source: tt-tools/patchs/dropbear-0.50.patch @ 12

Last change on this file since 12 was 6, checked in by guillaume, 17 years ago

Publication tt-ttols v0.1
Des outils pour le TwinTact

File size: 9.7 KB
RevLine 
[6]1diff -Naurw dropbear-0.50/options.h dropbear-0.50-tt/options.h
2--- dropbear-0.50/options.h     2007-08-08 17:39:37.000000000 +0200
3+++ dropbear-0.50-tt/options.h  2008-02-26 19:05:02.000000000 +0100
4@@ -21,10 +21,25 @@
5 
6 /* Default hostkey paths - these can be specified on the command line */
7 #ifndef DSS_PRIV_FILENAME
8-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
9+#define DSS_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_dss_host_key"
10 #endif
11 #ifndef RSA_PRIV_FILENAME
12-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
13+#define RSA_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_rsa_host_key"
14+#endif
15+
16+#ifdef TWINTACT
17+/* Add few tweak for TwinTact device */
18+#ifndef AUTHORIZED_KEYS
19+#define AUTHORIZED_KEYS "/usr/share/config/dropbear/authorized_keys"
20+#endif
21+
22+#ifndef FORCED_SHELL
23+#define FORCED_SHELL "/usr/share/config/dropbear/shell"
24+#endif
25+
26+#ifndef FORCED_HOME
27+#define FORCED_HOME "/usr/share"
28+#endif
29 #endif
30 
31 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
32@@ -38,7 +53,7 @@
33  * Both of these flags can be defined at once, don't compile without at least
34  * one of them. */
35 #define NON_INETD_MODE
36-#define INETD_MODE
37+//#define INETD_MODE
38 
39 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
40  * perhaps 20% slower for pubkey operations (it is probably worth experimenting
41@@ -51,7 +66,7 @@
42 #define DROPBEAR_SMALL_CODE
43 
44 /* Enable X11 Forwarding - server only */
45-#define ENABLE_X11FWD
46+//#define ENABLE_X11FWD
47 
48 /* Enable TCP Fowarding */
49 /* 'Local' is "-L" style (client listening port forwarded via server)
50@@ -64,7 +79,7 @@
51 #define ENABLE_SVR_REMOTETCPFWD
52 
53 /* Enable Authentication Agent Forwarding - server only for now */
54-#define ENABLE_AGENTFWD
55+//#define ENABLE_AGENTFWD
56 
57 /* Encryption - at least one required.
58  * RFC Draft requires 3DES and recommends AES128 for interoperability.
59@@ -73,9 +88,9 @@
60 #define DROPBEAR_AES128_CBC
61 #define DROPBEAR_3DES_CBC
62 #define DROPBEAR_AES256_CBC
63-#define DROPBEAR_BLOWFISH_CBC
64-#define DROPBEAR_TWOFISH256_CBC
65-#define DROPBEAR_TWOFISH128_CBC
66+//#define DROPBEAR_BLOWFISH_CBC
67+//#define DROPBEAR_TWOFISH256_CBC
68+//#define DROPBEAR_TWOFISH128_CBC
69 
70 /* Message Integrity - at least one required.
71  * RFC Draft requires sha1 and recommends sha1-96.
72@@ -112,7 +127,7 @@
73 /* #define DSS_PROTOK */
74 
75 /* Whether to do reverse DNS lookups. */
76-#define DO_HOST_LOOKUP
77+//#define DO_HOST_LOOKUP
78 
79 /* Whether to print the message of the day (MOTD). This doesn't add much code
80  * size */
81@@ -120,7 +135,7 @@
82 
83 /* The MOTD file path */
84 #ifndef MOTD_FILENAME
85-#define MOTD_FILENAME "/etc/motd"
86+#define MOTD_FILENAME "/usr/share/config/dropbear/motd"
87 #endif
88 
89 /* Authentication Types - at least one required.
