update dropbear to 0.47 (adds keyboard-interactive auth, fixes a potential security...
authorFelix Fietkau <nbd@openwrt.org>
Tue, 13 Dec 2005 19:15:43 +0000 (19:15 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Tue, 13 Dec 2005 19:15:43 +0000 (19:15 +0000)
SVN-Revision: 2660

12 files changed:
openwrt/package/dropbear/Config.in
openwrt/package/dropbear/Makefile
openwrt/package/dropbear/patches/100-pubkey_path.patch [new file with mode: 0644]
openwrt/package/dropbear/patches/110-change_user.patch [new file with mode: 0644]
openwrt/package/dropbear/patches/120-hostkey_prompt.patch [new file with mode: 0644]
openwrt/package/dropbear/patches/130-scp_argument.patch [new file with mode: 0644]
openwrt/package/dropbear/patches/140-use_dev_urandom.patch [new file with mode: 0644]
openwrt/package/dropbear/patches/authpubkey.patch [deleted file]
openwrt/package/dropbear/patches/change-user.patch [deleted file]
openwrt/package/dropbear/patches/hostkey-prompt.patch [deleted file]
openwrt/package/dropbear/patches/scp-argument-fix.patch [deleted file]
openwrt/package/dropbear/patches/use-dev-urandom.patch [deleted file]

index 0c4b2f4527f0e4c6fc4f278cf5fcb59d17733bc0..54d7284eedcb31a019dedd14d28835e706e8911b 100644 (file)
@@ -1,10 +1,9 @@
 config BR2_PACKAGE_DROPBEAR
-       prompt "dropbear.......................... Small SSH 2 client/server"
-       tristate
+       tristate "dropbear - Small SSH 2 client/server"
        default y
        select BR2_PACKAGE_ZLIB
        help
          A small SSH 2 server/client designed for small memory environments.
          
          http://matt.ucc.asn.au/dropbear/
-
+         
index e7144a60dfa75795d34ea314405569e37d9acde1..36548877db25c57343bc517cab16a6dda96239c1 100644 (file)
@@ -3,9 +3,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=0.46
+PKG_VERSION:=0.47
 PKG_RELEASE:=1
-PKG_MD5SUM:=f0e535a62b57e5bde9ecba4a11402178
+PKG_MD5SUM:=cf634614d52278d44dfd9c224a438bf2
 
 PKG_SOURCE_URL:=http://matt.ucc.asn.au/dropbear/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
diff --git a/openwrt/package/dropbear/patches/100-pubkey_path.patch b/openwrt/package/dropbear/patches/100-pubkey_path.patch
new file mode 100644 (file)
index 0000000..4adda38
--- /dev/null
@@ -0,0 +1,89 @@
+diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c
+--- dropbear.old/svr-authpubkey.c      2005-12-09 06:42:33.000000000 +0100
++++ dropbear.dev/svr-authpubkey.c      2005-12-12 01:35:32.139358750 +0100
+@@ -155,7 +155,6 @@
+               unsigned char* keyblob, unsigned int keybloblen) {
+       FILE * authfile = NULL;
+-      char * filename = NULL;
+       int ret = DROPBEAR_FAILURE;
+       buffer * line = NULL;
+       unsigned int len, pos;
+@@ -176,17 +175,8 @@
+               goto out;
+       }
+-      /* we don't need to check pw and pw_dir for validity, since
+-       * its been done in checkpubkeyperms. */
+-      len = strlen(ses.authstate.pw->pw_dir);
+-      /* allocate max required pathname storage,
+-       * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-      filename = m_malloc(len + 22);
+-      snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
+-                              ses.authstate.pw->pw_dir);
+-
+       /* open the file */
+-      authfile = fopen(filename, "r");
++      authfile = fopen("/etc/dropbear/authorized_keys", "r");
+       if (authfile == NULL) {
+               goto out;
+       }
+@@ -247,7 +237,6 @@
+       if (line) {
+               buf_free(line);
+       }
+-      m_free(filename);
+       TRACE(("leave checkpubkey: ret=%d", ret))
+       return ret;
+ }
+@@ -255,12 +244,11 @@
+ /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
+  * DROPBEAR_FAILURE otherwise.
