From b9a3554f4a82fbbe8e4147399bb69b048b01c835 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 13 Dec 2005 19:15:43 +0000 Subject: [PATCH] update dropbear to 0.47 (adds keyboard-interactive auth, fixes a potential security issue, fixes #59) SVN-Revision: 2660 --- openwrt/package/dropbear/Config.in | 5 +- openwrt/package/dropbear/Makefile | 4 +- .../dropbear/patches/100-pubkey_path.patch | 89 +++++++++++++++++++ ...hange-user.patch => 110-change_user.patch} | 6 +- ...-prompt.patch => 120-hostkey_prompt.patch} | 0 ...ument-fix.patch => 130-scp_argument.patch} | 0 ...random.patch => 140-use_dev_urandom.patch} | 0 .../package/dropbear/patches/authpubkey.patch | 73 --------------- 8 files changed, 96 insertions(+), 81 deletions(-) create mode 100644 openwrt/package/dropbear/patches/100-pubkey_path.patch rename openwrt/package/dropbear/patches/{change-user.patch => 110-change_user.patch} (71%) rename openwrt/package/dropbear/patches/{hostkey-prompt.patch => 120-hostkey_prompt.patch} (100%) rename openwrt/package/dropbear/patches/{scp-argument-fix.patch => 130-scp_argument.patch} (100%) rename openwrt/package/dropbear/patches/{use-dev-urandom.patch => 140-use_dev_urandom.patch} (100%) delete mode 100644 openwrt/package/dropbear/patches/authpubkey.patch diff --git a/openwrt/package/dropbear/Config.in b/openwrt/package/dropbear/Config.in index 0c4b2f4527..54d7284eed 100644 --- a/openwrt/package/dropbear/Config.in +++ b/openwrt/package/dropbear/Config.in @@ -1,10 +1,9 @@ config BR2_PACKAGE_DROPBEAR - prompt "dropbear.......................... Small SSH 2 client/server" - tristate + tristate "dropbear - Small SSH 2 client/server" default y select BR2_PACKAGE_ZLIB help A small SSH 2 server/client designed for small memory environments. http://matt.ucc.asn.au/dropbear/ - + diff --git a/openwrt/package/dropbear/Makefile b/openwrt/package/dropbear/Makefile index e7144a60df..36548877db 100644 --- a/openwrt/package/dropbear/Makefile +++ b/openwrt/package/dropbear/Makefile @@ -3,9 +3,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=0.46 +PKG_VERSION:=0.47 PKG_RELEASE:=1 -PKG_MD5SUM:=f0e535a62b57e5bde9ecba4a11402178 +PKG_MD5SUM:=cf634614d52278d44dfd9c224a438bf2 PKG_SOURCE_URL:=http://matt.ucc.asn.au/dropbear/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 diff --git a/openwrt/package/dropbear/patches/100-pubkey_path.patch b/openwrt/package/dropbear/patches/100-pubkey_path.patch new file mode 100644 index 0000000000..4adda38b2b --- /dev/null +++ b/openwrt/package/dropbear/patches/100-pubkey_path.patch @@ -0,0 +1,89 @@ +diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c +--- dropbear.old/svr-authpubkey.c 2005-12-09 06:42:33.000000000 +0100 ++++ dropbear.dev/svr-authpubkey.c 2005-12-12 01:35:32.139358750 +0100 +@@ -155,7 +155,6 @@ + unsigned char* keyblob, unsigned int keybloblen) { + + FILE * authfile = NULL; +- char * filename = NULL; + int ret = DROPBEAR_FAILURE; + buffer * line = NULL; + unsigned int len, pos; +@@ -176,17 +175,8 @@ + goto out; + } + +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw->pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw->pw_dir); +- + /* open the file */ +- authfile = fopen(filename, "r"); ++ authfile = fopen("/etc/dropbear/authorized_keys", "r"); + if (authfile == NULL) { + goto out; + } +@@ -247,7 +237,6 @@ + if (line) { + buf_free(line); + } +- m_free(filename); + TRACE(("leave checkpubkey: ret=%d", ret)) + return ret; + } +@@ -255,12 +244,11 @@ + + /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok, + * DROPBEAR_FAILURE otherwise. +- * Checks that the user's homedir, ~/.ssh, and +- * ~/.ssh/authorized_keys are all owned by either root or the user, and are ++ * Checks that /etc/dropbear and /etc/dropbear/authorized_keys ++ * are all owned by either root or the user, and are + * g-w, o-w */ + static int checkpubkeyperms() { + +- char* filename = NULL; + int ret = DROPBEAR_FAILURE; + unsigned int len; + +@@ -274,25 +262,11 @@ + goto out; + } + +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw->pw_dir, len+1); +- +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { + goto out; + } + +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { + goto out; + } + +@@ -300,7 +274,6 @@ + ret = DROPBEAR_SUCCESS; + + out: +- m_free(filename); + + TRACE(("leave checkpubkeyperms")) + return