update dropbear to 0.47 (adds keyboard-interactive auth, fixes a potential security issue, fixes #59)

SVN-Revision: 2660
19 years ago · b9a3554f4a
parent 6db7170690
commit b9a3554f4a
8 changed files with 96 additions and 81 deletions
--- a/openwrt/package/dropbear/Config.in
+++ b/openwrt/package/dropbear/Config.in
@ -1,10 +1,9 @@
 config BR2_PACKAGE_DROPBEAR
-	prompt "dropbear.......................... Small SSH 2 client/server"
-	tristate
+	tristate "dropbear - Small SSH 2 client/server"
 	default y
 	select BR2_PACKAGE_ZLIB
 	help
 	  A small SSH 2 server/client designed for small memory environments.
 	  
 	  http://matt.ucc.asn.au/dropbear/
-
+	  
--- a/openwrt/package/dropbear/Makefile
+++ b/openwrt/package/dropbear/Makefile
@ -3,9 +3,9 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=dropbear
-PKG_VERSION:=0.46
+PKG_VERSION:=0.47
 PKG_RELEASE:=1
-PKG_MD5SUM:=f0e535a62b57e5bde9ecba4a11402178
+PKG_MD5SUM:=cf634614d52278d44dfd9c224a438bf2

 PKG_SOURCE_URL:=http://matt.ucc.asn.au/dropbear/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
--- a/openwrt/package/dropbear/patches/100-pubkey_path.patch
+++ b/openwrt/package/dropbear/patches/100-pubkey_path.patch
@ -0,0 +1,89 @@
+diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c
+--- dropbear.old/svr-authpubkey.c	2005-12-09 06:42:33.000000000 +0100
+++ dropbear.dev/svr-authpubkey.c	2005-12-12 01:35:32.139358750 +0100
+@@ -155,7 +155,6 @@
+ 		unsigned char* keyblob, unsigned int keybloblen) {
+ 
+ 	FILE * authfile = NULL;
+-	char * filename = NULL;
+ 	int ret = DROPBEAR_FAILURE;
+ 	buffer * line = NULL;
+ 	unsigned int len, pos;
+@@ -176,17 +175,8 @@
+ 		goto out;
+ 	}
+ 
+-	/* we don't need to check pw and pw_dir for validity, since
+-	 * its been done in checkpubkeyperms. */
+-	len = strlen(ses.authstate.pw->pw_dir);
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	filename = m_malloc(len + 22);
+-	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
+-				ses.authstate.pw->pw_dir);
+-
+ 	/* open the file */
+-	authfile = fopen(filename, "r");
+	authfile = fopen("/etc/dropbear/authorized_keys", "r");
+ 	if (authfile == NULL) {
+ 		goto out;
+ 	}
+@@ -247,7 +237,6 @@
+ 	if (line) {
+ 		buf_free(line);
+ 	}
+-	m_free(filename);
+ 	TRACE(("leave checkpubkey: ret=%d", ret))
+ 	return ret;
+ }
+@@ -255,12 +244,11 @@
+ 
+ /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
+  * DROPBEAR_FAILURE otherwise.
+- * Checks that the user's homedir, ~/.ssh, and
+- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
+ * Checks that /etc/dropbear and /etc/dropbear/authorized_keys
+ * are all owned by either root or the user, and are
+  * g-w, o-w */
+ static int checkpubkeyperms() {
+ 
+-	char* filename = NULL; 
+ 	int ret = DROPBEAR_FAILURE;
+ 	unsigned int len;
+ 
+@@ -274,25 +262,11 @@
+ 		goto out;
+ 	}
+ 
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	filename = m_malloc(len + 22);
+-	strncpy(filename, ses.authstate.pw->pw_dir, len+1);
+-
+-	/* check ~ */
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
+-
+-	/* check ~/.ssh */
+-	strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+	if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
+ 		goto out;
+ 	}
+ 
+-	/* now check ~/.ssh/authorized_keys */
+-	strncat(filename, "/authorized_keys", 16);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+	if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
+ 		goto out;
+ 	}
+ 
+@@ -300,7 +274,6 @@
+ 	ret = DROPBEAR_SUCCESS;
+ 	
+ out:
+-	m_free(filename);
+ 
+ 	TRACE(("leave checkpubkeyperms"))
+ 	return ret;
