dropbear: add config options for agent-forwarding support

* SSH agent forwarding might cause security issues, locally and on the jump machine (https://defn.io/2019/04/12/ssh-forwarding/). So allow to completely disabling it. * separate options for client and server * keep it enabled by default Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2021-07-16 00:44:53 +02:00 · 2021-07-16 00:44:53 +02:00 · 5287defa1f
commit 5287defa1f
parent 88a2ea41da
2 changed files with 13 additions and 1 deletions
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@ -95,6 +95,11 @@ config DROPBEAR_DBCLIENT
 	bool "Build dropbear with dbclient"
 	default y

+config DROPBEAR_DBCLIENT_AGENTFORWARD
+	bool "Enable agent forwarding in dbclient"
+	default y
+	depends on DROPBEAR_DBCLIENT
+
 config DROPBEAR_SCP
 	bool "Build dropbear with scp"
 	default y
@ -109,4 +114,8 @@ config DROPBEAR_ASKPASS

 		Increases binary size by about 0.1 kB (MIPS).

+config DROPBEAR_AGENTFORWARD
+	bool "Enable agent forwarding"
+	default y
+
 endmenu
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@ -32,7 +32,8 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 	CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
-	CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS
+	CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
+	CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD

 include $(INCLUDE_DIR)/package.mk

@ -135,6 +136,8 @@ DB_OPT_CONFIG = \
 	!!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \
 	!!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \
 	DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \
+	DROPBEAR_CLI_AGENTFWD|CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD|1|0 \
+	DROPBEAR_SVR_AGENTFWD|CONFIG_DROPBEAR_AGENTFORWARD|1|0 \


 TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto