Disable telnet in favor of passwordless SSH

This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46809
This commit is contained in:
Steven Barth 2015-09-07 19:29:25 +00:00
parent b850e1e59f
commit d196b1fc2e
9 changed files with 49 additions and 48 deletions

View file

@ -10,8 +10,7 @@ then
else else
cat << EOF cat << EOF
=== IMPORTANT ============================ === IMPORTANT ============================
Use 'passwd' to set your login password Use 'passwd' to set your login password!
this will disable telnet and enable SSH
------------------------------------------ ------------------------------------------
EOF EOF
fi fi

View file

@ -1,9 +1,10 @@
#!/bin/sh #!/bin/sh
# Copyright (C) 2006 OpenWrt.org # Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications # Copyright (C) 2010 Vertical Communications
failsafe_netlogin () { failsafe_netlogin () {
telnetd -l /bin/login.sh <> /dev/null 2>&1 dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
} }
failsafe_shell() { failsafe_shell() {

View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear PKG_NAME:=dropbear
PKG_VERSION:=2015.68 PKG_VERSION:=2015.68
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \

View file

@ -18,6 +18,17 @@
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#define ENABLE_USER_ALGO_LIST #define ENABLE_USER_ALGO_LIST
@@ -95,8 +95,8 @@ much traffic. */
#define DROPBEAR_AES256
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
/*#define DROPBEAR_BLOWFISH*/
-#define DROPBEAR_TWOFISH256
-#define DROPBEAR_TWOFISH128
+/*#define DROPBEAR_TWOFISH256*/
+/*#define DROPBEAR_TWOFISH128*/
/* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */
@@ -131,9 +131,9 @@ If you test it please contact the Dropbe @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */ * which are not the standard form. */

View file

@ -0,0 +1,11 @@
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
AUTH_METHOD_NONE_LEN) == 0) {
TRACE(("recv_msg_userauth_request: 'none' request"))
if (valid_user
- && svr_opts.allowblankpass
+ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
&& !svr_opts.noauthpass
&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
&& ses.authstate.pw_passwd[0] == '\0')

View file

@ -0,0 +1,18 @@
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -475,6 +475,7 @@ void load_all_hostkeys() {
m_free(hostkey_file);
}
+ if (svr_opts.num_hostkey_files <= 0) {
#ifdef DROPBEAR_RSA
loadhostkey(RSA_PRIV_FILENAME, 0);
#endif
@@ -486,6 +487,7 @@ void load_all_hostkeys() {
#ifdef DROPBEAR_ECDSA
loadhostkey(ECDSA_PRIV_FILENAME, 0);
#endif
+ }
#ifdef DROPBEAR_DELAY_HOSTKEY
if (svr_opts.delay_hostkey) {

View file

@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
default n default n
config BUSYBOX_DEFAULT_TELNET config BUSYBOX_DEFAULT_TELNET
bool bool
default y default n
config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
bool bool
default y default n
config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
bool bool
default n default n
config BUSYBOX_DEFAULT_TELNETD config BUSYBOX_DEFAULT_TELNETD
bool bool
default y default n
config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
bool bool
default y default n
config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
bool bool
default n default n

View file

@ -110,7 +110,6 @@ define Package/busybox/install
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/* $(1)/ $(CP) $(PKG_INSTALL_DIR)/* $(1)/
$(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron $(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
$(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
-rm -rf $(1)/lib64 -rm -rf $(1)/lib64

View file

@ -1,38 +0,0 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org
START=50
USE_PROCD=1
PROG=/usr/sbin/telnetd
has_root_pwd() {
local pwd=$([ -f "$1" ] && cat "$1")
pwd="${pwd#*root:}"
pwd="${pwd%%:*}"
test -n "${pwd#[\!x]}"
}
get_root_home() {
local homedir=$([ -f "$1" ] && cat "$1")
homedir="${homedir#*:*:0:0:*:}"
echo "${homedir%%:*}"
}
has_ssh_pubkey() {
( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
}
start_service() {
if ( ! has_ssh_pubkey && \
! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
then
procd_open_instance
procd_set_param command "$PROG" -F -l /bin/login.sh
procd_close_instance
fi
}