ret; diff --git a/openwrt/package/dropbear/patches/change-user.patch b/openwrt/package/dropbear/patches/110-change_user.patch similarity index 71% rename from openwrt/package/dropbear/patches/change-user.patch rename to openwrt/package/dropbear/patches/110-change_user.patch index 5ab4a56899..ac617e2806 100644 --- a/openwrt/package/dropbear/patches/change-user.patch +++ b/openwrt/package/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ -diff -ruN dropbear-0.46-old/svr-chansession.c dropbear-0.46-new/svr-chansession.c ---- dropbear-0.46-old/svr-chansession.c 2005-07-08 21:20:59.000000000 +0200 -+++ dropbear-0.46-new/svr-chansession.c 2005-07-12 01:39:12.000000000 +0200 +diff -urN dropbear.old/svr-chansession.c dropbear.dev/svr-chansession.c +--- dropbear.old/svr-chansession.c 2005-12-09 06:42:33.000000000 +0100 ++++ dropbear.dev/svr-chansession.c 2005-12-12 01:42:38.982034750 +0100 @@ -860,12 +860,12 @@ /* We can only change uid/gid as root ... */ if (getuid() == 0) { diff --git a/openwrt/package/dropbear/patches/hostkey-prompt.patch b/openwrt/package/dropbear/patches/120-hostkey_prompt.patch similarity index 100% rename from openwrt/package/dropbear/patches/hostkey-prompt.patch rename to openwrt/package/dropbear/patches/120-hostkey_prompt.patch diff --git a/openwrt/package/dropbear/patches/scp-argument-fix.patch b/openwrt/package/dropbear/patches/130-scp_argument.patch similarity index 100% rename from openwrt/package/dropbear/patches/scp-argument-fix.patch rename to openwrt/package/dropbear/patches/130-scp_argument.patch diff --git a/openwrt/package/dropbear/patches/use-dev-urandom.patch b/openwrt/package/dropbear/patches/140-use_dev_urandom.patch similarity index 100% rename from openwrt/package/dropbear/patches/use-dev-urandom.patch rename to openwrt/package/dropbear/patches/140-use_dev_urandom.patch diff --git a/openwrt/package/dropbear/patches/authpubkey.patch b/openwrt/package/dropbear/patches/authpubkey.patch deleted file mode 100644 index 07beefe714..0000000000 --- a/openwrt/package/dropbear/patches/authpubkey.patch +++ /dev/null @@ -1,73 +0,0 @@ ---- dropbear-0.45.old/svr-authpubkey.c 2005-09-27 12:45:20.863639072 +0200 -+++ dropbear-0.45/svr-authpubkey.c 2005-09-27 13:15:09.066790872 +0200 -@@ -176,14 +176,10 @@ - goto out; - } - -- /* we don't need to check pw and pw_dir for validity, since -- * its been done in checkpubkeyperms. */ -- len = strlen(ses.authstate.pw->pw_dir); - /* allocate max required pathname storage, -- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", -- ses.authstate.pw->pw_dir); -+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */ -+ filename = m_malloc(30); -+ strncpy(filename, "/etc/dropbear/authorized_keys", 30); - - /* open the file */ - authfile = fopen(filename, "r"); -@@ -255,43 +251,33 @@ - - /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok, - * DROPBEAR_FAILURE otherwise. -- * Checks that the user's homedir, ~/.ssh, and -- * ~/.ssh/authorized_keys are all owned by either root or the user, and are -+ * Checks that /etc, /etc/dropbear and /etc/dropbear/authorized_keys -+ * are all owned by either root or the user, and are - * g-w, o-w */ - static int checkpubkeyperms() { - - char* filename = NULL; - int ret = DROPBEAR_FAILURE; -- unsigned int len; - - TRACE(("enter checkpubkeyperms")) - -- assert(ses.authstate.pw); -- if (ses.authstate.pw->pw_dir == NULL) { -- goto out; -- } -- -- if ((len = strlen(ses.authstate.pw->pw_dir)) == 0) { -- goto out; -- } -- - /* allocate max required pathname storage, -- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- strncpy(filename, ses.authstate.pw->pw_dir, len+1); -+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */ -+ filename = m_malloc(30); -+ strncpy(filename, "/etc", 4); /* strlen("/etc") == 4 */ - -- /* check ~ */ -+ /* check /etc */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } - -- /* check ~/.ssh */ -- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ -+ /* check /etc/dropbear */ -+ strncat(filename, "/dropbear", 9); /* strlen("/dropbear") == 9 */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } - -- /* now check ~/.ssh/authorized_keys */ -+ /* now check /etc/dropbear/authorized_keys */ - strncat(filename, "/authorized_keys", 16); - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out;