mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-11-26 10:40:22 +02:00
update dropbear to 0.47 (adds keyboard-interactive auth, fixes a potential security issue, fixes #59)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@2660 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
parent
74f6ae6140
commit
b59790f654
@ -1,6 +1,5 @@
|
|||||||
config BR2_PACKAGE_DROPBEAR
|
config BR2_PACKAGE_DROPBEAR
|
||||||
prompt "dropbear.......................... Small SSH 2 client/server"
|
tristate "dropbear - Small SSH 2 client/server"
|
||||||
tristate
|
|
||||||
default y
|
default y
|
||||||
select BR2_PACKAGE_ZLIB
|
select BR2_PACKAGE_ZLIB
|
||||||
help
|
help
|
||||||
|
@ -3,9 +3,9 @@
|
|||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=dropbear
|
PKG_NAME:=dropbear
|
||||||
PKG_VERSION:=0.46
|
PKG_VERSION:=0.47
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=1
|
||||||
PKG_MD5SUM:=f0e535a62b57e5bde9ecba4a11402178
|
PKG_MD5SUM:=cf634614d52278d44dfd9c224a438bf2
|
||||||
|
|
||||||
PKG_SOURCE_URL:=http://matt.ucc.asn.au/dropbear/releases/
|
PKG_SOURCE_URL:=http://matt.ucc.asn.au/dropbear/releases/
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||||
|
89
openwrt/package/dropbear/patches/100-pubkey_path.patch
Normal file
89
openwrt/package/dropbear/patches/100-pubkey_path.patch
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c
|
||||||
|
--- dropbear.old/svr-authpubkey.c 2005-12-09 06:42:33.000000000 +0100
|
||||||
|
+++ dropbear.dev/svr-authpubkey.c 2005-12-12 01:35:32.139358750 +0100
|
||||||
|
@@ -155,7 +155,6 @@
|
||||||
|
unsigned char* keyblob, unsigned int keybloblen) {
|
||||||
|
|
||||||
|
FILE * authfile = NULL;
|
||||||
|
- char * filename = NULL;
|
||||||
|
int ret = DROPBEAR_FAILURE;
|
||||||
|
buffer * line = NULL;
|
||||||
|
unsigned int len, pos;
|
||||||
|
@@ -176,17 +175,8 @@
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* we don't need to check pw and pw_dir for validity, since
|
||||||
|
- * its been done in checkpubkeyperms. */
|
||||||
|
- len = strlen(ses.authstate.pw->pw_dir);
|
||||||
|
- /* allocate max required pathname storage,
|
||||||
|
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
|
||||||
|
- filename = m_malloc(len + 22);
|
||||||
|
- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
|
||||||
|
- ses.authstate.pw->pw_dir);
|
||||||
|
-
|
||||||
|
/* open the file */
|
||||||
|
- authfile = fopen(filename, "r");
|
||||||
|
+ authfile = fopen("/etc/dropbear/authorized_keys", "r");
|
||||||
|
if (authfile == NULL) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
@@ -247,7 +237,6 @@
|
||||||
|
if (line) {
|
||||||
|
buf_free(line);
|
||||||
|
}
|
||||||
|
- m_free(filename);
|
||||||
|
TRACE(("leave checkpubkey: ret=%d", ret))
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
@@ -255,12 +244,11 @@
|
||||||
|
|
||||||
|
/* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
|
||||||
|
* DROPBEAR_FAILURE otherwise.
