diff options
Diffstat (limited to 'meta/packages/dropbear/dropbear')
6 files changed, 268 insertions, 0 deletions
diff --git a/meta/packages/dropbear/dropbear/allow-nopw.patch b/meta/packages/dropbear/dropbear/allow-nopw.patch new file mode 100644 index 0000000000..1a709b8da0 --- /dev/null +++ b/meta/packages/dropbear/dropbear/allow-nopw.patch @@ -0,0 +1,37 @@ +diff -Nurd dropbear-0.45/svr-auth.c dropbear-0.45.patched/svr-auth.c +--- dropbear-0.45/svr-auth.c 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/svr-auth.c 2005-03-08 15:22:43.998592744 -0800 +@@ -237,6 +237,7 @@ + } + + /* check for an empty password */ ++#ifdef DISALLOW_EMPTY_PW + if (ses.authstate.pw->pw_passwd[0] == '\0') { + TRACE(("leave checkusername: empty pword")) + dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected", +@@ -244,7 +245,7 @@ + send_msg_userauth_failure(0, 1); + return DROPBEAR_FAILURE; + } +- ++#endif + TRACE(("shell is %s", ses.authstate.pw->pw_shell)) + + /* check that the shell is set */ +diff -Nurd dropbear-0.45/svr-authpasswd.c dropbear-0.45.patched/svr-authpasswd.c +--- dropbear-0.45/svr-authpasswd.c 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/svr-authpasswd.c 2005-03-08 15:22:44.010591023 -0800 +@@ -64,9 +64,13 @@ + * since the shadow password may differ to that tested + * in auth.c */ + if (passwdcrypt[0] == '\0') { ++#ifdef DISALLOW_EMPTY_PASSWD + dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected", + ses.authstate.printableuser); + send_msg_userauth_failure(0, 1); ++#else ++ send_msg_userauth_success(); ++#endif + return; + } + diff --git a/meta/packages/dropbear/dropbear/chansession-security-fix.patch b/meta/packages/dropbear/dropbear/chansession-security-fix.patch new file mode 100644 index 0000000000..bc4c461fee --- /dev/null +++ b/meta/packages/dropbear/dropbear/chansession-security-fix.patch @@ -0,0 +1,74 @@ +Date: Sun, 11 Dec 2005 23:30:02 +0800 +From: Matt Johnston <matt@ucc.asn.au> +To: dropbear@ucc.gu.uwa.edu.au +Subject: Dropbear 0.47 (and security fix) +Message-ID: <20051211153002.GH28839@ucc.gu.uwa.edu.au> + +Hi all. + +I've put up a new release 0.47 of Dropbear, which has +various fixes and new features - see the change summary +below. +http://matt.ucc.asn.au/dropbear/dropbear.html is the +url as usual or directly at +http://matt.ucc.asn.au/dropbear/dropbear-0.47.tar.bz2 + +This release also fixes a potential security issue, which +may allow authenticated users to run arbitrary code as the +server user. I'm unsure exactly how likely it is to be +exploitable, but anyone who's running a multi-user server is +advised to upgrade. For older releases, the patch is: +(against chanesssion.c for 0.43 and earlier). + +--- dropbear/svr-chansession.c ++++ dropbear/svr-chansession.c +@@ -810,7 +810,7 @@ + /* need to increase size */ + if (i == svr_ses.childpidsize) { + svr_ses.childpids = (struct ChildPid*)m_realloc(svr_ses.childpids, +- sizeof(struct ChildPid) * svr_ses.childpidsize+1); ++ sizeof(struct ChildPid) * (svr_ses.childpidsize+1)); + svr_ses.childpidsize++; + } + + +Matt + + +0.47 - Thurs Dec 8 2005 + +- SECURITY: fix for buffer allocation error in server code, could potentially + allow authenticated users to gain elevated privileges. All multi-user systems + running the server should upgrade (or apply the patch available on the + Dropbear webpage). + +- Fix channel handling code so that redirecting to /dev/null doesn't use + 100% CPU. + +- Turn on zlib compression for dbclient. + +- Set "low delay" TOS bit, can significantly improve interactivity + over some links. + +- Added client keyboard-interactive mode support, allows operation with + newer OpenSSH servers in default config. + +- Log when pubkey auth fails because of bad ~/.ssh/authorized_keys permissions + +- Improve logging of assertions + +- Added aes-256 cipher and sha1-96 hmac. + +- Fix twofish so that it actually works. + +- Improve PAM prompt comparison. + +- Added -g (dbclient) and -a (dropbear server) options to allow + connections to listening forwarded ports from remote machines. + +- Various other minor fixes + +- Compile fixes for glibc 2.1 (ss_family vs __ss_family) and NetBSD + (netinet/in_systm.h needs to be included). + + diff --git a/meta/packages/dropbear/dropbear/configure.patch b/meta/packages/dropbear/dropbear/configure.patch new file mode 100644 index 0000000000..9ae84b2604 --- /dev/null +++ b/meta/packages/dropbear/dropbear/configure.patch @@ -0,0 +1,27 @@ +diff -Nurd dropbear-0.45/configure.in dropbear-0.45.patched/configure.in +--- dropbear-0.45/configure.in 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/configure.in 2005-03-08 15:22:44.040586721 -0800 +@@ -161,15 +161,20 @@ + AC_MSG_RESULT(Not using openpty) + else + AC_MSG_RESULT(Using openpty if available) +- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)]) ++ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) + fi + ], + [ + AC_MSG_RESULT(Using openpty if available) +- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)]) ++ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) + ] + ) +- ++ ++if test "x$dropbear_cv_func_have_openpty" = "xyes"; then ++ AC_DEFINE(HAVE_OPENPTY,,Have openpty() function) ++ no_ptc_check=yes ++ no_ptmx_check=yes ++fi + + AC_ARG_ENABLE(syslog, + [ --disable-syslog Don't include syslog support], diff --git a/meta/packages/dropbear/dropbear/fix-2kb-keys.patch b/meta/packages/dropbear/dropbear/fix-2kb-keys.patch new file mode 100644 index 0000000000..ba2b19d44a --- /dev/null +++ b/meta/packages/dropbear/dropbear/fix-2kb-keys.patch @@ -0,0 +1,11 @@ +diff -Nurd dropbear-0.45/kex.h dropbear-0.45.patched/kex.h +--- dropbear-0.45/kex.h 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/kex.h 2005-03-08 15:22:44.064583279 -0800 +@@ -64,6 +64,6 @@ + + }; + +-#define MAX_KEXHASHBUF 2000 ++#define MAX_KEXHASHBUF 3000 + + #endif /* _KEX_H_ */ diff --git a/meta/packages/dropbear/dropbear/init b/meta/packages/dropbear/dropbear/init new file mode 100755 index 0000000000..d019bdb4ba --- /dev/null +++ b/meta/packages/dropbear/dropbear/init @@ -0,0 +1,98 @@ +#!/bin/sh +# +# Do not configure this file. Edit /etc/default/dropbear instead! +# + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/dropbear +NAME=dropbear +DESC="Dropbear SSH server" + +DROPBEAR_PORT=22 +DROPBEAR_EXTRA_ARGS= +NO_START=0 + +set -e + +test ! -r /etc/default/dropbear || . /etc/default/dropbear +test "$NO_START" = "0" || exit 0 +test -x "$DAEMON" || exit 0 +test ! -h /var/service/dropbear || exit 0 + +readonly_rootfs=0 +for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do + case $flag in + ro) + readonly_rootfs=1 + ;; + esac +done + +if [ $readonly_rootfs = "1" ]; then + mkdir -p /var/lib/dropbear + DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key" + DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key" +else + DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key" + DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key" +fi + +test -z "$DROPBEAR_BANNER" || \ + DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER" +test -n "$DROPBEAR_RSAKEY" || \ + DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT +test -n "$DROPBEAR_DSSKEY" || \ + DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT +test -n "$DROPBEAR_KEYTYPES" || \ + DROPBEAR_KEYTYPES="rsa" + +gen_keys() { +for t in $DROPBEAR_KEYTYPES; do + case $t in + rsa) + test -f $DROPBEAR_RSAKEY || dropbearkey -t rsa -f $DROPBEAR_RSAKEY + ;; + dsa) + test -f $DROPBEAR_DSSKEY || dropbearkey -t dss -f $DROPBEAR_DSSKEY + ;; + esac +done +} + +case "$1" in + start) + echo -n "Starting $DESC: " + gen_keys + KEY_ARGS="" + test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY" + test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY" + start-stop-daemon -S \ + -x "$DAEMON" -- $KEY_ARGS \ + -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS + echo "$NAME." + ;; + stop) + echo -n "Stopping $DESC: " + start-stop-daemon -K -x "$DAEMON" + echo "$NAME." + ;; + restart|force-reload) + echo -n "Restarting $DESC: " + start-stop-daemon -K -x "$DAEMON" + sleep 1 + KEY_ARGS="" + test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY" + test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY" + start-stop-daemon -S \ + -x "$DAEMON" -- $KEY_ARGS \ + -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS + echo "$NAME." + ;; + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|restart|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/meta/packages/dropbear/dropbear/urandom-xauth-changes-to-options.h.patch b/meta/packages/dropbear/dropbear/urandom-xauth-changes-to-options.h.patch new file mode 100644 index 0000000000..e2b1dd5da5 --- /dev/null +++ b/meta/packages/dropbear/dropbear/urandom-xauth-changes-to-options.h.patch @@ -0,0 +1,21 @@ +diff -Nurd dropbear-0.45/options.h dropbear-0.45.patched/options.h +--- dropbear-0.45/options.h 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/options.h 2005-03-08 15:25:09.368742090 -0800 +@@ -143,7 +143,7 @@ + * however significantly reduce the security of your ssh connections + * if the PRNG state becomes guessable - make sure you know what you are + * doing if you change this. */ +-#define DROPBEAR_RANDOM_DEV "/dev/random" ++#define DROPBEAR_RANDOM_DEV "/dev/urandom" + + /* prngd must be manually set up to produce output */ + /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ +@@ -167,7 +167,7 @@ + /* The command to invoke for xauth when using X11 forwarding. + * "-q" for quiet */ + #ifndef XAUTH_COMMAND +-#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q" ++#define XAUTH_COMMAND "xauth -q" + #endif + + /* if you want to enable running an sftp server (such as the one included with |