90@@ -174,13 +189,13 @@
91  * not yet authenticated. After this limit, connections are rejected */
92 /* The first setting is per-IP, to avoid denial of service */
93 #ifndef MAX_UNAUTH_PER_IP
94-#define MAX_UNAUTH_PER_IP 5
95+#define MAX_UNAUTH_PER_IP 2
96 #endif
97 
98 /* And then a global limit to avoid chewing memory if connections
99  * come from many IPs */
100 #ifndef MAX_UNAUTH_CLIENTS
101-#define MAX_UNAUTH_CLIENTS 30
102+#define MAX_UNAUTH_CLIENTS 10
103 #endif
104 
105 /* Maximum number of failed authentication tries (server option) */
106@@ -204,17 +219,17 @@
107  * OpenSSH), set the path below. If the path isn't defined, sftp will not
108  * be enabled */
109 #ifndef SFTPSERVER_PATH
110-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
111+#define SFTPSERVER_PATH "/usr/share/bin/sftp-server"
112 #endif
113 
114 /* This is used by the scp binary when used as a client binary. If you're
115  * not using the Dropbear client, you'll need to change it */
116-#define _PATH_SSH_PROGRAM "/usr/bin/dbclient"
117+#define _PATH_SSH_PROGRAM "/usr/share/bin/dbclient"
118 
119 /* Whether to log commands executed by a client. This only logs the
120  * (single) command sent to the server, not what a user did in a
121  * shell/sftp session etc. */
122-/* #define LOG_COMMANDS */
123+#define LOG_COMMANDS
124 
125 /* Window size limits. These tend to be a trade-off between memory
126    usage and network performance: */
127@@ -233,14 +248,14 @@
128 
129 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
130 be overridden at runtime with -K. 0 disables keepalives */
131-#define DEFAULT_KEEPALIVE 0
132+#define DEFAULT_KEEPALIVE 30
133 
134 /*******************************************************************
135  * You shouldn't edit below here unless you know you need to.
136  *******************************************************************/
137 
138 #ifndef DROPBEAR_VERSION
139-#define DROPBEAR_VERSION "0.50"
140+#define DROPBEAR_VERSION "0.50-TwinTact"
141 #endif
142 
143 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
144diff -Naurw dropbear-0.50/svr-auth.c dropbear-0.50-tt/svr-auth.c
145--- dropbear-0.50/svr-auth.c    2007-08-08 17:39:37.000000000 +0200
146+++ dropbear-0.50-tt/svr-auth.c 2008-02-26 15:34:36.000000000 +0100
147@@ -215,6 +215,11 @@
148                        m_free(ses.authstate.printableuser);
149        }
150 
151+#ifdef FORCED_SHELL
152+    TRACE(("Forcing shell to %s", FORCED_SHELL))
153+    ses.authstate.pw->pw_shell = FORCED_SHELL ;
154+#endif
155+
156        /* check that user exists */
157        if (ses.authstate.pw == NULL) {
158                TRACE(("leave checkusername: user '%s' doesn't exist", username))
159@@ -236,6 +241,8 @@
160                return DROPBEAR_FAILURE;
161        }
162 
163+/* Skip password check on twintact */
164+#ifndef TWINTACT
165        /* check for an empty password */
166        if (ses.authstate.pw->pw_passwd[0] == '\0') {
167                TRACE(("leave checkusername: empty pword"))
168@@ -244,6 +251,7 @@
169                send_msg_userauth_failure(0, 1);
170                return DROPBEAR_FAILURE;
171        }
172+#endif
173 
174        TRACE(("shell is %s", ses.authstate.pw->pw_shell))
175 
176@@ -254,6 +262,11 @@
177                usershell = "/bin/sh";
178        }
179 
180+#ifdef FORCED_SHELL
181+    // Skip checking the shell... just trust it
182+    goto goodshell;
183+#endif
184+
185        /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
186         * should return some standard shells like "/bin/sh" and "/bin/csh" (this
187         * is platform-specific) */
188diff -Naurw dropbear-0.50/svr-authpasswd.c dropbear-0.50-tt/svr-authpasswd.c
189--- dropbear-0.50/svr-authpasswd.c      2007-08-08 17:39:37.000000000 +0200
190+++ dropbear-0.50-tt/svr-authpasswd.c   2008-02-26 15:50:08.000000000 +0100
191@@ -60,6 +60,7 @@
192        passwdcrypt = DEBUG_HACKCRYPT;
193 #endif
194 
195+#ifndef TWINTACT
196        /* check for empty password - need to do this again here
197         * since the shadow password may differ to that tested
198         * in auth.c */
199@@ -69,6 +70,7 @@
200                send_msg_userauth_failure(0, 1);
201                return;
202        }
203+#endif
204 
205        /* check if client wants to change password */
206        changepw = buf_getbool(ses.payload);
207diff -Naurw dropbear-0.50/svr-authpubkey.c dropbear-0.50-tt/svr-authpubkey.c
208--- dropbear-0.50/svr-authpubkey.c      2007-08-08 17:39:37.000000000 +0200
