source: tt-tools/patchs/dropbear-0.50.patch

Last change on this file was 6, checked in by guillaume, 10 years ago

Publication tt-ttols v0.1
Des outils pour le TwinTact

File size: 9.7 KB
  • dropbear-0.

    diff -Naurw dropbear-0.50/options.h dropbear-0.50-tt/options.h
    old new  
    2121
    2222/* Default hostkey paths - these can be specified on the command line */
    2323#ifndef DSS_PRIV_FILENAME
    24 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
     24#define DSS_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_dss_host_key"
    2525#endif
    2626#ifndef RSA_PRIV_FILENAME
    27 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
     27#define RSA_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_rsa_host_key"
     28#endif
     29
     30#ifdef TWINTACT
     31/* Add few tweak for TwinTact device */
     32#ifndef AUTHORIZED_KEYS
     33#define AUTHORIZED_KEYS "/usr/share/config/dropbear/authorized_keys"
     34#endif
     35
     36#ifndef FORCED_SHELL
     37#define FORCED_SHELL "/usr/share/config/dropbear/shell"
     38#endif
     39
     40#ifndef FORCED_HOME
     41#define FORCED_HOME "/usr/share"
     42#endif
    2843#endif
    2944
    3045/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
     
    3853 * Both of these flags can be defined at once, don't compile without at least
    3954 * one of them. */
    4055#define NON_INETD_MODE
    41 #define INETD_MODE
     56//#define INETD_MODE
    4257
    4358/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
    4459 * perhaps 20% slower for pubkey operations (it is probably worth experimenting
     
    5166#define DROPBEAR_SMALL_CODE
    5267
    5368/* Enable X11 Forwarding - server only */
    54 #define ENABLE_X11FWD
     69//#define ENABLE_X11FWD
    5570
    5671/* Enable TCP Fowarding */
    5772/* 'Local' is "-L" style (client listening port forwarded via server)
     
    6479#define ENABLE_SVR_REMOTETCPFWD
    6580
    6681/* Enable Authentication Agent Forwarding - server only for now */
    67 #define ENABLE_AGENTFWD
     82//#define ENABLE_AGENTFWD
    6883
    6984/* Encryption - at least one required.
    7085 * RFC Draft requires 3DES and recommends AES128 for interoperability.
     
    7388#define DROPBEAR_AES128_CBC
    7489#define DROPBEAR_3DES_CBC
    7590#define DROPBEAR_AES256_CBC
    76 #define DROPBEAR_BLOWFISH_CBC
    77 #define DROPBEAR_TWOFISH256_CBC
    78 #define DROPBEAR_TWOFISH128_CBC
     91//#define DROPBEAR_BLOWFISH_CBC
     92//#define DROPBEAR_TWOFISH256_CBC
     93//#define DROPBEAR_TWOFISH128_CBC
    7994
    8095/* Message Integrity - at least one required.
    8196 * RFC Draft requires sha1 and recommends sha1-96.
     
    112127/* #define DSS_PROTOK */
    113128
    114129/* Whether to do reverse DNS lookups. */
    115 #define DO_HOST_LOOKUP
     130//#define DO_HOST_LOOKUP
    116131
    117132/* Whether to print the message of the day (MOTD). This doesn't add much code
    118133 * size */
     
    120135
    121136/* The MOTD file path */
    122137#ifndef MOTD_FILENAME
    123 #define MOTD_FILENAME "/etc/motd"
     138#define MOTD_FILENAME "/usr/share/config/dropbear/motd"
    124139#endif
    125140
    126141/* Authentication Types - at least one required.
     