--- a/openwrt/package/dropbear/patches/110-change_user.patch
+++ b/openwrt/package/dropbear/patches/110-change_user.patch
@ -1,6 +1,6 @@
-diff -ruN dropbear-0.46-old/svr-chansession.c dropbear-0.46-new/svr-chansession.c
--- dropbear-0.46-old/svr-chansession.c	2005-07-08 21:20:59.000000000 +0200
-+++ dropbear-0.46-new/svr-chansession.c	2005-07-12 01:39:12.000000000 +0200
+diff -urN dropbear.old/svr-chansession.c dropbear.dev/svr-chansession.c
+--- dropbear.old/svr-chansession.c	2005-12-09 06:42:33.000000000 +0100
+++ dropbear.dev/svr-chansession.c	2005-12-12 01:42:38.982034750 +0100
@@ -860,12 +860,12 @@
 	/* We can only change uid/gid as root ... */
 	if (getuid() == 0) {
--- a/openwrt/package/dropbear/patches/120-hostkey_prompt.patch
+++ b/openwrt/package/dropbear/patches/120-hostkey_prompt.patch
--- a/openwrt/package/dropbear/patches/130-scp_argument.patch
+++ b/openwrt/package/dropbear/patches/130-scp_argument.patch
--- a/openwrt/package/dropbear/patches/140-use_dev_urandom.patch
+++ b/openwrt/package/dropbear/patches/140-use_dev_urandom.patch
--- a/openwrt/package/dropbear/patches/authpubkey.patch
+++ b/openwrt/package/dropbear/patches/authpubkey.patch
@ -1,73 +0,0 @@
--- dropbear-0.45.old/svr-authpubkey.c	2005-09-27 12:45:20.863639072 +0200
-+++ dropbear-0.45/svr-authpubkey.c	2005-09-27 13:15:09.066790872 +0200
-@@ -176,14 +176,10 @@
- 		goto out;
- 	}
- 
-	/* we don't need to check pw and pw_dir for validity, since
-	 * its been done in checkpubkeyperms. */
-	len = strlen(ses.authstate.pw->pw_dir);
- 	/* allocate max required pathname storage,
-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-	filename = m_malloc(len + 22);
-	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
-				ses.authstate.pw->pw_dir);
-+	 * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+	filename = m_malloc(30);
-+	strncpy(filename, "/etc/dropbear/authorized_keys", 30);
- 
- 	/* open the file */
- 	authfile = fopen(filename, "r");
-@@ -255,43 +251,33 @@
- 
- /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
-  * DROPBEAR_FAILURE otherwise.
- * Checks that the user's homedir, ~/.ssh, and
- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
-+ * Checks that /etc, /etc/dropbear and /etc/dropbear/authorized_keys
-+ * are all owned by either root or the user, and are
-  * g-w, o-w */
- static int checkpubkeyperms() {
- 
- 	char* filename = NULL; 
- 	int ret = DROPBEAR_FAILURE;
-	unsigned int len;
- 
- 	TRACE(("enter checkpubkeyperms"))
- 
-	assert(ses.authstate.pw);
-	if (ses.authstate.pw->pw_dir == NULL) {
-		goto out;
-	}
-
-	if ((len = strlen(ses.authstate.pw->pw_dir)) == 0) {
-		goto out;
-	}
-
- 	/* allocate max required pathname storage,
-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-	filename = m_malloc(len + 22);
-	strncpy(filename, ses.authstate.pw->pw_dir, len+1);
-+	 * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+	filename = m_malloc(30);
-+	strncpy(filename, "/etc", 4); /* strlen("/etc") == 4 */
- 
-	/* check ~ */
-+	/* check /etc */
- 	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- 		goto out;
- 	}
- 
-	/* check ~/.ssh */
-	strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
-+	/* check /etc/dropbear */
-+	strncat(filename, "/dropbear", 9); /* strlen("/dropbear") == 9 */
- 	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- 		goto out;
- 	}
- 
-	/* now check ~/.ssh/authorized_keys */
-+	/* now check /etc/dropbear/authorized_keys */
- 	strncat(filename, "/authorized_keys", 16);
- 	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- 		goto out;