|
||||||
|
- * Checks that the user's homedir, ~/.ssh, and
|
||||||
|
- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
|
||||||
|
+ * Checks that /etc/dropbear and /etc/dropbear/authorized_keys
|
||||||
|
+ * are all owned by either root or the user, and are
|
||||||
|
* g-w, o-w */
|
||||||
|
static int checkpubkeyperms() {
|
||||||
|
|
||||||
|
- char* filename = NULL;
|
||||||
|
int ret = DROPBEAR_FAILURE;
|
||||||
|
unsigned int len;
|
||||||
|
|
||||||
|
@@ -274,25 +262,11 @@
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* allocate max required pathname storage,
|
||||||
|
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
|
||||||
|
- filename = m_malloc(len + 22);
|
||||||
|
- strncpy(filename, ses.authstate.pw->pw_dir, len+1);
|
||||||
|
-
|
||||||
|
- /* check ~ */
|
||||||
|
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* check ~/.ssh */
|
||||||
|
- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
|
||||||
|
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
|
||||||
|
+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* now check ~/.ssh/authorized_keys */
|
||||||
|
- strncat(filename, "/authorized_keys", 16);
|
||||||
|
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
|
||||||
|
+ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -300,7 +274,6 @@
|
||||||
|
ret = DROPBEAR_SUCCESS;
|
||||||
|
|
||||||
|
out:
|
||||||
|
- m_free(filename);
|
||||||
|
|
||||||
|
TRACE(("leave checkpubkeyperms"))
|
||||||
|
return ret;
|
@ -1,6 +1,6 @@
|
|||||||
diff -ruN dropbear-0.46-old/svr-chansession.c dropbear-0.46-new/svr-chansession.c
|
diff -urN dropbear.old/svr-chansession.c dropbear.dev/svr-chansession.c
|
||||||
--- dropbear-0.46-old/svr-chansession.c 2005-07-08 21:20:59.000000000 +0200
|
--- dropbear.old/svr-chansession.c 2005-12-09 06:42:33.000000000 +0100
|
||||||
+++ dropbear-0.46-new/svr-chansession.c 2005-07-12 01:39:12.000000000 +0200
|
+++ dropbear.dev/svr-chansession.c 2005-12-12 01:42:38.982034750 +0100
|
||||||
@@ -860,12 +860,12 @@
|
@@ -860,12 +860,12 @@
|
||||||
/* We can only change uid/gid as root ... */
|
/* We can only change uid/gid as root ... */
|
||||||
if (getuid() == 0) {
|
if (getuid() == 0) {
|
@ -1,73 +0,0 @@
|
|||||||
--- dropbear-0.45.old/svr-authpubkey.c 2005-09-27 12:45:20.863639072 +0200
|
|
||||||
+++ dropbear-0.45/svr-authpubkey.c 2005-09-27 13:15:09.066790872 +0200
|
|
||||||
@@ -176,14 +176,10 @@
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* we don't need to check pw and pw_dir for validity, since
|
|
||||||
- * its been done in checkpubkeyperms. */
|
|
||||||
- len = strlen(ses.authstate.pw->pw_dir);
|
|
||||||
/* allocate max required pathname storage,
|
|
||||||
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
|
|
||||||
- filename = m_malloc(len + 22);
|
|
||||||
- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
|
|
||||||
- ses.authstate.pw->pw_dir);
|
|
||||||
+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
|
|
||||||
+ filename = m_malloc(30);
|
|
||||||
+ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
|
|
||||||
|
|
||||||
/* open the file */
|
|
||||||
authfile = fopen(filename, "r");
|
|
||||||
@@ -255,43 +251,33 @@
|
|
||||||
|
|
||||||
/* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
|
|
||||||
* DROPBEAR_FAILURE otherwise.
|
|
||||||
- * Checks that the user's homedir, ~/.ssh, and
|
|
||||||
- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
|
|
||||||
+ * Checks that /etc, /etc/dropbear and /etc/dropbear/authorized_keys
|
|
||||||
+ * are all owned by either root or the user, and are
|
|
||||||
* g-w, o-w */
|
|
||||||
static int checkpubkeyperms() {
|
|
||||||
|
|
||||||
char* filename = NULL;
|
|
||||||
int ret = DROPBEAR_FAILURE;
|
|
||||||
- unsigned int len;
|
|
||||||
|
|
||||||
TRACE(("enter checkpubkeyperms"))
|
|
||||||
|
|
||||||
- assert(ses.authstate.pw);
|
|
||||||
- if (ses.authstate.pw->pw_dir == NULL) {
|
|
||||||
- goto out;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if ((len = strlen(ses.authstate.pw->pw_dir)) == 0) {
|
|
||||||
- goto out;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* allocate max required pathname storage,
|
|
||||||
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
|
|
||||||
- filename = m_malloc(len + 22);
|
|
||||||
- strncpy(filename, ses.authstate.pw->pw_dir, len+1);
|
|
||||||
+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
|
|
||||||
+ filename = m_malloc(30);
|
|
||||||
+ strncpy(filename, "/etc", 4); /* strlen("/etc") == 4 */
|
|
||||||
|
|
||||||
- /* check ~ */
|
|
||||||
+ /* check /etc */
|
|
||||||
if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* check ~/.ssh */
|
|
||||||
- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
|
|
||||||
+ /* check /etc/dropbear */
|
|
||||||
+ strncat(filename, "/dropbear", 9); /* strlen("/dropbear") == 9 */
|
|
||||||
if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* now check ~/.ssh/authorized_keys */
|
|
||||||
+ /* now check /etc/dropbear/authorized_keys */
|
|
||||||
strncat(filename, "/authorized_keys", 16);
|
|
||||||
if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
|
|
||||||
goto out;
|
|
Loading…
Reference in New Issue
Block a user