1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
Date: Thu, 19 Aug 2021 17:37:14 +0200
Subject: [PATCH] added option to disable trivial auth methods (#128)
* added option to disable trivial auth methods
* rename argument to match with other ssh clients
* fixed trivial auth detection for pubkeys
[https://github.com/mkj/dropbear/pull/128]
Upstream-Status: Backport
CVE: CVE-2021-36369
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
cli-auth.c | 3 +++
cli-authinteract.c | 1 +
cli-authpasswd.c | 2 +-
cli-authpubkey.c | 1 +
cli-runopts.c | 7 +++++++
cli-session.c | 1 +
runopts.h | 1 +
session.h | 1 +
8 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/cli-auth.c b/cli-auth.c
index 2e509e5..6f04495 100644
--- a/cli-auth.c
+++ b/cli-auth.c
@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
TRACE(("received msg_userauth_success"))
+ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
+ dropbear_exit("trivial authentication not allowed");
+ }
/* Note: in delayed-zlib mode, setting authdone here
* will enable compression in the transport layer */
ses.authstate.authdone = 1;
diff --git a/cli-authinteract.c b/cli-authinteract.c
index e1cc9a1..f7128ee 100644
--- a/cli-authinteract.c
+++ b/cli-authinteract.c
@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
m_free(instruction);
for (i = 0; i < num_prompts; i++) {
+ cli_ses.is_trivial_auth = 0;
unsigned int response_len = 0;
prompt = buf_getstring(ses.payload, NULL);
cleantext(prompt);
diff --git a/cli-authpasswd.c b/cli-authpasswd.c
index 00fdd8b..a24d43e 100644
--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
@@ -155,7 +155,7 @@ void cli_auth_password() {
encrypt_packet();
m_burn(password, strlen(password));
-
+ cli_ses.is_trivial_auth = 0;
TRACE(("leave cli_auth_password"))
}
#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
diff --git a/cli-authpubkey.c b/cli-authpubkey.c
index 42c4e3f..fa01807 100644
--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
buf_free(sigbuf); /* Nothing confidential in the buffer */
+ cli_ses.is_trivial_auth = 0;
}
encrypt_packet();
diff --git a/cli-runopts.c b/cli-runopts.c
index 3654b9a..255b47e 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
#if DROPBEAR_CLI_ANYTCPFWD
cli_opts.exit_on_fwd_failure = 0;
#endif
+ cli_opts.disable_trivial_auth = 0;
#if DROPBEAR_CLI_LOCALTCPFWD
cli_opts.localfwds = list_new();
opts.listen_fwd_all = 0;
@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
#if DROPBEAR_CLI_ANYTCPFWD
"\tExitOnForwardFailure\n"
#endif
+ "\tDisableTrivialAuth\n"
#ifndef DISABLE_SYSLOG
"\tUseSyslog\n"
#endif
@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
return;
}
+ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
+ return;
+ }
+
dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
}
diff --git a/cli-session.c b/cli-session.c
index 5e5af22..afb54a1 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
/* Auth */
cli_ses.lastprivkey = NULL;
cli_ses.lastauthtype = 0;
+ cli_ses.is_trivial_auth = 1;
/* For printing "remote host closed" for the user */
ses.remoteclosed = cli_remoteclosed;
diff --git a/runopts.h b/runopts.h
index 6a4a94c..01201d2 100644
--- a/runopts.h
+++ b/runopts.h
@@ -159,6 +159,7 @@ typedef struct cli_runopts {
#if DROPBEAR_CLI_ANYTCPFWD
int exit_on_fwd_failure;
#endif
+ int disable_trivial_auth;
#if DROPBEAR_CLI_REMOTETCPFWD
m_list * remotefwds;
#endif
diff --git a/session.h b/session.h
index fb5b8cb..6706592 100644
--- a/session.h
+++ b/session.h
@@ -316,6 +316,7 @@ struct clientsession {
int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
for the last type of auth we tried */
+ int is_trivial_auth;
int ignore_next_auth_response;
#if DROPBEAR_CLI_INTERACT_AUTH
int auth_interact_failed; /* flag whether interactive auth can still
|