+- * Checks that the user's homedir, ~/.ssh, and
+- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
++ * Checks that /etc/dropbear and /etc/dropbear/authorized_keys
++ * are all owned by either root or the user, and are
+  * g-w, o-w */
+ static int checkpubkeyperms() {
+-      char* filename = NULL; 
+       int ret = DROPBEAR_FAILURE;
+       unsigned int len;
+@@ -274,25 +262,11 @@
+               goto out;
+       }
+-      /* allocate max required pathname storage,
+-       * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-      filename = m_malloc(len + 22);
+-      strncpy(filename, ses.authstate.pw->pw_dir, len+1);
+-
+-      /* check ~ */
+-      if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-              goto out;
+-      }
+-
+-      /* check ~/.ssh */
+-      strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
+-      if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++      if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
+               goto out;
+       }
+-      /* now check ~/.ssh/authorized_keys */
+-      strncat(filename, "/authorized_keys", 16);
+-      if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++      if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
+               goto out;
+       }
+@@ -300,7 +274,6 @@
+       ret = DROPBEAR_SUCCESS;
+       
+ out:
+-      m_free(filename);
+       TRACE(("leave checkpubkeyperms"))
+       return ret;
diff --git a/openwrt/package/dropbear/patches/110-change_user.patch b/openwrt/package/dropbear/patches/110-change_user.patch
new file mode 100644 (file)
index 0000000..ac617e2
--- /dev/null
@@ -0,0 +1,19 @@
+diff -urN dropbear.old/svr-chansession.c dropbear.dev/svr-chansession.c
+--- dropbear.old/svr-chansession.c     2005-12-09 06:42:33.000000000 +0100
++++ dropbear.dev/svr-chansession.c     2005-12-12 01:42:38.982034750 +0100
+@@ -860,12 +860,12 @@
+       /* We can only change uid/gid as root ... */
+       if (getuid() == 0) {
+-              if ((setgid(ses.authstate.pw->pw_gid) < 0) ||
++              if ((ses.authstate.pw->pw_gid != 0) && ((setgid(ses.authstate.pw->pw_gid) < 0) ||
+                       (initgroups(ses.authstate.pw->pw_name, 
+-                                              ses.authstate.pw->pw_gid) < 0)) {
++                                              ses.authstate.pw->pw_gid) < 0))) {
+                       dropbear_exit("error changing user group");
+               }
+-              if (setuid(ses.authstate.pw->pw_uid) < 0) {
++              if ((ses.authstate.pw->pw_uid != 0) && (setuid(ses.authstate.pw->pw_uid) < 0)) {
+                       dropbear_exit("error changing user");
+               }
+       } else {
diff --git a/openwrt/package/dropbear/patches/120-hostkey_prompt.patch b/openwrt/package/dropbear/patches/120-hostkey_prompt.patch
new file mode 100644 (file)
index 0000000..59639e7
--- /dev/null
@@ -0,0 +1,12 @@
+diff -urN dropbear-0.45.old/cli-kex.c dropbear-0.45/cli-kex.c
+--- dropbear-0.45.old/cli-kex.c        2005-03-07 05:27:01.000000000 +0100
++++ dropbear-0.45/cli-kex.c    2005-03-25 11:13:57.000000000 +0100
+@@ -119,7 +119,7 @@
+       char response = 'z';
+       fp = sign_key_fingerprint(keyblob, keybloblen);
+-      fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n)\n", 
++      fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n) ", 
+                       cli_opts.remotehost, 
+                       fp);
diff --git a/openwrt/package/dropbear/patches/130-scp_argument.patch b/openwrt/package/dropbear/patches/130-scp_argument.patch
new file mode 100644 (file)
index 0000000..befba5d
--- /dev/null
@@ -0,0 +1,16 @@
+diff -urN dropbear-0.45.old/scp.c dropbear-0.45/scp.c
+--- dropbear-0.45.old/scp.c    2005-03-07 05:27:02.000000000 +0100
++++ dropbear-0.45/scp.c        2005-03-25 11:28:22.000000000 +0100
+@@ -249,9 +249,9 @@
+       args.list = NULL;
+       addargs(&args, "ssh");          /* overwritten with ssh_program */
