source: tt-tools/patchs/dropbear-0.50.patch @ 9

dropbear-0.

@@ -21 +21 @@
 
 /* Default hostkey paths - these can be specified on the command line */
 #ifndef DSS_PRIV_FILENAME
-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
+#define DSS_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_dss_host_key"
 #endif
 #ifndef RSA_PRIV_FILENAME
-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
+#define RSA_PRIV_FILENAME "/usr/share/config/dropbear/dropbear_rsa_host_key"
+#endif
+
+#ifdef TWINTACT
+/* Add few tweak for TwinTact device */
+#ifndef AUTHORIZED_KEYS
+#define AUTHORIZED_KEYS "/usr/share/config/dropbear/authorized_keys"
+#endif
+
+#ifndef FORCED_SHELL
+#define FORCED_SHELL "/usr/share/config/dropbear/shell"
+#endif
+
+#ifndef FORCED_HOME
+#define FORCED_HOME "/usr/share"
+#endif
 #endif
 
 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
@@ -38 +53 @@
  * Both of these flags can be defined at once, don't compile without at least
  * one of them. */
 #define NON_INETD_MODE
-#define INETD_MODE
+//#define INETD_MODE
 
 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
  * perhaps 20% slower for pubkey operations (it is probably worth experimenting
@@ -51 +66 @@
 #define DROPBEAR_SMALL_CODE
 
 /* Enable X11 Forwarding - server only */
-#define ENABLE_X11FWD
+//#define ENABLE_X11FWD
 
 /* Enable TCP Fowarding */
 /* 'Local' is "-L" style (client listening port forwarded via server)
@@ -64 +79 @@
 #define ENABLE_SVR_REMOTETCPFWD
 
 /* Enable Authentication Agent Forwarding - server only for now */
-#define ENABLE_AGENTFWD
+//#define ENABLE_AGENTFWD
 
 /* Encryption - at least one required.
  * RFC Draft requires 3DES and recommends AES128 for interoperability.
@@ -73 +88 @@
 #define DROPBEAR_AES128_CBC
 #define DROPBEAR_3DES_CBC
 #define DROPBEAR_AES256_CBC
-#define DROPBEAR_BLOWFISH_CBC
-#define DROPBEAR_TWOFISH256_CBC
-#define DROPBEAR_TWOFISH128_CBC
+//#define DROPBEAR_BLOWFISH_CBC
+//#define DROPBEAR_TWOFISH256_CBC
+//#define DROPBEAR_TWOFISH128_CBC
 
 /* Message Integrity - at least one required.
  * RFC Draft requires sha1 and recommends sha1-96.
@@ -112 +127 @@
 /* #define DSS_PROTOK */
 
 /* Whether to do reverse DNS lookups. */
-#define DO_HOST_LOOKUP
+//#define DO_HOST_LOOKUP
 
 /* Whether to print the message of the day (MOTD). This doesn't add much code
  * size */
@@ -120 +135 @@
 
 /* The MOTD file path */
 #ifndef MOTD_FILENAME
-#define MOTD_FILENAME "/etc/motd"
+#define MOTD_FILENAME "/usr/share/config/dropbear/motd"
 #endif
 
 /* Authentication Types - at least one required.
@@ -174 +189 @@
  * not yet authenticated. After this limit, connections are rejected */
 /* The first setting is per-IP, to avoid denial of service */
 #ifndef MAX_UNAUTH_PER_IP
-#define MAX_UNAUTH_PER_IP 5
+#define MAX_UNAUTH_PER_IP 2
 #endif
 
 /* And then a global limit to avoid chewing memory if connections 
  * come from many IPs */
 #ifndef MAX_UNAUTH_CLIENTS
-#define MAX_UNAUTH_CLIENTS 30
+#define MAX_UNAUTH_CLIENTS 10
 #endif
 
 /* Maximum number of failed authentication tries (server option) */
@@ -204 +219 @@
  * OpenSSH), set the path below. If the path isn't defined, sftp will not
  * be enabled */
 #ifndef SFTPSERVER_PATH
-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
+#define SFTPSERVER_PATH "/usr/share/bin/sftp-server"
 #endif
 
 /* This is used by the scp binary when used as a client binary. If you're
  * not using the Dropbear client, you'll need to change it */
-#define _PATH_SSH_PROGRAM "/usr/bin/dbclient"
+#define _PATH_SSH_PROGRAM "/usr/share/bin/dbclient"
 
 /* Whether to log commands executed by a client. This only logs the 
  * (single) command sent to the server, not what a user did in a 
  * shell/sftp session etc. */
-/* #define LOG_COMMANDS */
+#define LOG_COMMANDS
 
 /* Window size limits. These tend to be a trade-off between memory
    usage and network performance: */
@@ -233 +248 @@
 
 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
 be overridden at runtime with -K. 0 disables keepalives */
-#define DEFAULT_KEEPALIVE 0
+#define DEFAULT_KEEPALIVE 30
 
 /*******************************************************************
  * You shouldn't edit below here unless you know you need to.
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.50"
+#define DROPBEAR_VERSION "0.50-TwinTact"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION

svr-auth.c

@@ -215 +215 @@
                         m_free(ses.authstate.printableuser);
         }
 