    174189 * not yet authenticated. After this limit, connections are rejected */
    175190/* The first setting is per-IP, to avoid denial of service */
    176191#ifndef MAX_UNAUTH_PER_IP
    177 #define MAX_UNAUTH_PER_IP 5
     192#define MAX_UNAUTH_PER_IP 2
    178193#endif
    179194
    180195/* And then a global limit to avoid chewing memory if connections
    181196 * come from many IPs */
    182197#ifndef MAX_UNAUTH_CLIENTS
    183 #define MAX_UNAUTH_CLIENTS 30
     198#define MAX_UNAUTH_CLIENTS 10
    184199#endif
    185200
    186201/* Maximum number of failed authentication tries (server option) */
     
    204219 * OpenSSH), set the path below. If the path isn't defined, sftp will not
    205220 * be enabled */
    206221#ifndef SFTPSERVER_PATH
    207 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
     222#define SFTPSERVER_PATH "/usr/share/bin/sftp-server"
    208223#endif
    209224
    210225/* This is used by the scp binary when used as a client binary. If you're
    211226 * not using the Dropbear client, you'll need to change it */
    212 #define _PATH_SSH_PROGRAM "/usr/bin/dbclient"
     227#define _PATH_SSH_PROGRAM "/usr/share/bin/dbclient"
    213228
    214229/* Whether to log commands executed by a client. This only logs the
    215230 * (single) command sent to the server, not what a user did in a
    216231 * shell/sftp session etc. */
    217 /* #define LOG_COMMANDS */
     232#define LOG_COMMANDS
    218233
    219234/* Window size limits. These tend to be a trade-off between memory
    220235   usage and network performance: */
     
    233248
    234249/* Ensure that data is transmitted every KEEPALIVE seconds. This can
    235250be overridden at runtime with -K. 0 disables keepalives */
    236 #define DEFAULT_KEEPALIVE 0
     251#define DEFAULT_KEEPALIVE 30
    237252
    238253/*******************************************************************
    239254 * You shouldn't edit below here unless you know you need to.
    240255 *******************************************************************/
    241256
    242257#ifndef DROPBEAR_VERSION
    243 #define DROPBEAR_VERSION "0.50"
     258#define DROPBEAR_VERSION "0.50-TwinTact"
    244259#endif
    245260
    246261#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
  • svr-auth.c

    diff -Naurw dropbear-0.50/svr-auth.c dropbear-0.50-tt/svr-auth.c
    old new  
    215215                        m_free(ses.authstate.printableuser);
    216216        }
    217217
     218#ifdef FORCED_SHELL
     219    TRACE(("Forcing shell to %s", FORCED_SHELL))
     220    ses.authstate.pw->pw_shell = FORCED_SHELL ;
     221#endif
     222
    218223        /* check that user exists */
    219224        if (ses.authstate.pw == NULL) {
    220225                TRACE(("leave checkusername: user '%s' doesn't exist", username))
     
    236241                return DROPBEAR_FAILURE;
    237242        }
    238243
     244/* Skip password check on twintact */
     245#ifndef TWINTACT
    239246        /* check for an empty password */
    240247        if (ses.authstate.pw->pw_passwd[0] == '\0') {
    241248                TRACE(("leave checkusername: empty pword"))
     
    244251                send_msg_userauth_failure(0, 1);
    245252                return DROPBEAR_FAILURE;
    246253        }
     254#endif
    247255
    248256        TRACE(("shell is %s", ses.authstate.pw->pw_shell))
    249257
     
    254262                usershell = "/bin/sh";
    255263        }
    256264
     265#ifdef FORCED_SHELL
     266    // Skip checking the shell... just trust it
     267    goto goodshell;
     268#endif
     269
    257270        /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
    258271         * should return some standard shells like "/bin/sh" and "/bin/csh" (this
    259272         * is platform-specific) */
  • svr-authpasswd.c

    diff -Naurw dropbear-0.50/svr-authpasswd.c dropbear-0.50-tt/svr-authpasswd.c
    old new  
    6060        passwdcrypt = DEBUG_HACKCRYPT;
    6161#endif
    6262
     63#ifndef TWINTACT
    6364        /* check for empty password - need to do this again here
    6465         * since the shadow password may differ to that tested
    6566         * in auth.c */
     
    6970                send_msg_userauth_failure(0, 1);
    7071                return;
    7172        }
     73#endif
    7274
    7375        /* check if client wants to change password */
    7476        changepw = buf_getbool(ses.payload);
  • svr-authpubkey.c

    diff -Naurw dropbear-0.50/svr-authpubkey.c dropbear-0.50-tt/svr-authpubkey.c
    old new  
    176176                goto out;
    177177        }
    178178
     179#ifdef AUTHORIZED_KEYS
     180    filename = (char *) AUTHORIZED_KEYS ;
     181#else
    179182        /* we don't need to check pw and pw_dir for validity, since
    180183         * its been done in checkpubkeyperms. */
    181184        len = strlen(ses.authstate.pw->pw_dir);
     
