Disable telnet in favor of passwordless SSH
This enables passwordless login for root via SSH whenever no root password is set (e.g. after reset, flashing without keeping config or in failsafe) and removes telnet support altogether. Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46809
This commit is contained in:
parent
b850e1e59f
commit
d196b1fc2e
9 changed files with 49 additions and 48 deletions
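--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -10,8 +10,7 @@ then
 else
 cat << EOF
 === IMPORTANT ============================
-Use 'passwd' to set your login password
-this will disable telnet and enable SSH
+Use 'passwd' to set your login password!
 ------------------------------------------
 EOF
 fi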
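Review bot: The banner no longer says why setting the password matters: the removed line carried the telnet/SSH consequence, and after this commit (per the description and the svr-auth patch) root can log in over SSH with no password until `passwd` is run, so the new single line hides the one fact the user needs. Suggest keeping a second line inside the heredoc, e.g. `until you do, root can log in over SSH without a password`. The enclosing if/else begins outside the hunk.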
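--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-telnetd -l /bin/login.sh <> /dev/null 2>&1
+dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
 
 failsafe_shell() {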
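Review bot: `dropbearkey -t rsa -s 1024` in failsafe_netlogin generates a 1024-bit RSA host key, which is below the size generally recommended for RSA; the key lives only in /tmp and is regenerated on each failsafe boot, so a larger size costs only keygen time in failsafe (on slow targets that delay may be noticeable, so the trade-off is worth a comment either way). The exit status of dropbearkey is also unchecked, and with dropbear's output sent to /dev/null a missing key file fails silently, so chaining the two is cheaper than debugging a failsafe that never listens: `dropbearkey -t rsa -s 2048 -f /tmp/dropbear_failsafe_host_key && dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1`. A one-line comment that the host key is temporary and will differ on every failsafe boot would also save users puzzling over host-key-changed warnings.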
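--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \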
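--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -18,6 +18,17 @@
 
 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
 #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+#define DROPBEAR_AES256
+/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+/*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+
+/* Enable CBC mode for ciphers. This has security issues though
+* is the most compatible with older SSH implementations */
 @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
 * which are not the standard form. */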
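--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+AUTH_METHOD_NONE_LEN) == 0) {
+TRACE(("recv_msg_userauth_request: 'none' request"))
+if (valid_user
+- && svr_opts.allowblankpass
++ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+&& !svr_opts.noauthpass
+&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
+&& ses.authstate.pw_passwd[0] == '\0')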
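Review bot: The new condition identifies root by name, `!strcmp(ses.authstate.pw_name, "root")`, while the `norootpass` term two lines below in the same expression identifies root by `ses.authstate.pw_uid == 0`; the two can disagree (a uid-0 account under another name, or a non-zero-uid account named "root"), and the uid form is the one the surrounding code already uses. Suggest `+ && (svr_opts.allowblankpass || ses.authstate.pw_uid == 0)`. The patch also makes blank-password "none" authentication for root unconditional rather than tied to the `-B` (allowblankpass) option, still gated by the empty `pw_passwd` field, `-w` (norootpass) and `noauthpass`; since the new patch file carries no header, a short description stating that intent and that it applies on every interface dropbear listens on until a password is set would help the next maintainer judge it. recv_msg_userauth_request continues outside the hunk.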
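--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+m_free(hostkey_file);
+}
+
++ if (svr_opts.num_hostkey_files <= 0) {
+#ifdef DROPBEAR_RSA
+loadhostkey(RSA_PRIV_FILENAME, 0);
+#endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+#ifdef DROPBEAR_ECDSA
+loadhostkey(ECDSA_PRIV_FILENAME, 0);
+#endif
++ }
+
+#ifdef DROPBEAR_DELAY_HOSTKEY
+if (svr_opts.delay_hostkey) {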
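Review bot: Wrapping the default loadhostkey calls in `if (svr_opts.num_hostkey_files <= 0)` changes what `-r` means — the default host key paths are now skipped whenever an explicit key was given — but the new patch file has no description, so a reader of the patch queue cannot tell whether this is a fix or a deliberate behaviour change. A short header above `--- a/svr-runopts.c`, e.g. `Only fall back to the default host key paths when no -r key was given, so failsafe can run from a single temporary key.`, would record the intent (the failsafe script in this commit starts dropbear with `-r /tmp/dropbear_failsafe_host_key`, which appears to be the motivation). The `#ifdef DROPBEAR_DELAY_HOSTKEY` block that follows is left outside the new condition; whether that is intended is not visible here. load_all_hostkeys continues outside the hunk.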
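--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
 default n
 config BUSYBOX_DEFAULT_TELNET
 bool
-default y
+default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
 bool
-default y
+default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
 bool
 default n
 config BUSYBOX_DEFAULT_TELNETD
 bool
-default y
+default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
 bool
-default y
+default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
 bool
 default n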
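--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -110,7 +110,6 @@ define Package/busybox/install
 $(INSTALL_DIR) $(1)/etc/init.d
 $(CP) $(PKG_INSTALL_DIR)/* $(1)/
 $(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
-$(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
 $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
 $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
 -rm -rf $(1)/lib64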
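--- a/<path not shown on page>
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
-local pwd=$([ -f "$1" ] && cat "$1")
-pwd="${pwd#*root:}"
-pwd="${pwd%%:*}"
-
-test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
-local homedir=$([ -f "$1" ] && cat "$1")
-homedir="${homedir#*:*:0:0:*:}"
-
-echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
-( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
-( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
-if ( ! has_ssh_pubkey && \
-! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
-( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
-then
-procd_open_instance
-procd_set_param command "$PROG" -F -l /bin/login.sh
-procd_close_instance
-fi
-}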