dropbear: enable password auth
This commit is contained in:
Leonid Pliushch
Fredrik Fornwall
parent
b19653b13e
commit
0c79d1cc56
10
packages/dropbear/build.sh
Executable file → Normal file
10
packages/dropbear/build.sh
Executable file → Normal file
@ -3,16 +3,22 @@ TERMUX_PKG_DESCRIPTION="Small SSH server and client"
|
||||
TERMUX_PKG_DEPENDS="libutil"
|
||||
TERMUX_PKG_CONFLICTS="openssh"
|
||||
TERMUX_PKG_VERSION=2018.76
|
||||
TERMUX_PKG_REVISION=4
|
||||
TERMUX_PKG_REVISION=5
|
||||
TERMUX_PKG_SRCURL=https://matt.ucc.asn.au/dropbear/releases/dropbear-${TERMUX_PKG_VERSION}.tar.bz2
|
||||
TERMUX_PKG_SHA256=f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65
|
||||
TERMUX_PKG_EXTRA_CONFIGURE_ARGS="--disable-syslog --disable-utmp --disable-utmpx --disable-wtmp"
|
||||
TERMUX_PKG_DEPENDS="termux-auth"
|
||||
TERMUX_PKG_BUILD_IN_SRC="yes"
|
||||
|
||||
TERMUX_PKG_EXTRA_CONFIGURE_ARGS="--disable-syslog --disable-utmp --disable-utmpx --disable-wtmp"
|
||||
# Avoid linking to libcrypt for server password authentication:
|
||||
TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" ac_cv_lib_crypt_crypt=no"
|
||||
# build a multi-call binary
|
||||
TERMUX_PKG_EXTRA_MAKE_ARGS="MULTI=1"
|
||||
|
||||
termux_step_pre_configure() {
|
||||
export LIBS="-ltermux-auth"
|
||||
}
|
||||
|
||||
termux_step_post_make_install() {
|
||||
ln -sf "dropbearmulti" "${TERMUX_PREFIX}/bin/ssh"
|
||||
}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_options.h
|
||||
--- dropbear-2018.76/default_options.h 2018-02-27 16:25:10.000000000 +0200
|
||||
+++ dropbear-2018.76.mod/default_options.h 2018-04-21 13:44:59.120396918 +0300
|
||||
+++ dropbear-2018.76.mod/default_options.h 2018-10-21 14:11:01.838918022 +0300
|
||||
@@ -13,15 +13,15 @@
|
||||
|
||||
IMPORTANT: Some options will require "make clean" after changes */
|
||||
@ -30,7 +30,7 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option
|
||||
|
||||
/* Enable X11 Forwarding - server only */
|
||||
#define DROPBEAR_X11FWD 1
|
||||
@@ -175,11 +175,11 @@
|
||||
@@ -175,7 +175,7 @@
|
||||
|
||||
/* Whether to print the message of the day (MOTD). */
|
||||
#define DO_MOTD 0
|
||||
@ -39,11 +39,6 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option
|
||||
|
||||
/* Authentication Types - at least one required.
|
||||
RFC Draft requires pubkey auth, and recommends password */
|
||||
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
|
||||
+#undef DROPBEAR_SVR_PASSWORD_AUTH
|
||||
|
||||
/* Note: PAM auth is quite simple and only works for PAM modules which just do
|
||||
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
|
||||
@@ -222,7 +222,7 @@
|
||||
|
||||
/* Set this to use PRNGD or EGD instead of /dev/urandom */
|
||||
|
||||
93
packages/dropbear/svr-authpasswd.c.patch
Normal file
93
packages/dropbear/svr-authpasswd.c.patch
Normal file
@ -0,0 +1,93 @@
|
||||
diff -uNr dropbear-2018.76/svr-authpasswd.c dropbear-2018.76.mod/svr-authpasswd.c
|
||||
--- dropbear-2018.76/svr-authpasswd.c 2018-02-27 16:25:12.000000000 +0200
|
||||
+++ dropbear-2018.76.mod/svr-authpasswd.c 2018-10-21 14:05:37.774231619 +0300
|
||||
@@ -33,36 +33,13 @@
|
||||
|
||||
#if DROPBEAR_SVR_PASSWORD_AUTH
|
||||
|
||||
-/* not constant time when strings are differing lengths.
