Author: cyrus
Date: 2015-09-07 21:29:25 +0200 (Mon, 07 Sep 2015)
New Revision: 46809

Added:
   
trunk/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
   
trunk/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
Removed:
   trunk/package/utils/busybox/files/telnet
Modified:
   trunk/package/base-files/files/bin/login.sh
   trunk/package/base-files/files/lib/preinit/99_10_failsafe_login
   trunk/package/network/services/dropbear/Makefile
   trunk/package/network/services/dropbear/patches/120-openwrt_options.patch
   trunk/package/utils/busybox/Config-defaults.in
   trunk/package/utils/busybox/Makefile
Log:
Disable telnet in favor of passwordless SSH

This enables passwordless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support altogether.

Signed-off-by: Steven Barth <[email protected]>

Modified: trunk/package/base-files/files/bin/login.sh
===================================================================
--- trunk/package/base-files/files/bin/login.sh 2015-09-07 19:19:25 UTC (rev 
46808)
+++ trunk/package/base-files/files/bin/login.sh 2015-09-07 19:29:25 UTC (rev 
46809)
@@ -10,8 +10,7 @@
 else
 cat << EOF
  === IMPORTANT ============================
-  Use 'passwd' to set your login password
-  this will disable telnet and enable SSH
+  Use 'passwd' to set your login password!
  ------------------------------------------
 EOF
 fi
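Review bot: The shortened banner loses the only user-facing explanation of what an unset password now means: with telnet gone and the dropbear patch added in this same commit, root can log in over SSH without any authentication until `passwd` has been run, and that consequence is the reason the banner exists. A second line under the replaced one would keep that information in front of the user, e.g. `  Use 'passwd' to set your login password!` followed by `  Until then, root can log in via SSH without one`. The if/else around this heredoc starts outside the hunk.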

Modified: trunk/package/base-files/files/lib/preinit/99_10_failsafe_login
===================================================================
--- trunk/package/base-files/files/lib/preinit/99_10_failsafe_login     
2015-09-07 19:19:25 UTC (rev 46808)
+++ trunk/package/base-files/files/lib/preinit/99_10_failsafe_login     
2015-09-07 19:29:25 UTC (rev 46809)
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-       telnetd -l /bin/login.sh <> /dev/null 2>&1
+       dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+       dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
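Review bot: The exit status of dropbearkey on the first added line is ignored, so dropbear is still started with `-r /tmp/dropbear_failsafe_host_key` when key generation fails (unwritable /tmp, or a leftover file if dropbearkey refuses to overwrite one), and the failsafe login then silently does not come up. Chaining the two commands avoids running the server without a host key: `dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key && \` then `dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1`. The 1024-bit size is presumably a generation-time trade-off on slow targets, and the key is regenerated under /tmp on every failsafe boot; a one-line comment recording both, `# small ephemeral key: generated at each failsafe boot, speed matters more than strength here`, keeps a later reader from changing either without understanding the context.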
 
 failsafe_shell() {

Modified: trunk/package/network/services/dropbear/Makefile
===================================================================
--- trunk/package/network/services/dropbear/Makefile    2015-09-07 19:19:25 UTC 
(rev 46808)
+++ trunk/package/network/services/dropbear/Makefile    2015-09-07 19:29:25 UTC 
(rev 46809)
@@ -9,7 +9,7 @@
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \

Modified: 
trunk/package/network/services/dropbear/patches/120-openwrt_options.patch
===================================================================
--- trunk/package/network/services/dropbear/patches/120-openwrt_options.patch   
2015-09-07 19:19:25 UTC (rev 46808)
+++ trunk/package/network/services/dropbear/patches/120-openwrt_options.patch   
2015-09-07 19:29:25 UTC (rev 46809)
@@ -18,6 +18,17 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
 @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
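Review bot: The new hunk inside this patch disables the two Twofish ciphers in options.h, which is unrelated to the telnet/SSH switch described in the log and is not mentioned anywhere in it; clients that only offer Twofish will fail key exchange against the new build. If the drop is intentional (size or cipher hygiene), a sentence in the commit message or a comment line in the patch, e.g. `/* Twofish disabled by OpenWrt: unneeded with AES available, saves space */`, would document it for whoever sees the compatibility change later. The options.h region continues outside the hunk.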

Added: 
trunk/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
===================================================================
--- 
trunk/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
                         (rev 0)
+++ 
trunk/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
 2015-09-07 19:29:25 UTC (rev 46809)
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+                               AUTH_METHOD_NONE_LEN) == 0) {
+               TRACE(("recv_msg_userauth_request: 'none' request"))
+               if (valid_user
+-                              && svr_opts.allowblankpass
++                              && (svr_opts.allowblankpass || 
!strcmp(ses.authstate.pw_name, "root"))
+                               && !svr_opts.noauthpass
+                               && !(svr_opts.norootpass && 
ses.authstate.pw_uid == 0) 
+                               && ses.authstate.pw_passwd[0] == '\0') 
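Review bot: The added condition makes blank-password "none" authentication for root unconditional: it no longer depends on the `-B` (allowblankpass) runtime option, so any build carrying this patch accepts an unauthenticated root login whenever the root password field is empty, with only `-s` (noauthpass, checked two lines below) or `-w` (norootpass, checked on the following line) able to turn it off. The new test also keys on the account name, `!strcmp(ses.authstate.pw_name, "root")`, while the neighbouring norootpass test keys on `ses.authstate.pw_uid == 0`; choose one deliberately (name is the narrower exposure) and state why. The patch has no header text; a few descriptive lines above `--- a/svr-auth.c` explaining the first-boot/failsafe intent and those two interactions are what downstream maintainers will need. recv_msg_userauth_request continues outside the hunk.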

Added: 
trunk/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
===================================================================
--- 
trunk/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
                          (rev 0)
+++ 
trunk/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
  2015-09-07 19:29:25 UTC (rev 46809)
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+               m_free(hostkey_file);
+       }
+ 
++      if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+       loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+       loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++      }
+ 
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+       if (svr_opts.delay_hostkey) {
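Review bot: The new `if (svr_opts.num_hostkey_files <= 0)` guard changes behaviour for every invocation that passes `-r`, not only the failsafe one: the default keys under /etc/dropbear are no longer loaded alongside an explicitly given key file. If the regular init script also passes `-r` for configured keys (inferred, not visible here) it now depends entirely on those paths, which is worth confirming before this lands. The patch carries no header; a short description above `--- a/svr-runopts.c` stating this semantic change and the failsafe motivation is the minimum a later maintainer needs. load_all_hostkeys continues outside the hunk.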

Modified: trunk/package/utils/busybox/Config-defaults.in
===================================================================
--- trunk/package/utils/busybox/Config-defaults.in      2015-09-07 19:19:25 UTC 
(rev 46808)
+++ trunk/package/utils/busybox/Config-defaults.in      2015-09-07 19:29:25 UTC 
(rev 46809)
@@ -2187,19 +2187,19 @@
        default n
 config BUSYBOX_DEFAULT_TELNET
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
        bool
        default n
 config BUSYBOX_DEFAULT_TELNETD
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
        bool
        default n

Modified: trunk/package/utils/busybox/Makefile
===================================================================
--- trunk/package/utils/busybox/Makefile        2015-09-07 19:19:25 UTC (rev 
46808)
+++ trunk/package/utils/busybox/Makefile        2015-09-07 19:29:25 UTC (rev 
46809)
@@ -110,7 +110,6 @@
        $(INSTALL_DIR) $(1)/etc/init.d
        $(CP) $(PKG_INSTALL_DIR)/* $(1)/
        $(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
-       $(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
        $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
        $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
        -rm -rf $(1)/lib64

Deleted: trunk/package/utils/busybox/files/telnet
===================================================================
--- trunk/package/utils/busybox/files/telnet    2015-09-07 19:19:25 UTC (rev 
46808)
+++ trunk/package/utils/busybox/files/telnet    2015-09-07 19:29:25 UTC (rev 
46809)
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
-       local pwd=$([ -f "$1" ] && cat "$1")
-             pwd="${pwd#*root:}"
-             pwd="${pwd%%:*}"
-
-       test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
-       local homedir=$([ -f "$1" ] && cat "$1")
-       homedir="${homedir#*:*:0:0:*:}"
-
-       echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
-       ( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" 
/etc/dropbear/authorized_keys ) || \
-       ( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" 
"$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
-       if ( ! has_ssh_pubkey && \
-            ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
-          ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd 
enabled 2> /dev/null );
-       then
-               procd_open_instance
-               procd_set_param command "$PROG" -F -l /bin/login.sh
-               procd_close_instance
-       fi
-}