ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-03-04 02:57:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add ALLOW_NONE_PASSWORD_AUTH option

Browse Source 
--HG--
branch : insecure-nocrypto
This commit is contained in:
Matt Johnston 2012-05-17 08:33:11 +08:00
parent f2cd610750
commit a02d38072a
2 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cli-auth.c
View File

@ -257,10 +257,13 @@ void cli_auth_try() {
#endif #endif
#ifdef ENABLE_CLI_INTERACT_AUTH #ifdef ENABLE_CLI_INTERACT_AUTH
#if defined(DROPBEAR_NONE_CIPHER) && !defined(ALLOW_NONE_PASSWORD_AUTH)
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n"); fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n");
} }
else if (!finished && ses.authstate.authtypes & AUTH_TYPE_INTERACT) { else
#endif
if (!finished && ses.authstate.authtypes & AUTH_TYPE_INTERACT) {
if (cli_ses.auth_interact_failed) { if (cli_ses.auth_interact_failed) {
finished = 0; finished = 0;
} else { } else {
@ -272,10 +275,13 @@ void cli_auth_try() {
#endif #endif
#ifdef ENABLE_CLI_PASSWORD_AUTH #ifdef ENABLE_CLI_PASSWORD_AUTH
#if defined(DROPBEAR_NONE_CIPHER) && !defined(ALLOW_NONE_PASSWORD_AUTH)
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n"); fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
} }
else if (!finished && ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { else
#endif
if (!finished && ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
cli_auth_password(); cli_auth_password();
finished = 1; finished = 1;
cli_ses.lastauthtype = AUTH_TYPE_PASSWORD; cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;

12
options.h
View File

@ -103,15 +103,13 @@ much traffic. */
/* You can compile with no encryption if you want. In some circumstances /* You can compile with no encryption if you want. In some circumstances
* this could be safe security-wise, though make sure you know what * this could be safe security-wise, though make sure you know what
* you're doing. Anyone can see everything that goes over the wire, so * you're doing. Anyone can see everything that goes over the wire, so
* the only safe auth method is public key. You'll have to disable all other * the only safe auth method is public key. */
* ciphers above in the client if you want to use this, or implement cipher
* prioritisation in cli-runopts.
*
* The best way to do things is probably make normal compile of dropbear with
* all ciphers including "none" as the server, then recompile a special
* "dbclient-insecure" client. */
#define DROPBEAR_NONE_CIPHER #define DROPBEAR_NONE_CIPHER
/* Define this to allow password authentication even when no encryption
* is being used. This can be unsafe */
#define ALLOW_NONE_PASSWORD_AUTH
/* Message Integrity - at least one required. /* Message Integrity - at least one required.
* Protocol RFC requires sha1 and recommends sha1-96. * Protocol RFC requires sha1 and recommends sha1-96.
* sha1-96 is of use for slow links as it has a smaller overhead. * sha1-96 is of use for slow links as it has a smaller overhead.