
Revision 6, 9.7 KB checked in by guillaume, 9 years ago (diff)

Publication tt-tools v0.1
Des outils pour le TwinTact

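diff -Naurw dropbear-0.50/options.h dropbear-0.50-tt/options.h
--- a/options.h
+++ b/options.h
@@ -21,10 +21,25 @@
 
 /* Default hostkey paths - these can be specified on the command line */
 #ifndef DSS_PRIV_FILENAME
-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
+#define DSS_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_dss_host_key"
 #endif
 #ifndef RSA_PRIV_FILENAME
-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
+#define RSA_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_rsa_host_key"
+#endif
+
+#ifdef TWINTACT
+/* Add few tweak for TwinTact device */
+#ifndef AUTHORIZED_KEYS
+#define AUTHORIZED_KEYS "/usr/share/config/dropbear/authorized_keys"
+#endif
+
+#ifndef FORCED_SHELL
+#define FORCED_SHELL "/usr/share/config/dropbear/shell"
+#endif
+
+#ifndef FORCED_HOME
+#define FORCED_HOME "/usr/share"
+#endif
 #endif
 
 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
@@ -38,7 +53,7 @@
  * Both of these flags can be defined at once, don't compile without at least
  * one of them. */
 #define NON_INETD_MODE
-#define INETD_MODE
+//#define INETD_MODE
 
 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
  * perhaps 20% slower for pubkey operations (it is probably worth experimenting
@@ -51,7 +66,7 @@
 #define DROPBEAR_SMALL_CODE
 
 /* Enable X11 Forwarding - server only */
-#define ENABLE_X11FWD
+//#define ENABLE_X11FWD
 
 /* Enable TCP Fowarding */
 /* 'Local' is "-L" style (client listening port forwarded via server)
@@ -64,7 +79,7 @@
 #define ENABLE_SVR_REMOTETCPFWD
 
 /* Enable Authentication Agent Forwarding - server only for now */
-#define ENABLE_AGENTFWD
+//#define ENABLE_AGENTFWD
 
 /* Encryption - at least one required.
  * RFC Draft requires 3DES and recommends AES128 for interoperability.
@@ -73,9 +88,9 @@
 #define DROPBEAR_AES128_CBC
 #define DROPBEAR_3DES_CBC
 #define DROPBEAR_AES256_CBC
-#define DROPBEAR_BLOWFISH_CBC
-#define DROPBEAR_TWOFISH256_CBC
-#define DROPBEAR_TWOFISH128_CBC
+//#define DROPBEAR_BLOWFISH_CBC
+//#define DROPBEAR_TWOFISH256_CBC
+//#define DROPBEAR_TWOFISH128_CBC
 
 /* Message Integrity - at least one required.
  * RFC Draft requires sha1 and recommends sha1-96.
@@ -112,7 +127,7 @@
 /* #define DSS_PROTOK */
 
 /* Whether to do reverse DNS lookups. */
-#define DO_HOST_LOOKUP
+//#define DO_HOST_LOOKUP
 
 /* Whether to print the message of the day (MOTD). This doesn't add much code
  * size */
@@ -120,7 +135,7 @@
 
 /* The MOTD file path */
 #ifndef MOTD_FILENAME
-#define MOTD_FILENAME "/etc/motd"
+#define MOTD_FILENAME "/usr/share/config/dropbear/motd"
 #endif
 
 /* Authentication Types - at least one required.
@@ -174,13 +189,13 @@
  * not yet authenticated. After this limit, connections are rejected */
 /* The first setting is per-IP, to avoid denial of service */
 #ifndef MAX_UNAUTH_PER_IP
-#define MAX_UNAUTH_PER_IP 5
+#define MAX_UNAUTH_PER_IP 2
 #endif
 
 /* And then a global limit to avoid chewing memory if connections 
  * come from many IPs */
 #ifndef MAX_UNAUTH_CLIENTS
-#define MAX_UNAUTH_CLIENTS 30
+#define MAX_UNAUTH_CLIENTS 10
 #endif
 
 /* Maximum number of failed authentication tries (server option) */
@@ -204,17 +219,17 @@
  * OpenSSH), set the path below. If the path isn't defined, sftp will not
  * be enabled */
 #ifndef SFTPSERVER_PATH
-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
+#define SFTPSERVER_PATH "/usr/share/bin/sftp-server"
 #endif
 
 /* This is used by the scp binary when used as a client binary. If you're
  * not using the Dropbear client, you'll need to change it */
-#define _PATH_SSH_PROGRAM "/usr/bin/dbclient"
+#define _PATH_SSH_PROGRAM "/usr/share/bin/dbclient"
 
 /* Whether to log commands executed by a client. This only logs the 
  * (single) command sent to the server, not what a user did in a 
  * shell/sftp session etc. */
-/* #define LOG_COMMANDS */
+#define LOG_COMMANDS
 
 /* Window size limits. These tend to be a trade-off between memory
    usage and network performance: */
@@ -233,14 +248,14 @@
 
 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
 be overridden at runtime with -K. 0 disables keepalives */
-#define DEFAULT_KEEPALIVE 0
+#define DEFAULT_KEEPALIVE 30
 
 /*******************************************************************
  * You shouldn't edit below here unless you know you need to.
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.50"
+#define DROPBEAR_VERSION "0.50-TwinTact"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION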
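Review bot: The comment `/* Add few tweak for TwinTact device */` above the three new macros does not say what they change, and they change the authentication model of the server; I would replace it with `/* TwinTact: one global authorized_keys file is consulted for every account, and every session gets FORCED_SHELL as its login shell and FORCED_HOME as $HOME, whatever the passwd entry says */`. Host keys, authorized_keys, the forced shell and the MOTD now all live under /usr/share/config/dropbear, so whoever can write that directory controls both the server's identity and who may log in; a line stating the expected ownership and mode (root-owned, not group- or world-writable) would give the device build scripts something to enforce. Note also that FORCED_SHELL and FORCED_HOME are only defaulted inside `#ifdef TWINTACT` while the .c hunks test each macro on its own, so a build that defines one of them without TWINTACT gets a partial TwinTact behaviour; worth a one-line note here.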
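diff -Naurw dropbear-0.50/svr-auth.c dropbear-0.50-tt/svr-auth.c
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -215,6 +215,11 @@
                        m_free(ses.authstate.printableuser);
        }
 
+#ifdef FORCED_SHELL
+    TRACE(("Forcing shell to %s", FORCED_SHELL))
+    ses.authstate.pw->pw_shell = FORCED_SHELL ;
+#endif
+
        /* check that user exists */
        if (ses.authstate.pw == NULL) {
                TRACE(("leave checkusername: user '%s' doesn't exist", username))
@@ -236,6 +241,8 @@
                return DROPBEAR_FAILURE;
        }
 
+/* Skip password check on twintact */
+#ifndef TWINTACT
        /* check for an empty password */
        if (ses.authstate.pw->pw_passwd[0] == '\0') {
                TRACE(("leave checkusername: empty pword"))
@@ -244,6 +251,7 @@
                send_msg_userauth_failure(0, 1);
                return DROPBEAR_FAILURE;
        }
+#endif
 
        TRACE(("shell is %s", ses.authstate.pw->pw_shell))
 
@@ -254,6 +262,11 @@
                usershell = "/bin/sh";
        }
 
+#ifdef FORCED_SHELL
+    // Skip checking the shell... just trust it
+    goto goodshell;
+#endif
+
        /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
         * should return some standard shells like "/bin/sh" and "/bin/csh" (this
         * is platform-specific) */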
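Review bot: The new `#ifdef FORCED_SHELL` block writes `ses.authstate.pw->pw_shell = FORCED_SHELL ;` before the `if (ses.authstate.pw == NULL)` test that immediately follows it, so an authentication request naming a user that does not exist dereferences a null pointer and crashes the process handling that connection, before any credential is checked, and any remote client can trigger it. Move the four lines below the existence check, for example just before `TRACE(("shell is %s", ses.authstate.pw->pw_shell))`. Separately, `#ifndef TWINTACT` removes the empty-password rejection for every authentication method; if the aim is only to let pubkey logins succeed on accounts whose passwd field is empty, `if (!svr_opts.noauthpass && ses.authstate.pw->pw_passwd[0] == '\0')` keeps the protection whenever `-s` re-enables passwords (assuming svr_opts is visible in this file, as it is elsewhere in svr-auth.c, please confirm). checkusername starts and ends outside these hunks.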
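diff -Naurw dropbear-0.50/svr-authpasswd.c dropbear-0.50-tt/svr-authpasswd.c
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -60,6 +60,7 @@
        passwdcrypt = DEBUG_HACKCRYPT;
 #endif
 
+#ifndef TWINTACT
        /* check for empty password - need to do this again here
         * since the shadow password may differ to that tested
         * in auth.c */
@@ -69,6 +70,7 @@
                send_msg_userauth_failure(0, 1);
                return;
        }
+#endif
 
        /* check if client wants to change password */
        changepw = buf_getbool(ses.payload);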
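Review bot: With `#ifndef TWINTACT` the empty-password rejection is gone from the password path itself, and svr-runopts.c in this same patch lets `-s` turn password authentication back on, so an account whose passwd or shadow hash is empty then falls through to the crypt() comparison further down (outside the hunk) with whatever `crypt(password, "")` yields on this libc, which is not something to rely on. Since the TwinTact build already disables passwords by default, I would keep this check unconditional: drop the `#ifndef TWINTACT` / `#endif` pair here and confine the relaxation to checkusername. If device accounts legitimately carry an empty field, a comment saying so belongs at this site. svr_auth_password starts and ends outside the hunks.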
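diff -Naurw dropbear-0.50/svr-authpubkey.c dropbear-0.50-tt/svr-authpubkey.c
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -176,6 +176,9 @@
                goto out;
        }
 
+#ifdef AUTHORIZED_KEYS
+    filename = (char *) AUTHORIZED_KEYS ;
+#else
        /* we don't need to check pw and pw_dir for validity, since
         * its been done in checkpubkeyperms. */
        len = strlen(ses.authstate.pw->pw_dir);
@@ -184,6 +187,7 @@
        filename = m_malloc(len + 22);
        snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
                                ses.authstate.pw->pw_dir);
+#endif
 
        /* open the file */
        authfile = fopen(filename, "r");
@@ -247,7 +251,9 @@
        if (line) {
                buf_free(line);
        }
+#ifndef AUTHORIZED_KEYS
        m_free(filename);
+#endif
        TRACE(("leave checkpubkey: ret=%d", ret))
        return ret;
 }
@@ -274,6 +280,9 @@
                goto out;
        }
 
+#ifdef AUTHORIZED_KEYS
+    filename = (char *) AUTHORIZED_KEYS ;
+#else
        /* allocate max required pathname storage,
         * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
        filename = m_malloc(len + 22);
@@ -292,6 +301,7 @@
 
        /* now check ~/.ssh/authorized_keys */
        strncat(filename, "/authorized_keys", 16);
+#endif
        if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
                goto out;
        }
@@ -300,7 +310,9 @@
        ret = DROPBEAR_SUCCESS;
        
 out:
+#ifndef AUTHORIZED_KEYS
        m_free(filename);
+#endif
 
        TRACE(("leave checkpubkeyperms"))
        return ret;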
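Review bot: In checkpubkeyperms the fixed `AUTHORIZED_KEYS` path only goes through `checkfileperm(filename)`; the per-user branch it bypasses also checked the home and .ssh directories, so a group- or world-writable /usr/share/config/dropbear would let any local user replace the key file without the permission check noticing. Add a directory check beside the file check, `if (checkfileperm("/usr/share/config/dropbear") != DROPBEAR_SUCCESS) { goto out; }`, or derive the directory from the macro so the two cannot drift. It is also worth a comment at the `#ifdef AUTHORIZED_KEYS` site that the file is shared by every account, so any key listed there authenticates as any user that passes checkusername, root included unless `-w` is given. Both functions start outside the hunks.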
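diff -Naurw dropbear-0.50/svr-chansession.c dropbear-0.50-tt/svr-chansession.c
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -929,17 +929,25 @@
                }
        }
 
+#ifdef FORCED_SHELL
+    usershell = FORCED_SHELL ;
+#else
        /* an empty shell should be interpreted as "/bin/sh" */
        if (ses.authstate.pw->pw_shell[0] == '\0') {
                usershell = "/bin/sh";
        } else {
                usershell = ses.authstate.pw->pw_shell;
        }
+#endif
 
        /* set env vars */
        addnewvar("USER", ses.authstate.pw->pw_name);
        addnewvar("LOGNAME", ses.authstate.pw->pw_name);
+#ifdef FORCED_HOME
+    addnewvar("HOME", FORCED_HOME );
+#else
        addnewvar("HOME", ses.authstate.pw->pw_dir);
+#endif
        addnewvar("SHELL", usershell);
        if (chansess->term != NULL) {
                addnewvar("TERM", chansess->term);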
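Review bot: The added lines are indented with four spaces and carry a space before the semicolon or closing parenthesis (`usershell = FORCED_SHELL ;`, `addnewvar("HOME", FORCED_HOME );`) while the surrounding dropbear code is tab-indented; matching the file keeps later diffs readable. The forced HOME also sits next to USER/LOGNAME lines that still come from the passwd entry, and the session presumably still starts in pw_dir (any chdir is outside this hunk, please confirm), so a one-line comment such as `/* TwinTact: every session gets FORCED_HOME as $HOME; pw_dir is not used here */` would stop the mismatch from being read as a bug. The enclosing function starts and ends outside the hunk.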
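diff -Naurw dropbear-0.50/svr-runopts.c dropbear-0.50-tt/svr-runopts.c
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -61,7 +61,11 @@
 #endif
                                        "-w             Disallow root logins\n"
 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
+#ifdef TWINTACT
+                                        "-s             Enable password logins\n"
+#else
                                        "-s             Disable password logins\n"
+#endif
                                        "-g             Disable password logins for root\n"
 #endif
 #ifdef ENABLE_SVR_LOCALTCPFWD
@@ -111,7 +115,11 @@
        svr_opts.banner = NULL;
        svr_opts.forkbg = 1;
        svr_opts.norootlogin = 0;
+#ifdef TWINTACT
+        svr_opts.noauthpass = 1;
+#else
        svr_opts.noauthpass = 0;
+#endif
        svr_opts.norootpass = 0;
        svr_opts.inetdmode = 0;
        svr_opts.portcount = 0;
@@ -220,7 +228,11 @@
                                        break;
 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
                                case 's':
+#ifdef TWINTACT
+                                        svr_opts.noauthpass = 0;
+#else
                                        svr_opts.noauthpass = 1;
+#endif
                                        break;
                                case 'g':
                                        svr_opts.norootpass = 1;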
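Review bot: Under `TWINTACT` the `-s` flag now means the opposite of what it means in every other dropbear build (`svr_opts.noauthpass = 0;` on `-s`), so an init script or operator habit carried over from stock dropbear, which passes `-s` to disable passwords, silently enables them here. I would keep `-s` as "disable", keep the TwinTact default of `svr_opts.noauthpass = 1;`, and expose the enable path under a letter the option parser does not already use, with the usage text updated to match. At the very least the inverted meaning needs a comment at the `case 's':` site so the next reader does not treat it as a typo. The option switch continues outside the hunk.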