ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-04-10 07:25:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

added option to disable trivial auth methods (#128)

Browse Source 
* added option to disable trivial auth methods

* rename argument to match with other ssh clients

* fixed trivial auth detection for pubkeys
This commit is contained in:
Manfred Kaiser 2021-08-19 17:37:14 +02:00 committed by GitHub
parent 69e5709f75
commit 210a983349
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cli-auth.c
View File

@ -261,6 +261,9 @@ void recv_msg_userauth_success() {
if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
TRACE(("received msg_userauth_success")) TRACE(("received msg_userauth_success"))
if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
dropbear_exit("trivial authentication not allowed");
}
/* Note: in delayed-zlib mode, setting authdone here /* Note: in delayed-zlib mode, setting authdone here
* will enable compression in the transport layer */ * will enable compression in the transport layer */
ses.authstate.authdone = 1; ses.authstate.authdone = 1;

1
cli-authinteract.c
View File

@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
m_free(instruction); m_free(instruction);
for (i = 0; i < num_prompts; i++) { for (i = 0; i < num_prompts; i++) {
cli_ses.is_trivial_auth = 0;
unsigned int response_len = 0; unsigned int response_len = 0;
prompt = buf_getstring(ses.payload, NULL); prompt = buf_getstring(ses.payload, NULL);
cleantext(prompt); cleantext(prompt);

2
cli-authpasswd.c
View File

@ -155,7 +155,7 @@ void cli_auth_password() {
encrypt_packet(); encrypt_packet();
m_burn(password, strlen(password)); m_burn(password, strlen(password));
cli_ses.is_trivial_auth = 0;
TRACE(("leave cli_auth_password")) TRACE(("leave cli_auth_password"))
} }
#endif /* DROPBEAR_CLI_PASSWORD_AUTH */ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */

1
cli-authpubkey.c
View File

@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
buf_free(sigbuf); /* Nothing confidential in the buffer */ buf_free(sigbuf); /* Nothing confidential in the buffer */
cli_ses.is_trivial_auth = 0;
} }
encrypt_packet(); encrypt_packet();

7
cli-runopts.c
View File

@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
#if DROPBEAR_CLI_ANYTCPFWD #if DROPBEAR_CLI_ANYTCPFWD
cli_opts.exit_on_fwd_failure = 0; cli_opts.exit_on_fwd_failure = 0;
#endif #endif
cli_opts.disable_trivial_auth = 0;
#if DROPBEAR_CLI_LOCALTCPFWD #if DROPBEAR_CLI_LOCALTCPFWD
cli_opts.localfwds = list_new(); cli_opts.localfwds = list_new();
opts.listen_fwd_all = 0; opts.listen_fwd_all = 0;
@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
#if DROPBEAR_CLI_ANYTCPFWD #if DROPBEAR_CLI_ANYTCPFWD
"\tExitOnForwardFailure\n" "\tExitOnForwardFailure\n"
#endif #endif
"\tDisableTrivialAuth\n"
#ifndef DISABLE_SYSLOG #ifndef DISABLE_SYSLOG
"\tUseSyslog\n" "\tUseSyslog\n"
#endif #endif
@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
return; return;
} }
if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
cli_opts.disable_trivial_auth = parse_flag_value(optstr);
return;
}
dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
} }

1
cli-session.c
View File

@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
/* Auth */ /* Auth */
cli_ses.lastprivkey = NULL; cli_ses.lastprivkey = NULL;
cli_ses.lastauthtype = 0; cli_ses.lastauthtype = 0;
cli_ses.is_trivial_auth = 1;
/* For printing "remote host closed" for the user */ /* For printing "remote host closed" for the user */
ses.remoteclosed = cli_remoteclosed; ses.remoteclosed = cli_remoteclosed;

1
runopts.h
View File

@ -161,6 +161,7 @@ typedef struct cli_runopts {
#if DROPBEAR_CLI_ANYTCPFWD #if DROPBEAR_CLI_ANYTCPFWD
int exit_on_fwd_failure; int exit_on_fwd_failure;
#endif #endif
int disable_trivial_auth;
#if DROPBEAR_CLI_REMOTETCPFWD #if DROPBEAR_CLI_REMOTETCPFWD
m_list * remotefwds; m_list * remotefwds;
#endif #endif

1
session.h
View File

@ -316,6 +316,7 @@ struct clientsession {
int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
for the last type of auth we tried */ for the last type of auth we tried */
int is_trivial_auth;
int ignore_next_auth_response; int ignore_next_auth_response;
#if DROPBEAR_CLI_INTERACT_AUTH #if DROPBEAR_CLI_INTERACT_AUTH
int auth_interact_failed; /* flag whether interactive auth can still int auth_interact_failed; /* flag whether interactive auth can still