authornbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>2005-12-13 19:15:43 +0000
committernbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>2005-12-13 19:15:43 +0000
commitb59790f654a2df0896a48054cc26f4f37188d123 (patch)
tree459e7f053037158fb0b00f5370d67d271da3c741
parent74f6ae6140b1d9d757841dd822263f94916b372e (diff)
update dropbear to 0.47 (adds keyboard-interactive auth, fixes a potential security issue, fixes #59)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@2660 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r--openwrt/package/dropbear/Config.in5
-rw-r--r--openwrt/package/dropbear/Makefile4
-rw-r--r--openwrt/package/dropbear/patches/100-pubkey_path.patch89
-rw-r--r--openwrt/package/dropbear/patches/110-change_user.patch (renamed from openwrt/package/dropbear/patches/change-user.patch)6
-rw-r--r--openwrt/package/dropbear/patches/120-hostkey_prompt.patch (renamed from openwrt/package/dropbear/patches/hostkey-prompt.patch)0
-rw-r--r--openwrt/package/dropbear/patches/130-scp_argument.patch (renamed from openwrt/package/dropbear/patches/scp-argument-fix.patch)0
-rw-r--r--openwrt/package/dropbear/patches/140-use_dev_urandom.patch (renamed from openwrt/package/dropbear/patches/use-dev-urandom.patch)0
-rw-r--r--openwrt/package/dropbear/patches/authpubkey.patch73
8 files changed, 96 insertions, 81 deletions
diff --git a/openwrt/package/dropbear/Config.in b/openwrt/package/dropbear/Config.in
index 0c4b2f452..54d7284ee 100644
--- a/openwrt/package/dropbear/Config.in
+++ b/openwrt/package/dropbear/Config.in
@@ -1,10 +1,9 @@
config BR2_PACKAGE_DROPBEAR
- prompt "dropbear.......................... Small SSH 2 client/server"
- tristate
+ tristate "dropbear - Small SSH 2 client/server"
default y
select BR2_PACKAGE_ZLIB
help
A small SSH 2 server/client designed for small memory environments.
http://matt.ucc.asn.au/dropbear/
-
+
diff --git a/openwrt/package/dropbear/Makefile b/openwrt/package/dropbear/Makefile
index e7144a60d..36548877d 100644
--- a/openwrt/package/dropbear/Makefile
+++ b/openwrt/package/dropbear/Makefile
@@ -3,9 +3,9 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
-PKG_VERSION:=0.46
+PKG_VERSION:=0.47
PKG_RELEASE:=1
-PKG_MD5SUM:=f0e535a62b57e5bde9ecba4a11402178
+PKG_MD5SUM:=cf634614d52278d44dfd9c224a438bf2
PKG_SOURCE_URL:=http://matt.ucc.asn.au/dropbear/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
diff --git a/openwrt/package/dropbear/patches/100-pubkey_path.patch b/openwrt/package/dropbear/patches/100-pubkey_path.patch
new file mode 100644
index 000000000..4adda38b2
--- /dev/null
+++ b/openwrt/package/dropbear/patches/100-pubkey_path.patch
@@ -0,0 +1,89 @@
+diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c
+--- dropbear.old/svr-authpubkey.c 2005-12-09 06:42:33.000000000 +0100
++++ dropbear.dev/svr-authpubkey.c 2005-12-12 01:35:32.139358750 +0100
+@@ -155,7 +155,6 @@
+ unsigned char* keyblob, unsigned int keybloblen) {
+
+ FILE * authfile = NULL;
+- char * filename = NULL;
+ int ret = DROPBEAR_FAILURE;
+ buffer * line = NULL;
+ unsigned int len, pos;
+@@ -176,17 +175,8 @@
+ goto out;
+ }
+
+- /* we don't need to check pw and pw_dir for validity, since
+- * its been done in checkpubkeyperms. */
+- len = strlen(ses.authstate.pw->pw_dir);
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+- ses.authstate.pw->pw_dir);
+-
+ /* open the file */
+- authfile = fopen(filename, "r");
++ authfile = fopen("/etc/dropbear/authorized_keys", "r");
+ if (authfile == NULL) {
+ goto out;
+ }
+@@ -247,7 +237,6 @@
+ if (line) {
+ buf_free(line);
+ }
+- m_free(filename);
+ TRACE(("leave checkpubkey: ret=%d", ret))
+ return ret;
+ }
+@@ -255,12 +244,11 @@
+
+ /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
+ * DROPBEAR_FAILURE otherwise.
+- * Checks that the user's homedir, ~/.ssh, and
+- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
++ * Checks that /etc/dropbear and /etc/dropbear/authorized_keys
++ * are all owned by either root or the user, and are
+ * g-w, o-w */
+ static int checkpubkeyperms() {
+
+- char* filename = NULL;
+ int ret = DROPBEAR_FAILURE;
+ unsigned int len;
+
+@@ -274,25 +262,11 @@
+ goto out;
+ }
+
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- strncpy(filename, ses.authstate.pw->pw_dir, len+1);
+-
+- /* check ~ */
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+- goto out;
+- }
+-
+- /* check ~/.ssh */
+- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+- /* now check ~/.ssh/authorized_keys */
+- strncat(filename, "/authorized_keys", 16);
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+@@ -300,7 +274,6 @@
+ ret = DROPBEAR_SUCCESS;
+
+ out:
+- m_free(filename);
+
+ TRACE(("leave checkpubkeyperms"))
+ return ret;
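Review bot: With the path hard-coded in `fopen("/etc/dropbear/authorized_keys", "r")` in checkpubkey, every key in that one file is accepted for whichever account name the client requests, so per-user key separation is gone and nothing in the patch says so. The header comment on checkpubkeyperms should state it, for example `/* NOTE: single shared key file; any key listed here can authenticate as any local account */`. That comment still says "owned by either root or the user", so a root-owned file satisfies the check for every account; that is presumably intended on a root-only image, but it is worth spelling out next to the check. The surviving `unsigned int len;` context line in checkpubkeyperms suggests the pw_dir NULL/empty checks are still in place (the deleted authpubkey.patch had removed them), so an account with no home directory would presumably still be refused although the home directory is no longer consulted. Both function bodies extend beyond the embedded hunks, so this should be confirmed against the full svr-authpubkey.c.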
diff --git a/openwrt/package/dropbear/patches/change-user.patch b/openwrt/package/dropbear/patches/110-change_user.patch
index 5ab4a5689..ac617e280 100644
--- a/openwrt/package/dropbear/patches/change-user.patch
+++ b/openwrt/package/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
-diff -ruN dropbear-0.46-old/svr-chansession.c dropbear-0.46-new/svr-chansession.c
---- dropbear-0.46-old/svr-chansession.c 2005-07-08 21:20:59.000000000 +0200
-+++ dropbear-0.46-new/svr-chansession.c 2005-07-12 01:39:12.000000000 +0200
+diff -urN dropbear.old/svr-chansession.c dropbear.dev/svr-chansession.c
+--- dropbear.old/svr-chansession.c 2005-12-09 06:42:33.000000000 +0100
++++ dropbear.dev/svr-chansession.c 2005-12-12 01:42:38.982034750 +0100
@@ -860,12 +860,12 @@
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
diff --git a/openwrt/package/dropbear/patches/hostkey-prompt.patch b/openwrt/package/dropbear/patches/120-hostkey_prompt.patch
index 59639e7b9..59639e7b9 100644
--- a/openwrt/package/dropbear/patches/hostkey-prompt.patch
+++ b/openwrt/package/dropbear/patches/120-hostkey_prompt.patch
diff --git a/openwrt/package/dropbear/patches/scp-argument-fix.patch b/openwrt/package/dropbear/patches/130-scp_argument.patch
index befba5d39..befba5d39 100644
--- a/openwrt/package/dropbear/patches/scp-argument-fix.patch
+++ b/openwrt/package/dropbear/patches/130-scp_argument.patch
diff --git a/openwrt/package/dropbear/patches/use-dev-urandom.patch b/openwrt/package/dropbear/patches/140-use_dev_urandom.patch
index e1424f59a..e1424f59a 100644
--- a/openwrt/package/dropbear/patches/use-dev-urandom.patch
+++ b/openwrt/package/dropbear/patches/140-use_dev_urandom.patch
diff --git a/openwrt/package/dropbear/patches/authpubkey.patch b/openwrt/package/dropbear/patches/authpubkey.patch
deleted file mode 100644
index 07beefe71..000000000
--- a/openwrt/package/dropbear/patches/authpubkey.patch
+++ /dev/null
@@ -1,73 +0,0 @@
---- dropbear-0.45.old/svr-authpubkey.c 2005-09-27 12:45:20.863639072 +0200
-+++ dropbear-0.45/svr-authpubkey.c 2005-09-27 13:15:09.066790872 +0200
-@@ -176,14 +176,10 @@
- goto out;
- }
-
-- /* we don't need to check pw and pw_dir for validity, since
-- * its been done in checkpubkeyperms. */
-- len = strlen(ses.authstate.pw->pw_dir);
- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-- ses.authstate.pw->pw_dir);
-+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+ filename = m_malloc(30);
-+ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-
- /* open the file */
- authfile = fopen(filename, "r");
-@@ -255,43 +251,33 @@
-
- /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
- * DROPBEAR_FAILURE otherwise.
-- * Checks that the user's homedir, ~/.ssh, and
-- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
-+ * Checks that /etc, /etc/dropbear and /etc/dropbear/authorized_keys
-+ * are all owned by either root or the user, and are
- * g-w, o-w */
- static int checkpubkeyperms() {
-
- char* filename = NULL;
- int ret = DROPBEAR_FAILURE;
-- unsigned int len;
-
- TRACE(("enter checkpubkeyperms"))
-
-- assert(ses.authstate.pw);
-- if (ses.authstate.pw->pw_dir == NULL) {
-- goto out;
-- }
--
-- if ((len = strlen(ses.authstate.pw->pw_dir)) == 0) {
-- goto out;
-- }
--
- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- strncpy(filename, ses.authstate.pw->pw_dir, len+1);
-+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+ filename = m_malloc(30);
-+ strncpy(filename, "/etc", 4); /* strlen("/etc") == 4 */
-
-- /* check ~ */
-+ /* check /etc */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-
-- /* check ~/.ssh */
-- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
-+ /* check /etc/dropbear */
-+ strncat(filename, "/dropbear", 9); /* strlen("/dropbear") == 9 */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-
-- /* now check ~/.ssh/authorized_keys */
-+ /* now check /etc/dropbear/authorized_keys */
- strncat(filename, "/authorized_keys", 16);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;