CISS.debian.live.builder/upgrades/dropbear/localoptions.h
Marc S. Weidner ebf351fa43
V8.13.400.2025.11.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-09 16:42:30 +01:00


/* # SPDX-Version: 3.0 */
/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> */
/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */
/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */
/* # SPDX-FileType: SOURCE */
/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */
/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
/* # SPDX-PackageName: CISS.debian.installer */
/* # SPDX-Security-Contact: security@coresecret.eu */
#ifndef DROPBEAR_LOCALOPTIONS_H_
#define DROPBEAR_LOCALOPTIONS_H_
/*
 * Local build-time overrides for Dropbear. Every option below is first
 * undefined and then defined, so the value given here wins regardless of
 * include order.
 * NOTE(review): upstream's options.h normally includes localoptions.h before
 * default_options.h, which only defines each option under #ifndef, so the
 * #undef lines are presumably redundant but harmless -- confirm against the
 * Dropbear version actually built.
 */
/* Override default port */
#define DROPBEAR_DEFPORT "42137"
/* Disable DH group14 to remove the 2048-bit modulus; group16 (below) remains */
#undef DROPBEAR_DH_GROUP14_SHA256
#define DROPBEAR_DH_GROUP14_SHA256 0
/* Disable small code optimization */
#undef DROPBEAR_SMALL_CODE
#define DROPBEAR_SMALL_CODE 0
/* Cipher changes: drop AES-128 from the cipher set */
#undef DROPBEAR_AES128
#define DROPBEAR_AES128 0
/* Replace the default MAC list: only encrypt-then-MAC variants.
 * NOTE(review): I cannot place DROPBEAR_MAC_ALGS in upstream default_options.h.
 * If Dropbear builds its MAC list from the per-algorithm switches (e.g.
 * DROPBEAR_SHA1_HMAC) instead, this define is silently ignored and SHA-1 HMAC
 * stays negotiable -- verify, and pin the per-algorithm switches if so. Also
 * confirm the -etm@openssh.com variants are implemented by the built version. */
#undef DROPBEAR_MAC_ALGS
#define DROPBEAR_MAC_ALGS \
"hmac-sha2-256-etm@openssh.com", \
"hmac-sha2-512-etm@openssh.com"
/* Replace the default KEX list: only Curve25519, DH group16 and the PQ hybrids.
 * NOTE(review): same caveat as DROPBEAR_MAC_ALGS -- upstream appears to select
 * KEX methods through switches such as DROPBEAR_CURVE25519, DROPBEAR_DH_GROUP16
 * and DROPBEAR_SNTRUP761; verify this list has any effect, and that the
 * mlkem768 hybrid exists in the built version. */
#undef DROPBEAR_KEX_ALGS
#define DROPBEAR_KEX_ALGS \
"curve25519-sha256", \
"diffie-hellman-group16-sha512", \
"sntrup761x25519-sha512", \
"mlkem768x25519-sha256"
/* Message of the day disabled */
#undef DO_MOTD
#define DO_MOTD 0
/* Disable password auth (server and client) */
#undef DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#undef DROPBEAR_CLI_PASSWORD_AUTH
#define DROPBEAR_CLI_PASSWORD_AUTH 0
/* Adjust unauthenticated client and auth try limits */
#undef MAX_UNAUTH_CLIENTS
#define MAX_UNAUTH_CLIENTS 10
#undef MAX_AUTH_TRIES
#define MAX_AUTH_TRIES 6
/* Disable built-in SFTP server */
#undef DROPBEAR_SFTPSERVER
#define DROPBEAR_SFTPSERVER 0
/* Disable NIST ECDSA host keys */
#undef DROPBEAR_ECDSA
#define DROPBEAR_ECDSA 0
/* Disable NIST ECDH key exchange */
#undef DROPBEAR_ECDH
#define DROPBEAR_ECDH 0
/* Enforce AEAD ciphers only: disable CTR, enable GCM.
 * NOTE(review): CBC mode is not pinned here; it is off by default in recent
 * upstream releases, but set DROPBEAR_ENABLE_CBC_MODE to 0 explicitly if
 * AEAD-only is a hard requirement. */
#undef DROPBEAR_ENABLE_CTR_MODE
#define DROPBEAR_ENABLE_CTR_MODE 0
#undef DROPBEAR_ENABLE_GCM_MODE
#define DROPBEAR_ENABLE_GCM_MODE 1
/* Enable user-selectable algorithm lists.
 * NOTE(review): the earlier comment read "Prevent fallback to encrypt-and-MAC
 * algorithms". Upstream documents DROPBEAR_USER_ALGO_LIST as enabling run-time
 * algorithm selection via command-line flags, i.e. it lets an operator choose
 * from the compiled-in set rather than restricting it -- confirm this is the
 * intended effect. */
#undef DROPBEAR_USER_ALGO_LIST
#define DROPBEAR_USER_ALGO_LIST 1
/* Disable client proxy commands to prevent arbitrary command execution */
#undef DROPBEAR_CLI_PROXYCMD
#define DROPBEAR_CLI_PROXYCMD 0
/* Disable netcat mode to avoid forwarding misuse */
#undef DROPBEAR_CLI_NETCAT
#define DROPBEAR_CLI_NETCAT 0
/* Disable agent forwarding to avoid credential relay */
#undef DROPBEAR_SVR_AGENTFWD
#define DROPBEAR_SVR_AGENTFWD 0
#undef DROPBEAR_CLI_AGENTFWD
#define DROPBEAR_CLI_AGENTFWD 0
/* Disable TCP forwarding if not required.
 * NOTE(review): DROPBEAR_SVR_LOCALTCPFWD (server-side local/-L forwarding) is
 * not set here and keeps its upstream default; add it if the intent is to
 * disable all forwarding. I also could not place DROPBEAR_SVR_LOCALSTREAMFWD in
 * upstream -- confirm it is a real option for the built version, otherwise it
 * is a no-op. */
#undef DROPBEAR_SVR_REMOTETCPFWD
#define DROPBEAR_SVR_REMOTETCPFWD 0
#undef DROPBEAR_SVR_LOCALSTREAMFWD
#define DROPBEAR_SVR_LOCALSTREAMFWD 0
#undef DROPBEAR_CLI_LOCALTCPFWD
#define DROPBEAR_CLI_LOCALTCPFWD 0
#undef DROPBEAR_CLI_REMOTETCPFWD
#define DROPBEAR_CLI_REMOTETCPFWD 0
/* Enforce sensible defaults for keepalives and idle timeouts
 * (presumably seconds, as in upstream -- verify) */
#undef DEFAULT_KEEPALIVE
#define DEFAULT_KEEPALIVE 60
#undef DEFAULT_IDLE_TIMEOUT
#define DEFAULT_IDLE_TIMEOUT 300
#endif /* DROPBEAR_LOCALOPTIONS_H_ */
/* vim: set filetype=c ts=2 sw=2 sts=2 et ai tw=100 */