|
||||
- string content isn't leaked, and crypt hashes are predictable length. */
|
||||
-static int constant_time_strcmp(const char* a, const char* b) {
|
||||
- size_t la = strlen(a);
|
||||
- size_t lb = strlen(b);
|
||||
-
|
||||
- if (la != lb) {
|
||||
- return 1;
|
||||
- }
|
||||
-
|
||||
- return constant_time_memcmp(a, b, la);
|
||||
-}
|
||||
+#include <termux-auth.h>
|
||||
|
||||
/* Process a password auth request, sending success or failure messages as
|
||||
* appropriate */
|
||||
void svr_auth_password() {
|
||||
-
|
||||
- char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
|
||||
- char * testcrypt = NULL; /* crypt generated from the user's password sent */
|
||||
- char * password;
|
||||
- unsigned int passwordlen;
|
||||
-
|
||||
- unsigned int changepw;
|
||||
-
|
||||
- passwdcrypt = ses.authstate.pw_passwd;
|
||||
-
|
||||
-#ifdef DEBUG_HACKCRYPT
|
||||
- /* debugging crypt for non-root testing with shadows */
|
||||
- passwdcrypt = DEBUG_HACKCRYPT;
|
||||
-#endif
|
||||
+ char *password;
|
||||
+ unsigned int changepw, passwordlen;
|
||||
|
||||
/* check if client wants to change password */
|
||||
changepw = buf_getbool(ses.payload);
|
||||
@@ -72,43 +49,23 @@
|
||||
return;
|
||||
}
|
||||
|
||||
- password = buf_getstring(ses.payload, &passwordlen);
|
||||
-
|
||||
- /* the first bytes of passwdcrypt are the salt */
|
||||
- testcrypt = crypt(password, passwdcrypt);
|
||||
- m_burn(password, passwordlen);
|
||||
- m_free(password);
|
||||
-
|
||||
- if (testcrypt == NULL) {
|
||||
- /* crypt() with an invalid salt like "!!" */
|
||||
- dropbear_log(LOG_WARNING, "User account '%s' is locked",
|
||||
- ses.authstate.pw_name);
|
||||
- send_msg_userauth_failure(0, 1);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- /* check for empty password */
|
||||
- if (passwdcrypt[0] == '\0') {
|
||||
- dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
|
||||
- ses.authstate.pw_name);
|
||||
- send_msg_userauth_failure(0, 1);
|
||||
- return;
|
||||
- }
|
||||
+ password = buf_getstring(ses.payload, &passwordlen);
|
||||
|
||||
- if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
|
||||
+ /* check if password is valid */
|
||||
+ if (termux_auth(ses.authstate.pw_name, password)) {
|
||||
/* successful authentication */
|
||||
- dropbear_log(LOG_NOTICE,
|
||||
+ dropbear_log(LOG_NOTICE,
|
||||
"Password auth succeeded for '%s' from %s",
|
||||
ses.authstate.pw_name,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_success();
|
||||
- } else {
|
||||
+ } else {
|
||||
dropbear_log(LOG_WARNING,
|
||||
"Bad password attempt for '%s' from %s",
|
||||
ses.authstate.pw_name,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
- }
|
||||
+ }
|
||||
}
|
||||
|
||||
#endif
|
||||
@ -1,6 +1,6 @@
|
||||
diff -uNr dropbear-2018.76/sysoptions.h dropbear-2018.76.mod/sysoptions.h
|
||||
--- dropbear-2018.76/sysoptions.h 2018-02-27 16:25:12.000000000 +0200
|
||||
+++ dropbear-2018.76.mod/sysoptions.h 2018-04-21 13:48:41.227075019 +0300
|
||||
+++ dropbear-2018.76.mod/sysoptions.h 2018-10-21 13:49:10.558094478 +0300
|
||||
@@ -71,7 +71,7 @@
|
||||
|
||||
#define _PATH_TTY "/dev/tty"
|
||||
@ -10,3 +10,14 @@ diff -uNr dropbear-2018.76/sysoptions.h dropbear-2018.76.mod/sysoptions.h
|
||||
|
||||
#define DROPBEAR_ESCAPE_CHAR '~'
|
||||
|
||||
@@ -233,10 +233,6 @@
|
||||
#error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
|
||||
#endif
|
||||
|
||||
-#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
|
||||
- #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
|
||||
-#endif
|
||||
-
|
||||
#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
|
||||
#error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
|
||||
#endif
|
||||
|
||||
Loading…
Reference in New Issue
Block a user