    184187        filename = m_malloc(len + 22);
    185188        snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
    186189                                ses.authstate.pw->pw_dir);
     190#endif
    187191
    188192        /* open the file */
    189193        authfile = fopen(filename, "r");
     
    247251        if (line) {
    248252                buf_free(line);
    249253        }
     254#ifndef AUTHORIZED_KEYS
    250255        m_free(filename);
     256#endif
    251257        TRACE(("leave checkpubkey: ret=%d", ret))
    252258        return ret;
    253259}
     
    274280                goto out;
    275281        }
    276282
     283#ifdef AUTHORIZED_KEYS
     284    filename = (char *) AUTHORIZED_KEYS ;
     285#else
    277286        /* allocate max required pathname storage,
    278287         * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
    279288        filename = m_malloc(len + 22);
     
    292301
    293302        /* now check ~/.ssh/authorized_keys */
    294303        strncat(filename, "/authorized_keys", 16);
     304#endif
    295305        if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
    296306                goto out;
    297307        }
     
    300310        ret = DROPBEAR_SUCCESS;
    301311       
    302312out:
     313#ifndef AUTHORIZED_KEYS
    303314        m_free(filename);
     315#endif
    304316
    305317        TRACE(("leave checkpubkeyperms"))
    306318        return ret;
  • svr-chansession.c

    diff -Naurw dropbear-0.50/svr-chansession.c dropbear-0.50-tt/svr-chansession.c
    old new  
    929929                }
    930930        }
    931931
     932#ifdef FORCED_SHELL
     933    usershell = FORCED_SHELL ;
     934#else
    932935        /* an empty shell should be interpreted as "/bin/sh" */
    933936        if (ses.authstate.pw->pw_shell[0] == '\0') {
    934937                usershell = "/bin/sh";
    935938        } else {
    936939                usershell = ses.authstate.pw->pw_shell;
    937940        }
     941#endif
    938942
    939943        /* set env vars */
    940944        addnewvar("USER", ses.authstate.pw->pw_name);
    941945        addnewvar("LOGNAME", ses.authstate.pw->pw_name);
     946#ifdef FORCED_HOME
     947    addnewvar("HOME", FORCED_HOME );
     948#else
    942949        addnewvar("HOME", ses.authstate.pw->pw_dir);
     950#endif
    943951        addnewvar("SHELL", usershell);
    944952        if (chansess->term != NULL) {
    945953                addnewvar("TERM", chansess->term);
  • svr-runopts.c

    diff -Naurw dropbear-0.50/svr-runopts.c dropbear-0.50-tt/svr-runopts.c
    old new  
    6161#endif
    6262                                        "-w             Disallow root logins\n"
    6363#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
     64#ifdef TWINTACT
     65                                        "-s             Enable password logins\n"
     66#else
    6467                                        "-s             Disable password logins\n"
     68#endif
    6569                                        "-g             Disable password logins for root\n"
    6670#endif
    6771#ifdef ENABLE_SVR_LOCALTCPFWD
     
    111115        svr_opts.banner = NULL;
    112116        svr_opts.forkbg = 1;
    113117        svr_opts.norootlogin = 0;
     118#ifdef TWINTACT
     119        svr_opts.noauthpass = 1;
     120#else
    114121        svr_opts.noauthpass = 0;
     122#endif
    115123        svr_opts.norootpass = 0;
    116124        svr_opts.inetdmode = 0;
    117125        svr_opts.portcount = 0;
     
    220228                                        break;
    221229#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
    222230                                case 's':
     231#ifdef TWINTACT
     232                                        svr_opts.noauthpass = 0;
     233#else
    223234                                        svr_opts.noauthpass = 1;
     235#endif
    224236                                        break;
    225237                                case 'g':
    226238                                        svr_opts.norootpass = 1;
Note: See TracBrowser for help on using the repository browser.