dropbear: minor config clarification
authorKonstantin Demin <rockdrilla@gmail.com>
Tue, 9 Jan 2024 00:40:01 +0000 (03:40 +0300)
committerRui Salvaterra <rsalvaterra@gmail.com>
Fri, 9 Feb 2024 09:13:05 +0000 (09:13 +0000)
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature size cost and security notes for DROPBEAR_AGENTFORWARD
  and DROPBEAR_DBCLIENT_AGENTFORWARD:
  describe why and where it should be disabled

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
package/network/services/dropbear/Config.in

index d4644fc88f9582f4caa4e7915cc8ffd4992c3cea..449cc2a421dc7696bc50107b1ac3ffb714dc885c 100644 (file)
@@ -12,7 +12,6 @@ config DROPBEAR_CURVE25519
 
 config DROPBEAR_ECC
        bool "Elliptic curve cryptography (ECC)"
-       default n
        help
                Enables basic support for elliptic curve cryptography (ECC)
                in key exchange and public key authentication.
@@ -25,11 +24,10 @@ config DROPBEAR_ECC
 
                Increases binary size by about 24 kB (MIPS).
 
-               If full ECC support is required, also select DROPBEAR_ECC_FULL.
+               Note: select DROPBEAR_ECC_FULL if full ECC support is required.
 
 config DROPBEAR_ECC_FULL
        bool "Elliptic curve cryptography (ECC), full support"
-       default n
        depends on DROPBEAR_ECC
        help
                Enables full support for elliptic curve cryptography (ECC)
@@ -69,36 +67,50 @@ config DROPBEAR_CHACHA20POLY1305
 
 config DROPBEAR_ZLIB
        bool "Enable compression"
-       default n
        help
                Enables compression using shared zlib library.
 
-               Increases binary size by about 0.1 kB (MIPS) and requires additional 62 kB (MIPS)
-               for a shared zlib library.
+               Increases binary size by about 0.1 kB (MIPS) and requires
+               additional 62 kB (MIPS) for a shared zlib library.
 
 config DROPBEAR_UTMP
        bool "Utmp support"
-       default n
        depends on BUSYBOX_CONFIG_FEATURE_UTMP
        help
-               This enables dropbear utmp support, the file /var/run/utmp is used to
-               track who is currently logged in.
+               This enables dropbear utmp support, the file /var/run/utmp is
+               used to track who is currently logged in.
 
 config DROPBEAR_PUTUTLINE
        bool "Pututline support"
-       default n
        depends on DROPBEAR_UTMP
        help
-               Dropbear will use pututline() to write the utmp structure into the utmp file.
+               Dropbear will use pututline() to write the utmp structure into
+               the utmp file.
 
 config DROPBEAR_DBCLIENT
        bool "Build dropbear with dbclient"
        default y
 
 config DROPBEAR_DBCLIENT_AGENTFORWARD
-       bool "Enable agent forwarding in dbclient"
+       bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
        default y
        depends on DROPBEAR_DBCLIENT
+       help
+               Increases binary size by about 0.1 kB (MIPS).
+
+               Security notes:
+
+               SSH agent forwarding might cause security issues (locally and
+               on the jump machine).
+
+               Hovewer, it's enabled by default for compatibility with
+               previous OpenWrt/dropbear releases.
+
+               Consider DISABLING this option if you're building own OpenWrt
+               image.
+
+               Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
+               server itself).
 
 config DROPBEAR_SCP
        bool "Build dropbear with scp"
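Review bot: The new help text for DROPBEAR_DBCLIENT_AGENTFORWARD misspells "However" as "Hovewer" (the line `Hovewer, it's enabled by default for compatibility with`), and the same typo is in the DROPBEAR_AGENTFORWARD help added in the last hunk. "if you're building own OpenWrt image" also reads better as `if you're building your own OpenWrt image`. The security note would be more useful if it named the exposure instead of "might cause security issues", e.g. `Agent forwarding lets the remote host authenticate with the keys held by your local agent for as long as the session is open, so enable it only towards hosts you trust.`; for the server-side option in the last hunk, the OpenWrt device is the jump machine that receives forwarded agents, which is worth saying explicitly there. The default-n removals and re-wrapping in the rest of the hunk look fine.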
@@ -106,7 +118,6 @@ config DROPBEAR_SCP
 
 config DROPBEAR_ASKPASS
        bool "Enable askpass helper support"
-       default n
        depends on DROPBEAR_DBCLIENT
        help
                This enables support for ssh-askpass helper in dropbear client
@@ -115,7 +126,23 @@ config DROPBEAR_ASKPASS
                Increases binary size by about 0.1 kB (MIPS).
 
 config DROPBEAR_AGENTFORWARD
-       bool "Enable agent forwarding"
+       bool "Enable agent forwarding [LEGACY/SECURITY]"
        default y
+       help
+               Increases binary size by about 0.1 kB (MIPS).
+
+               Security notes:
+
+               SSH agent forwarding might cause security issues (locally and
+               on the jump machine).
+
+               Hovewer, it's enabled by default for compatibility with
+               previous OpenWrt/dropbear releases.
+
+               Consider DISABLING this option if you're building own OpenWrt
+               image.
+
+               Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
+               dropbear client) if DROPBEAR_DBCLIENT is selected.
 
 endmenu