+-      addargs(&args, "-x");
+-      addargs(&args, "-oForwardAgent no");
+-      addargs(&args, "-oClearAllForwardings yes");
++//    addargs(&args, "-x");
++//    addargs(&args, "-oForwardAgent no");
++//    addargs(&args, "-oClearAllForwardings yes");
+       fflag = tflag = 0;
+       while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
diff --git a/openwrt/package/dropbear/patches/140-use_dev_urandom.patch b/openwrt/package/dropbear/patches/140-use_dev_urandom.patch
new file mode 100644 (file)
index 0000000..e1424f5
--- /dev/null
@@ -0,0 +1,12 @@
+diff -urN dropbear-0.45.old/options.h dropbear-0.45/options.h
+--- dropbear-0.45.old/options.h        2005-03-14 17:12:22.000000000 +0100
++++ dropbear-0.45/options.h    2005-03-14 17:13:49.000000000 +0100
+@@ -143,7 +143,7 @@
+  * however significantly reduce the security of your ssh connections
+  * if the PRNG state becomes guessable - make sure you know what you are
+  * doing if you change this. */
+-#define DROPBEAR_RANDOM_DEV "/dev/random"
++#define DROPBEAR_RANDOM_DEV "/dev/urandom"
+ /* prngd must be manually set up to produce output */
+ /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
diff --git a/openwrt/package/dropbear/patches/authpubkey.patch b/openwrt/package/dropbear/patches/authpubkey.patch
deleted file mode 100644 (file)
index 07beefe..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
---- dropbear-0.45.old/svr-authpubkey.c 2005-09-27 12:45:20.863639072 +0200
-+++ dropbear-0.45/svr-authpubkey.c     2005-09-27 13:15:09.066790872 +0200
-@@ -176,14 +176,10 @@
-               goto out;
-       }
--      /* we don't need to check pw and pw_dir for validity, since
--       * its been done in checkpubkeyperms. */
--      len = strlen(ses.authstate.pw->pw_dir);
-       /* allocate max required pathname storage,
--       * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
--      filename = m_malloc(len + 22);
--      snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
--                              ses.authstate.pw->pw_dir);
-+       * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+      filename = m_malloc(30);
-+      strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-       /* open the file */
-       authfile = fopen(filename, "r");
-@@ -255,43 +251,33 @@
- /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
-  * DROPBEAR_FAILURE otherwise.
-- * Checks that the user's homedir, ~/.ssh, and
-- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
-+ * Checks that /etc, /etc/dropbear and /etc/dropbear/authorized_keys
-+ * are all owned by either root or the user, and are
-  * g-w, o-w */
- static int checkpubkeyperms() {
-       char* filename = NULL; 
-       int ret = DROPBEAR_FAILURE;
--      unsigned int len;
-       TRACE(("enter checkpubkeyperms"))
--      assert(ses.authstate.pw);
--      if (ses.authstate.pw->pw_dir == NULL) {
--              goto out;
--      }
--
--      if ((len = strlen(ses.authstate.pw->pw_dir)) == 0) {
--              goto out;
--      }
--
-       /* allocate max required pathname storage,
--       * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
--      filename = m_malloc(len + 22);
--      strncpy(filename, ses.authstate.pw->pw_dir, len+1);
-+       * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+      filename = m_malloc(30);
-+      strncpy(filename, "/etc", 4); /* strlen("/etc") == 4 */
--      /* check ~ */
-+      /* check /etc */
-       if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-               goto out;
-       }
--      /* check ~/.ssh */
--      strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
-+      /* check /etc/dropbear */
-+      strncat(filename, "/dropbear", 9); /* strlen("/dropbear") == 9 */
-       if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-               goto out;
-       }
--      /* now check ~/.ssh/authorized_keys */