+#ifdef FORCED_SHELL
+    TRACE(("Forcing shell to %s", FORCED_SHELL))
+    ses.authstate.pw->pw_shell = FORCED_SHELL ;
+#endif
+
         /* check that user exists */
         if (ses.authstate.pw == NULL) {
                 TRACE(("leave checkusername: user '%s' doesn't exist", username))
@@ -236 +241 @@
                 return DROPBEAR_FAILURE;
         }
 
+/* Skip password check on twintact */
+#ifndef TWINTACT
         /* check for an empty password */
         if (ses.authstate.pw->pw_passwd[0] == '\0') {
                 TRACE(("leave checkusername: empty pword"))
@@ -244 +251 @@
                 send_msg_userauth_failure(0, 1);
                 return DROPBEAR_FAILURE;
         }
+#endif
 
         TRACE(("shell is %s", ses.authstate.pw->pw_shell))
 
@@ -254 +262 @@
                 usershell = "/bin/sh";
         }
 
+#ifdef FORCED_SHELL
+    // Skip checking the shell... just trust it
+    goto goodshell;
+#endif
+
         /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
          * should return some standard shells like "/bin/sh" and "/bin/csh" (this
          * is platform-specific) */

svr-authpasswd.c

@@ -60 +60 @@
         passwdcrypt = DEBUG_HACKCRYPT;
 #endif
 
+#ifndef TWINTACT
         /* check for empty password - need to do this again here
          * since the shadow password may differ to that tested
          * in auth.c */
@@ -69 +70 @@
                 send_msg_userauth_failure(0, 1);
                 return;
         }
+#endif
 
         /* check if client wants to change password */
         changepw = buf_getbool(ses.payload);

svr-authpubkey.c

@@ -176 +176 @@
                 goto out;
         }
 
+#ifdef AUTHORIZED_KEYS
+    filename = (char *) AUTHORIZED_KEYS ;
+#else
         /* we don't need to check pw and pw_dir for validity, since
          * its been done in checkpubkeyperms. */
         len = strlen(ses.authstate.pw->pw_dir);
@@ -184 +187 @@
         filename = m_malloc(len + 22);
         snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
                                 ses.authstate.pw->pw_dir);
+#endif
 
         /* open the file */
         authfile = fopen(filename, "r");
@@ -247 +251 @@
         if (line) {
                 buf_free(line);
         }
+#ifndef AUTHORIZED_KEYS
         m_free(filename);
+#endif
         TRACE(("leave checkpubkey: ret=%d", ret))
         return ret;
 }
@@ -274 +280 @@
                 goto out;
         }
 
+#ifdef AUTHORIZED_KEYS
+    filename = (char *) AUTHORIZED_KEYS ;
+#else
         /* allocate max required pathname storage,
          * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
         filename = m_malloc(len + 22);
@@ -292 +301 @@
 
         /* now check ~/.ssh/authorized_keys */
         strncat(filename, "/authorized_keys", 16);
+#endif
         if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
                 goto out;
         }
@@ -300 +310 @@
         ret = DROPBEAR_SUCCESS;
         
 out:
+#ifndef AUTHORIZED_KEYS
         m_free(filename);
+#endif
 
         TRACE(("leave checkpubkeyperms"))
         return ret;

svr-chansession.c

@@ -929 +929 @@
                 }
         }
 
+#ifdef FORCED_SHELL
+    usershell = FORCED_SHELL ;
+#else
         /* an empty shell should be interpreted as "/bin/sh" */
         if (ses.authstate.pw->pw_shell[0] == '\0') {
                 usershell = "/bin/sh";
         } else {
                 usershell = ses.authstate.pw->pw_shell;
         }
+#endif
 
         /* set env vars */
         addnewvar("USER", ses.authstate.pw->pw_name);
         addnewvar("LOGNAME", ses.authstate.pw->pw_name);
+#ifdef FORCED_HOME
+    addnewvar("HOME", FORCED_HOME );
+#else
         addnewvar("HOME", ses.authstate.pw->pw_dir);
+#endif
         addnewvar("SHELL", usershell);
         if (chansess->term != NULL) {
                 addnewvar("TERM", chansess->term);

svr-runopts.c

@@ -61 +61 @@
 #endif
                                         "-w             Disallow root logins\n"
 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
+#ifdef TWINTACT
+                                        "-s             Enable password logins\n"
+#else
                                         "-s             Disable password logins\n"
+#endif
                                         "-g             Disable password logins for root\n"
 #endif
 #ifdef ENABLE_SVR_LOCALTCPFWD
@@ -111 +115 @@
         svr_opts.banner = NULL;
         svr_opts.forkbg = 1;
         svr_opts.norootlogin = 0;
+#ifdef TWINTACT
+        svr_opts.noauthpass = 1;
+#else
         svr_opts.noauthpass = 0;
+#endif
         svr_opts.norootpass = 0;
         svr_opts.inetdmode = 0;
         svr_opts.portcount = 0;
@@ -220 +228 @@
                                         break;
 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
                                 case 's':
+#ifdef TWINTACT
+                                        svr_opts.noauthpass = 0;
+#else
                                         svr_opts.noauthpass = 1;
+#endif
                                         break;
                                 case 'g':
                                         svr_opts.norootpass = 1;