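/* # SPDX-Version: 3.0 */
/* # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; */
/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git */
/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; */
/* # SPDX-FileType: SOURCE */
/* # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 */
/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
/* # SPDX-PackageName: CISS.debian.live.builder */
/* # SPDX-Security-Contact: security@coresecret.eu */

#ifndef DROPBEAR_LOCALOPTIONS_H_
#define DROPBEAR_LOCALOPTIONS_H_

/*
 * Local build-time option overrides for Dropbear.
 *
 * Every option is #undef'd before it is #define'd so that the value given
 * here is the one in effect regardless of an earlier definition.  Comments
 * state only what each line sets; anything about how Dropbear consumes a
 * macro is marked NOTE(review) and should be confirmed against the Dropbear
 * version actually being built.
 */

/* Override default listening port */
#define DROPBEAR_DEFPORT "42137"

/* Disable DH-group14 to remove the 2048-bit moduli */
#undef DROPBEAR_DH_GROUP14_SHA256
#define DROPBEAR_DH_GROUP14_SHA256 0

/* Disable the small-code optimisation */
#undef DROPBEAR_SMALL_CODE
#define DROPBEAR_SMALL_CODE 0

/* Cipher changes: drop AES-128 */
#undef DROPBEAR_AES128
#define DROPBEAR_AES128 0

/*
 * Replace the default MAC list: only encrypt-then-MAC variants.
 *
 * NOTE(review): DROPBEAR_MAC_ALGS and DROPBEAR_KEX_ALGS (below) are not
 * options I recognise from Dropbear's default_options.h; Dropbear assembles
 * its algorithm lists in common-algo.c from per-algorithm switches such as
 * DROPBEAR_SHA2_256_HMAC, DROPBEAR_SHA1_HMAC or DROPBEAR_CURVE25519.  Confirm
 * that these string lists are actually consumed by the build; if they are
 * not, the restriction stated here is not enforced and the default MAC/KEX
 * sets remain in effect.
 */
#undef DROPBEAR_MAC_ALGS
#define DROPBEAR_MAC_ALGS \
  "hmac-sha2-256-etm@openssh.com", \
  "hmac-sha2-512-etm@openssh.com"

/* Replace the default KEX list: only Curve25519, DH-group16 and the PQ hybrids */
#undef DROPBEAR_KEX_ALGS
#define DROPBEAR_KEX_ALGS \
  "curve25519-sha256", \
  "diffie-hellman-group16-sha512", \
  "sntrup761x25519-sha512", \
  "mlkem768x25519-sha256"

/* Message of the day disabled */
#undef DO_MOTD
#define DO_MOTD 0

/* Disable password authentication (server and client); key-based auth only */
#undef DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#undef DROPBEAR_CLI_PASSWORD_AUTH
#define DROPBEAR_CLI_PASSWORD_AUTH 0

/* Limit concurrent unauthenticated clients and per-connection auth attempts */
#undef MAX_UNAUTH_CLIENTS
#define MAX_UNAUTH_CLIENTS 10
#undef MAX_AUTH_TRIES
#define MAX_AUTH_TRIES 6

/* Disable built-in SFTP server */
#undef DROPBEAR_SFTPSERVER
#define DROPBEAR_SFTPSERVER 0

/* Disable NIST ECDSA host keys */
#undef DROPBEAR_ECDSA
#define DROPBEAR_ECDSA 0

/* Disable NIST ECDH key exchange */
#undef DROPBEAR_ECDH
#define DROPBEAR_ECDH 0

/* AEAD ciphers only: disable CTR, enable GCM */
#undef DROPBEAR_ENABLE_CTR_MODE
#define DROPBEAR_ENABLE_CTR_MODE 0
#undef DROPBEAR_ENABLE_GCM_MODE
#define DROPBEAR_ENABLE_GCM_MODE 1

/*
 * Allow the runtime "-c" / "-m" options to choose cipher and MAC algorithms
 * from the compiled-in lists.
 *
 * NOTE(review): the previous comment described this as preventing fallback to
 * encrypt-and-MAC algorithms.  This switch enables user-selected algorithm
 * lists; it does not by itself remove any algorithm from the compiled-in set.
 * Set it to 0 if runtime algorithm selection is not wanted.
 */
#undef DROPBEAR_USER_ALGO_LIST
#define DROPBEAR_USER_ALGO_LIST 1

/* Disable client proxy commands to prevent arbitrary command execution */
#undef DROPBEAR_CLI_PROXYCMD
#define DROPBEAR_CLI_PROXYCMD 0

/* Disable netcat mode to avoid forwarding misuse */
#undef DROPBEAR_CLI_NETCAT
#define DROPBEAR_CLI_NETCAT 0

/* Disable agent forwarding to avoid credential relay */
#undef DROPBEAR_SVR_AGENTFWD
#define DROPBEAR_SVR_AGENTFWD 0
#undef DROPBEAR_CLI_AGENTFWD
#define DROPBEAR_CLI_AGENTFWD 0

/*
 * Disable TCP and stream forwarding, server and client side.
 *
 * DROPBEAR_SVR_LOCALTCPFWD ("-L" style, server accepts direct-tcpip requests)
 * was missing from this list, leaving server-side local forwarding enabled
 * while the comment claimed forwarding was off.  It is now disabled together
 * with the other forwarding switches.
 */
#undef DROPBEAR_SVR_LOCALTCPFWD
#define DROPBEAR_SVR_LOCALTCPFWD 0
#undef DROPBEAR_SVR_REMOTETCPFWD
#define DROPBEAR_SVR_REMOTETCPFWD 0
#undef DROPBEAR_SVR_LOCALSTREAMFWD
#define DROPBEAR_SVR_LOCALSTREAMFWD 0
#undef DROPBEAR_CLI_LOCALTCPFWD
#define DROPBEAR_CLI_LOCALTCPFWD 0
#undef DROPBEAR_CLI_REMOTETCPFWD
#define DROPBEAR_CLI_REMOTETCPFWD 0

/* Keepalive interval and idle timeout, in seconds */
#undef DEFAULT_KEEPALIVE
#define DEFAULT_KEEPALIVE 60
#undef DEFAULT_IDLE_TIMEOUT
#define DEFAULT_IDLE_TIMEOUT 300

#endif /* DROPBEAR_LOCALOPTIONS_H_ */

/* vim: set filetype=c ts=2 sw=2 sts=2 et ai tw=100 */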