diff options
author | Matt Johnston <matt@ucc.asn.au> | 2022-01-30 10:14:56 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2022-01-30 10:14:56 +0800 |
commit | deb2ed63d904e8baf586bf97d494706ed58e7a9b (patch) | |
tree | c7199ab70fad3d27994e165c46b797f27c50d885 /default_options.h | |
parent | 0d62392b5cd34331d3c5de84a8f398ef5e706ff2 (diff) | |
download | dropbear-deb2ed63d904e8baf586bf97d494706ed58e7a9b.tar.gz |
Add re-exec for server
This allows ASLR to re-randomize the address
space for every connection, preventing some
vulnerabilities from being exploitable by
repeated probing.
Overhead (memory and time) is yet to be confirmed.
At present this is only enabled on Linux. Other BSD platforms
with fexecve() would probably also work though have not been tested.
Diffstat (limited to 'default_options.h')
-rw-r--r-- | default_options.h | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/default_options.h b/default_options.h index 62f2a39..aa9df78 100644 --- a/default_options.h +++ b/default_options.h @@ -37,7 +37,14 @@ IMPORTANT: Some options will require "make clean" after changes */ #define NON_INETD_MODE 1 #define INETD_MODE 1 -/* Include verbose debug output, enabled with -v at runtime. +/* By default Dropbear will re-execute itself for each incoming connection so + that memory layout may be re-randomised (ASLR) - exploiting + vulnerabilities becomes harder. Re-exec causes slightly more memory use + per connection. + This option is ignored on non-Linux platforms at present */ +#define DROPBEAR_REEXEC 1 + +/* Include verbose debug output, enabled with -v at runtime. * This will add a reasonable amount to your executable size. */ #define DEBUG_TRACE 0 |