-+      /* now check /etc/dropbear/authorized_keys */
-       strncat(filename, "/authorized_keys", 16);
-       if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-               goto out;
diff --git a/openwrt/package/dropbear/patches/change-user.patch b/openwrt/package/dropbear/patches/change-user.patch
deleted file mode 100644 (file)
index 5ab4a56..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -ruN dropbear-0.46-old/svr-chansession.c dropbear-0.46-new/svr-chansession.c
---- dropbear-0.46-old/svr-chansession.c        2005-07-08 21:20:59.000000000 +0200
-+++ dropbear-0.46-new/svr-chansession.c        2005-07-12 01:39:12.000000000 +0200
-@@ -860,12 +860,12 @@
-       /* We can only change uid/gid as root ... */
-       if (getuid() == 0) {
--              if ((setgid(ses.authstate.pw->pw_gid) < 0) ||
-+              if ((ses.authstate.pw->pw_gid != 0) && ((setgid(ses.authstate.pw->pw_gid) < 0) ||
-                       (initgroups(ses.authstate.pw->pw_name, 
--                                              ses.authstate.pw->pw_gid) < 0)) {
-+                                              ses.authstate.pw->pw_gid) < 0))) {
-                       dropbear_exit("error changing user group");
-               }
--              if (setuid(ses.authstate.pw->pw_uid) < 0) {
-+              if ((ses.authstate.pw->pw_uid != 0) && (setuid(ses.authstate.pw->pw_uid) < 0)) {
-                       dropbear_exit("error changing user");
-               }
-       } else {
diff --git a/openwrt/package/dropbear/patches/hostkey-prompt.patch b/openwrt/package/dropbear/patches/hostkey-prompt.patch
deleted file mode 100644 (file)
index 59639e7..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urN dropbear-0.45.old/cli-kex.c dropbear-0.45/cli-kex.c
---- dropbear-0.45.old/cli-kex.c        2005-03-07 05:27:01.000000000 +0100
-+++ dropbear-0.45/cli-kex.c    2005-03-25 11:13:57.000000000 +0100
-@@ -119,7 +119,7 @@
-       char response = 'z';
-       fp = sign_key_fingerprint(keyblob, keybloblen);
--      fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n)\n", 
-+      fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n) ", 
-                       cli_opts.remotehost, 
-                       fp);
diff --git a/openwrt/package/dropbear/patches/scp-argument-fix.patch b/openwrt/package/dropbear/patches/scp-argument-fix.patch
deleted file mode 100644 (file)
index befba5d..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -urN dropbear-0.45.old/scp.c dropbear-0.45/scp.c
---- dropbear-0.45.old/scp.c    2005-03-07 05:27:02.000000000 +0100
-+++ dropbear-0.45/scp.c        2005-03-25 11:28:22.000000000 +0100
-@@ -249,9 +249,9 @@
-       args.list = NULL;
-       addargs(&args, "ssh");          /* overwritten with ssh_program */
--      addargs(&args, "-x");
--      addargs(&args, "-oForwardAgent no");
--      addargs(&args, "-oClearAllForwardings yes");
-+//    addargs(&args, "-x");
-+//    addargs(&args, "-oForwardAgent no");
-+//    addargs(&args, "-oClearAllForwardings yes");
-       fflag = tflag = 0;
-       while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
diff --git a/openwrt/package/dropbear/patches/use-dev-urandom.patch b/openwrt/package/dropbear/patches/use-dev-urandom.patch
deleted file mode 100644 (file)
index e1424f5..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urN dropbear-0.45.old/options.h dropbear-0.45/options.h
---- dropbear-0.45.old/options.h        2005-03-14 17:12:22.000000000 +0100
-+++ dropbear-0.45/options.h    2005-03-14 17:13:49.000000000 +0100
-@@ -143,7 +143,7 @@
-  * however significantly reduce the security of your ssh connections
-  * if the PRNG state becomes guessable - make sure you know what you are
-  * doing if you change this. */
--#define DROPBEAR_RANDOM_DEV "/dev/random"
-+#define DROPBEAR_RANDOM_DEV "/dev/urandom"
- /* prngd must be manually set up to produce output */
- /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/