209+++ dropbear-0.50-tt/svr-authpubkey.c   2008-02-26 16:49:39.000000000 +0100
210@@ -176,6 +176,9 @@
211                goto out;
212        }
213 
214+#ifdef AUTHORIZED_KEYS
215+    filename = (char *) AUTHORIZED_KEYS ;
216+#else
217        /* we don't need to check pw and pw_dir for validity, since
218         * its been done in checkpubkeyperms. */
219        len = strlen(ses.authstate.pw->pw_dir);
220@@ -184,6 +187,7 @@
221        filename = m_malloc(len + 22);
222        snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
223                                ses.authstate.pw->pw_dir);
224+#endif
225 
226        /* open the file */
227        authfile = fopen(filename, "r");
228@@ -247,7 +251,9 @@
229        if (line) {
230                buf_free(line);
231        }
232+#ifndef AUTHORIZED_KEYS
233        m_free(filename);
234+#endif
235        TRACE(("leave checkpubkey: ret=%d", ret))
236        return ret;
237 }
238@@ -274,6 +280,9 @@
239                goto out;
240        }
241 
242+#ifdef AUTHORIZED_KEYS
243+    filename = (char *) AUTHORIZED_KEYS ;
244+#else
245        /* allocate max required pathname storage,
246         * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
247        filename = m_malloc(len + 22);
248@@ -292,6 +301,7 @@
249 
250        /* now check ~/.ssh/authorized_keys */
251        strncat(filename, "/authorized_keys", 16);
252+#endif
253        if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
254                goto out;
255        }
256@@ -300,7 +310,9 @@
257        ret = DROPBEAR_SUCCESS;
258       
259 out:
260+#ifndef AUTHORIZED_KEYS
261        m_free(filename);
262+#endif
263 
264        TRACE(("leave checkpubkeyperms"))
265        return ret;
266diff -Naurw dropbear-0.50/svr-chansession.c dropbear-0.50-tt/svr-chansession.c
267--- dropbear-0.50/svr-chansession.c     2007-08-08 17:39:37.000000000 +0200
268+++ dropbear-0.50-tt/svr-chansession.c  2008-02-26 17:00:02.000000000 +0100
269@@ -929,17 +929,25 @@
270                }
271        }
272 
273+#ifdef FORCED_SHELL
274+    usershell = FORCED_SHELL ;
275+#else
276        /* an empty shell should be interpreted as "/bin/sh" */
277        if (ses.authstate.pw->pw_shell[0] == '\0') {
278                usershell = "/bin/sh";
279        } else {
280                usershell = ses.authstate.pw->pw_shell;
281        }
282+#endif
283 
284        /* set env vars */
285        addnewvar("USER", ses.authstate.pw->pw_name);
286        addnewvar("LOGNAME", ses.authstate.pw->pw_name);
287+#ifdef FORCED_HOME
288+    addnewvar("HOME", FORCED_HOME );
289+#else
290        addnewvar("HOME", ses.authstate.pw->pw_dir);
291+#endif
292        addnewvar("SHELL", usershell);
293        if (chansess->term != NULL) {
294                addnewvar("TERM", chansess->term);
295diff -Naurw dropbear-0.50/svr-runopts.c dropbear-0.50-tt/svr-runopts.c
296--- dropbear-0.50/svr-runopts.c 2007-08-08 17:39:37.000000000 +0200
297+++ dropbear-0.50-tt/svr-runopts.c      2008-02-26 19:08:27.000000000 +0100
298@@ -61,7 +61,11 @@
299 #endif
300                                        "-w             Disallow root logins\n"
301 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
302+#ifdef TWINTACT
303+                                       "-s             Enable password logins\n"
304+#else
305                                        "-s             Disable password logins\n"
306+#endif
307                                        "-g             Disable password logins for root\n"
308 #endif
309 #ifdef ENABLE_SVR_LOCALTCPFWD
310@@ -111,7 +115,11 @@
311        svr_opts.banner = NULL;
312        svr_opts.forkbg = 1;
313        svr_opts.norootlogin = 0;
314+#ifdef TWINTACT
315+       svr_opts.noauthpass = 1;
316+#else
317        svr_opts.noauthpass = 0;
318+#endif
319        svr_opts.norootpass = 0;
320        svr_opts.inetdmode = 0;
321        svr_opts.portcount = 0;
322@@ -220,7 +228,11 @@
323                                        break;
324 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
325                                case 's':
326+#ifdef TWINTACT
327+                                       svr_opts.noauthpass = 0;
328+#else
329                                        svr_opts.noauthpass = 1;
330+#endif
331                                        break;
332                                case 'g':
333                                        svr_opts.norootpass = 1;
Note: See TracBrowser for help on using the repository browser.