# Normalize SSH key files: strip CRLF.
+# Globals:
+# None
+# Arguments:
+# 1: ssh_host_key or id file
+# Returns:
+# 0: on success
+# 1: on failure
+#######################################
+normalize_ssh_key_file() {
+ declare var_key_file="" var_tmp_file=""
+ var_key_file="$1"
+
+ [[ -f "${var_key_file}" ]] || return 0
+
+ ### If there is any CR (carriage return), strip it.
+ if grep -q $'\r' "${var_key_file}"; then
+
+ ### Use a temporary file to avoid in-place corruption-
+ var_tmp_file="${var_key_file}.noCR.$$"
+
+ ### Remove only '\r', keep everything else as-is.
+ tr -d '\r' < "${var_key_file}" > "${var_tmp_file}" || {
+ echo "ERROR: Failed to normalize CRLF in ${var_key_file}" >&2
+ rm -f "${var_tmp_file}"
+ return 1
+ }
+
+ mv "${var_tmp_file}" "${var_key_file}" || {
+ echo "ERROR: Failed to replace normalized file ${var_key_file}" >&2
+ rm -f "${var_tmp_file}"
+ return 1
+ }
+ fi
+
+ return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f normalize_ssh_key_file
+
+#######################################
+# Normalize SSH key files in dir.
+# Globals:
+# None
+# Arguments:
+# 1: directory
+# Returns:
+# 0: on success
+# 1: on failure
+#######################################
+normalize_ssh_keys_in_dir() {
+ declare var_key_dir="" var_key_file=""
+ var_key_dir="$1"
+
+ [[ -d "${var_key_dir}" ]] || return 0
+
+ ### Cover both root identity keys and host keys.
+ for var_key_file in "${var_key_dir}"/id_* "${var_key_dir}"/ssh_host_*; do
+
+ [[ -e "${var_key_file}" ]] || continue
+
+ normalize_ssh_key_file "${var_key_file}" || return 1
+
+ done
+
+ return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f normalize_ssh_keys_in_dir
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
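Review bot: `normalize_ssh_key_file` can loosen the permissions of a private key: `var_tmp_file` is created by plain `>` redirection, so it gets the process umask, and the following `mv` replaces the key that `init_primordial` installed with `-m 0600` by that file, leaving it world-readable under a 022 umask. Copy the mode across before the rename, `chmod --reference="${var_key_file}" -- "${var_tmp_file}"`, or create the temporary file inside a subshell with `umask 077`. Separately, `normalize_ssh_keys_in_dir` globs `id_*` while `init_primordial` installs `id*`, so an identity file without the underscore is copied into the chroot but never normalised; the two patterns should agree. The two error paths also use `echo` where the rest of this library emits diagnostics with `printf … >&2`.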
diff --git a/upgrades/dropbear/SHA512SUM.asc b/upgrades/dropbear/SHA512SUM.asc new file mode 100644 index 0000000..17ccf8a --- /dev/null +++ b/upgrades/dropbear/SHA512SUM.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265 CHANGES +738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d dropbear-2025.87.tar.bz2 +af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be dropbear-2025.87.tar.bz2.asc +783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4 dropbear-2025.88.tar.bz2 +fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411 dropbear-2025.88.tar.bz2.asc +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc +Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f +hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL +IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL +Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h +HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL +cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W +f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH +HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i +AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS +QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z +4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI= +=/DnI +-----END PGP SIGNATURE----- diff --git a/upgrades/dropbear/dropbear-2025.88.tar.bz2 b/upgrades/dropbear/dropbear-2025.88.tar.bz2 new file mode 100644 index 0000000..2668ea1 Binary files /dev/null and b/upgrades/dropbear/dropbear-2025.88.tar.bz2 differ diff --git a/upgrades/dropbear/dropbear-2025.88.tar.bz2.asc b/upgrades/dropbear/dropbear-2025.88.tar.bz2.asc new file mode 100644 index 0000000..f6709a3 --- /dev/null +++ b/upgrades/dropbear/dropbear-2025.88.tar.bz2.asc 
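Review bot: The digests listed in `SHA512SUM.asc` are 64 hex characters each, which is the length of SHA-256, not SHA-512 (128), so the filename misdescribes the content and `sha512sum -c` against it would fail; the `Hash: SHA512` header only names the digest used for the clearsign signature, not the listed sums. Either rename the file to match the algorithm actually used or regenerate it with `sha512sum`. Nothing in this commit reads the file, so as committed it documents the tarball's expected digest without anything enforcing it before the tarball is installed into the chroot.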
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc +Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa +W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf +P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8 +Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd +SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w +Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4 +dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1 +Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5 +kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS +Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex +93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo= +=uS3y +-----END PGP SIGNATURE----- diff --git a/upgrades/dropbear/localoptions.h b/upgrades/dropbear/localoptions.h new file mode 100644 index 0000000..6b6a9a0 --- /dev/null +++ b/upgrades/dropbear/localoptions.h 
@@ -0,0 +1,114 @@ +/* # SPDX-Version: 3.0 */ +/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; */ +/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */ +/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */ +/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; */ +/* # SPDX-FileType: SOURCE */ +/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */ +/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */ +/* # SPDX-PackageName: CISS.debian.installer */ +/* # SPDX-Security-Contact: security@coresecret.eu */ + +#ifndef DROPBEAR_LOCALOPTIONS_H_ +#define DROPBEAR_LOCALOPTIONS_H_ + +/* Override default port */ +#define DROPBEAR_DEFPORT "42137" + +/* disable DH-group14 to remove 2048-bit moduli */ +#undef DROPBEAR_DH_GROUP14_SHA256 +#define DROPBEAR_DH_GROUP14_SHA256 0 + +/* Disable small code optimization */ +#undef DROPBEAR_SMALL_CODE +#define DROPBEAR_SMALL_CODE 0 + +/* Cipher changes */ +#undef DROPBEAR_AES128 +#define DROPBEAR_AES128 0 + +/* replace default MAC-Liste: nur encrypt-teh-MAC Varianten */ +#undef DROPBEAR_MAC_ALGS +#define DROPBEAR_MAC_ALGS \ + "hmac-sha2-256-etm@openssh.com", \ + "hmac-sha2-512-etm@openssh.com" + +/* replace default KEX-Liste: nur Curve25519, DH-group16 und die PQ-Hybriden */ +#undef DROPBEAR_KEX_ALGS +#define DROPBEAR_KEX_ALGS \ + "curve25519-sha256", \ + "diffie-hellman-group16-sha512", \ + "sntrup761x25519-sha512", \ + "mlkem768x25519-sha256" + +/* Message of the day disabled */ +#undef DO_MOTD +#define DO_MOTD 0 + +/* Disable password auth (server and client) */ +#undef DROPBEAR_SVR_PASSWORD_AUTH +#define DROPBEAR_SVR_PASSWORD_AUTH 0 +#undef DROPBEAR_CLI_PASSWORD_AUTH +#define DROPBEAR_CLI_PASSWORD_AUTH 0 + +/* Adjust unauthenticated client and auth try limits */ +#undef MAX_UNAUTH_CLIENTS +#define MAX_UNAUTH_CLIENTS 10 +#undef MAX_AUTH_TRIES +#define MAX_AUTH_TRIES 6 + +/* Disable built-in SFTP server */ 
+#undef DROPBEAR_SFTPSERVER +#define DROPBEAR_SFTPSERVER 0 + +/* Disable NIST ECDSA host keys */ +#undef DROPBEAR_ECDSA +#define DROPBEAR_ECDSA 0 + +/* Disable NIST ECDH key exchange */ +#undef DROPBEAR_ECDH +#define DROPBEAR_ECDH 0 + +/* Enforce AEAD ciphers only: disable CTR, enable GCM */ +#undef DROPBEAR_ENABLE_CTR_MODE +#define DROPBEAR_ENABLE_CTR_MODE 0 +#undef DROPBEAR_ENABLE_GCM_MODE +#define DROPBEAR_ENABLE_GCM_MODE 1 + +/* Prevent fallback to encrypt-and-MAC algorithms */ +#undef DROPBEAR_USER_ALGO_LIST +#define DROPBEAR_USER_ALGO_LIST 1 + +/* Disable client proxy commands to prevent arbitrary command execution */ +#undef DROPBEAR_CLI_PROXYCMD +#define DROPBEAR_CLI_PROXYCMD 0 + +/* Disable netcat mode to avoid forwarding misuse */ +#undef DROPBEAR_CLI_NETCAT +#define DROPBEAR_CLI_NETCAT 0 + +/* Disable agent forwarding to avoid credential relay */ +#undef DROPBEAR_SVR_AGENTFWD +#define DROPBEAR_SVR_AGENTFWD 0 +#undef DROPBEAR_CLI_AGENTFWD +#define DROPBEAR_CLI_AGENTFWD 0 + +/* Disable TCP forwarding if not required */ +#undef DROPBEAR_SVR_REMOTETCPFWD +#define DROPBEAR_SVR_REMOTETCPFWD 0 +#undef DROPBEAR_SVR_LOCALSTREAMFWD +#define DROPBEAR_SVR_LOCALSTREAMFWD 0 +#undef DROPBEAR_CLI_LOCALTCPFWD +#define DROPBEAR_CLI_LOCALTCPFWD 0 +#undef DROPBEAR_CLI_REMOTETCPFWD +#define DROPBEAR_CLI_REMOTETCPFWD 0 + +/* Enforce sensible defaults for keepalives and idle timeouts */ +#undef DEFAULT_KEEPALIVE +#define DEFAULT_KEEPALIVE 60 +#undef DEFAULT_IDLE_TIMEOUT +#define DEFAULT_IDLE_TIMEOUT 300 + +#endif /* DROPBEAR_LOCALOPTIONS_H_ */ + +/* vim: set filetype=c ts=2 sw=2 sts=2 et ai tw=100 */
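Review bot: The comment on `DROPBEAR_USER_ALGO_LIST` does not describe the option: in Dropbear's `default_options.h` it enables the `-c`/`-m` command-line switches that let a user choose cipher and MAC lists at runtime, it does not prevent a fallback to encrypt-and-MAC, so setting it to 1 widens rather than pins the algorithm set; if a fixed list is the goal it should be 0 with a comment saying so. I also do not find `DROPBEAR_MAC_ALGS` or `DROPBEAR_KEX_ALGS` among Dropbear's configurable macros — the lists are built in `common-algo.c` from per-algorithm flags such as `DROPBEAR_DH_GROUP16`, which I believe defaults to 0 — so these two `#define`s may be silently ignored and group16 not offered at all, something the `-Wno-undef` in the build hook's CFLAGS would further hide; please confirm against the 2025.88 headers. The two mixed German/English comments (`MAC-Liste: nur encrypt-teh-MAC Varianten`, `KEX-Liste: nur Curve25519, DH-group16 und die PQ-Hybriden`) should be English like the rest of the file, e.g. `/* Replace the default MAC list: encrypt-then-MAC variants only */` and `/* Replace the default KEX list: Curve25519, DH group16 and the PQ hybrids only */`.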