config DROPBEAR_CURVE25519
bool "Curve25519 support"
- default n
+ default y
help
This enables the following key exchange algorithm:
curve25519-sha256@libssh.org
- Increases binary size by about 13 kB uncompressed (MIPS).
+ Increases binary size by about 4 kB (MIPS).
config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)"
- default n
help
- Enables elliptic curve cryptography (ECC) support in key exchange and public key
- authentication.
+ Enables basic support for elliptic curve cryptography (ECC)
+ in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256
+
+ Public key algorithms:
+ ecdsa-sha2-nistp256
+
+ Increases binary size by about 24 kB (MIPS).
+
+ Note: select DROPBEAR_ECC_FULL if full ECC support is required.
+
+config DROPBEAR_ECC_FULL
+ bool "Elliptic curve cryptography (ECC), full support"
+ depends on DROPBEAR_ECC
+ help
+ Enables full support for elliptic curve cryptography (ECC)
+ in key exchange and public key authentication.
+
+ Key exchange algorithms:
+ ecdh-sha2-nistp256 (*)
ecdh-sha2-nistp384
ecdh-sha2-nistp521
Public key algorithms:
- ecdsa-sha2-nistp256
+ ecdsa-sha2-nistp256 (*)
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
- Does not generate ECC host keys by default (ECC key exchange will not be used,
- only ECC public key auth).
+ (*) - basic ECC support; provided by DROPBEAR_ECC.
+
+ Increases binary size by about 4 kB (MIPS).
+
+config DROPBEAR_ED25519
+ bool "Ed25519 support"
+ default y if !SMALL_FLASH
+ help
+ This enables the following public key algorithm:
+ ssh-ed25519
+
+ Increases binary size by about 12 kB (MIPS).
+
+config DROPBEAR_CHACHA20POLY1305
+ bool "Chacha20-Poly1305 support"
+ default y
+ help
+ This enables the following authenticated encryption cipher:
+ chacha20-poly1305@openssh.com
+
+ Increases binary size by about 4 kB (MIPS).
+
+config DROPBEAR_U2F
+ bool "U2F/FIDO support"
+ default y
+ help
+ This option itself doesn't enable any support for U2F/FIDO
+ but subordinate options do:
+
+ - DROPBEAR_ECDSA_SK - ecdsa-sk keys support
+ depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)")
+ - DROPBEAR_ED25519_SK - ed25519-sk keys support
+ depends on DROPBEAR_ED25519 ("Ed25519 support")
+
+config DROPBEAR_ECDSA_SK
+ bool "ECDSA-SK support"
+ default y
+ depends on DROPBEAR_U2F && DROPBEAR_ECC
+ help
+ This enables the following public key algorithm:
+ sk-ecdsa-sha2-nistp256@openssh.com
+
+config DROPBEAR_ED25519_SK
+ bool "Ed25519-SK support"
+ default y
+ depends on DROPBEAR_U2F && DROPBEAR_ED25519
+ help
+ This enables the following public key algorithm:
+ sk-ssh-ed25519@openssh.com
+
+config DROPBEAR_ZLIB
+ bool "Enable compression"
+ help
+ Enables compression using shared zlib library.
+
+ Increases binary size by about 0.1 kB (MIPS) and requires
+ additional 62 kB (MIPS) for a shared zlib library.
+
+config DROPBEAR_UTMP
+ bool "Utmp support"
+ depends on BUSYBOX_CONFIG_FEATURE_UTMP
+ help
+ This enables dropbear utmp support, the file /var/run/utmp is
+ used to track who is currently logged in.
+
+config DROPBEAR_PUTUTLINE
+ bool "Pututline support"
+ depends on DROPBEAR_UTMP
+ help
+ Dropbear will use pututline() to write the utmp structure into
+ the utmp file.
+
+config DROPBEAR_DBCLIENT
+ bool "Build dropbear with dbclient"
+ default y
+
+config DROPBEAR_DBCLIENT_AGENTFORWARD
+ bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
+ default y
+ depends on DROPBEAR_DBCLIENT
+ help
+ Increases binary size by about 0.1 kB (MIPS).
+
+ Security notes:
+
+ SSH agent forwarding might cause security issues (locally and
+ on the jump machine).
+
+ Hovewer, it's enabled by default for compatibility with
+ previous OpenWrt/dropbear releases.
+
+ Consider DISABLING this option if you're building own OpenWrt
+ image.
+
+ Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
+ server itself).
+
+config DROPBEAR_SCP
+ bool "Build dropbear with scp"
+ default y
+
+config DROPBEAR_ASKPASS
+ bool "Enable askpass helper support"
+ depends on DROPBEAR_DBCLIENT
+ help
+ This enables support for ssh-askpass helper in dropbear client
+ in order to authenticate on remote hosts.
+
+ Increases binary size by about 0.1 kB (MIPS).
+
+config DROPBEAR_AGENTFORWARD
+ bool "Enable agent forwarding [LEGACY/SECURITY]"
+ default y
+ help
+ Increases binary size by about 0.1 kB (MIPS).
+
+ Security notes:
+
+ SSH agent forwarding might cause security issues (locally and
+ on the jump machine).
+
+ Hovewer, it's enabled by default for compatibility with
+ previous OpenWrt/dropbear releases.
+
+ Consider DISABLING this option if you're building own OpenWrt
+ image.
+
+ Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
+ dropbear client) if DROPBEAR_DBCLIENT is selected.
+
+config DROPBEAR_MODERN_ONLY
+ bool "Use modern crypto only [BREAKS COMPATIBILITY]"
+ select DROPBEAR_ED25519
+ select DROPBEAR_CURVE25519
+ select DROPBEAR_CHACHA20POLY1305
+ help
+ This option enables:
+ - Chacha20-Poly1305
+ - Curve25519
+ - Ed25519
+ and disables:
+ - AES
+ - RSA
+ - SHA1
+
+ Reduces binary size by about 64 kB (MIPS) from default
+ configuration.
- Increases binary size by about 23 kB (MIPS).
+ Consider enabling this option if you're building own OpenWrt
+ image and using modern SSH software everywhere.
endmenu
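Review bot: the DROPBEAR_MODERN_ONLY help says the option "disables AES, RSA, SHA1", but the hunk only shows three `select` lines for Ed25519/Curve25519/Chacha20-Poly1305 and nothing that turns the other algorithms off; if the disabling happens in the package Makefile it is outside this hunk and the help should say so, and given the `[BREAKS COMPATIBILITY]` tag it should state plainly that existing RSA host keys and RSA `authorized_keys` entries stop working, since an upgrade with this option set locks out every client that only has RSA keys. Same for DROPBEAR_ZLIB: the help says it "requires additional 62 kB (MIPS) for a shared zlib library" but no dependency on the zlib package is visible here. Minor wording in the two agent-forwarding help texts: "Hovewer" should be "However" (both occurrences) and "if you're building own OpenWrt image" should read "if you're building your own OpenWrt image"; the reasoning for keeping agent forwarding enabled by default is given, but the security note would be clearer if it named the concrete risk (anyone with root on the jump host can use the forwarded agent socket while the session is open) rather than "might cause security issues".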