mirror of
https://github.com/clearml/dropbear
synced 2025-04-09 23:24:18 +00:00
Merge
This commit is contained in:
Matt Johnston
commit
f3b72bfd18
@ -261,6 +261,9 @@ void recv_msg_userauth_success() {
|
||||
if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
|
||||
|
||||
TRACE(("received msg_userauth_success"))
|
||||
if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
|
||||
dropbear_exit("trivial authentication not allowed");
|
||||
}
|
||||
/* Note: in delayed-zlib mode, setting authdone here
|
||||
* will enable compression in the transport layer */
|
||||
ses.authstate.authdone = 1;
|
||||
|
||||
@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
|
||||
m_free(instruction);
|
||||
|
||||
for (i = 0; i < num_prompts; i++) {
|
||||
cli_ses.is_trivial_auth = 0;
|
||||
unsigned int response_len = 0;
|
||||
prompt = buf_getstring(ses.payload, NULL);
|
||||
cleantext(prompt);
|
||||
|
||||
@ -155,7 +155,7 @@ void cli_auth_password() {
|
||||
|
||||
encrypt_packet();
|
||||
m_burn(password, strlen(password));
|
||||
|
||||
cli_ses.is_trivial_auth = 0;
|
||||
TRACE(("leave cli_auth_password"))
|
||||
}
|
||||
#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
|
||||
|
||||
@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
|
||||
buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
|
||||
cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
|
||||
buf_free(sigbuf); /* Nothing confidential in the buffer */
|
||||
cli_ses.is_trivial_auth = 0;
|
||||
}
|
||||
|
||||
encrypt_packet();
|
||||
|
||||
@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
cli_opts.exit_on_fwd_failure = 0;
|
||||
#endif
|
||||
cli_opts.disable_trivial_auth = 0;
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
cli_opts.localfwds = list_new();
|
||||
opts.listen_fwd_all = 0;
|
||||
@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
"\tExitOnForwardFailure\n"
|
||||
#endif
|
||||
"\tDisableTrivialAuth\n"
|
||||
#ifndef DISABLE_SYSLOG
|
||||
"\tUseSyslog\n"
|
||||
#endif
|
||||
@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
|
||||
cli_opts.disable_trivial_auth = parse_flag_value(optstr);
|
||||
return;
|
||||
}
|
||||
|
||||
dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
|
||||
}
|
||||
|
||||
@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
|
||||
/* Auth */
|
||||
cli_ses.lastprivkey = NULL;
|
||||
cli_ses.lastauthtype = 0;
|
||||
cli_ses.is_trivial_auth = 1;
|
||||
|
||||
/* For printing "remote host closed" for the user */
|
||||
ses.remoteclosed = cli_remoteclosed;
|
||||
|
||||
10
dropbear.8
10
dropbear.8
@ -35,6 +35,12 @@ Don't fork into background.
|
||||
.B \-E
|
||||
Log to standard error rather than syslog.
|
||||
.TP
|
||||
.B \-e
|
||||
Pass on the server environment to all child processes. This is required, for example,
|
||||
if Dropbear is launched on the fly from a SLURM workload manager. The environment is not
|
||||
passed by default. Note that this could expose secrets in environment variables from
|
||||
the calling process - use with caution.
|
||||
.TP
|
||||
.B \-m
|
||||
Don't display the message of the day on login.
|
||||
.TP
|
||||
@ -134,6 +140,10 @@ Don't allow X11 forwarding for this connection
|
||||
Disable PTY allocation. Note that a user can still obtain most of the
|
||||
same functionality with other means even if no-pty is set.
|
||||
|
||||
.TP
|
||||
.B restrict
|
||||
Applies all the no- restrictions listed above.
|
||||
|
||||
.TP
|
||||
.B command=\fR"\fIforced_command\fR"
|
||||
Disregard the command provided by the user and always run \fIforced_command\fR.
|
||||
|
||||
@ -130,6 +130,8 @@ typedef struct svr_runopts {
|
||||
char *pubkey_plugin_options;
|
||||
#endif
|
||||
|
||||
int pass_on_env;
|
||||
|
||||
} svr_runopts;
|
||||
|
||||
extern svr_runopts svr_opts;
|
||||
@ -159,6 +161,7 @@ typedef struct cli_runopts {
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
int exit_on_fwd_failure;
|
||||
#endif
|
||||
int disable_trivial_auth;
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
m_list * remotefwds;
|
||||
#endif
|
||||
|
||||
7
scp.c
7
scp.c
@ -185,7 +185,7 @@ arg_setup(char *host, char *remuser, char *cmd)
|
||||
}
|
||||
|
||||
int
|
||||
do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
|
||||
do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
|
||||
{
|
||||
int pin[2], pout[2], reserved[2];
|
||||
|
||||
@ -532,8 +532,7 @@ toremote(char *targ, int argc, char **argv)
|
||||
bp = xmalloc(len);
|
||||
(void) snprintf(bp, len, "%s -t %s", cmd, targ);
|
||||
host = cleanhostname(thost);
|
||||
if (do_cmd(host, tuser, bp, &remin,
|
||||
&remout, argc) < 0)
|
||||
if (do_cmd(host, tuser, bp, &remin, &remout) < 0)
|
||||
exit(1);
|
||||
if (response() < 0)
|
||||
exit(1);
|
||||
@ -584,7 +583,7 @@ tolocal(int argc, char **argv)
|
||||
len = strlen(src) + CMDNEEDS + 20;
|
||||
bp = xmalloc(len);
|
||||
(void) snprintf(bp, len, "%s -f %s", cmd, src);
|
||||
if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) {
|
||||
if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
|
||||
(void) xfree(bp);
|
||||
++errs;
|
||||
continue;
|
||||
|
||||
@ -316,6 +316,7 @@ struct clientsession {
|
||||
|
||||
int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
|
||||
for the last type of auth we tried */
|
||||
int is_trivial_auth;
|
||||
int ignore_next_auth_response;
|
||||
#if DROPBEAR_CLI_INTERACT_AUTH
|
||||
int auth_interact_failed; /* flag whether interactive auth can still
|
||||
|
||||
@ -568,7 +568,7 @@ static char * sign_key_sha1_fingerprint(const unsigned char* keyblob,
|
||||
buflen = 7 + 3*SHA1_HASH_SIZE;
|
||||
ret = (char*)m_malloc(buflen);
|
||||
|
||||
strcpy(ret, "sha1!! ");
|
||||
strcpy(ret, "sha1 ");
|
||||
|
||||
for (i = 0; i < SHA1_HASH_SIZE; i++) {
|
||||
unsigned int pos = 7 + 3*i;
|
||||
|
||||
@ -166,6 +166,18 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
|
||||
ses.authstate.pubkey_options->no_pty_flag = 1;
|
||||
goto next_option;
|
||||
}
|
||||
if (match_option(options_buf, "restrict") == DROPBEAR_SUCCESS) {
|
||||
dropbear_log(LOG_WARNING, "Restrict option set");
|
||||
ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
|
||||
#endif
|
||||
#if DROPBEAR_X11FWD
|
||||
ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
|
||||
#endif
|
||||
ses.authstate.pubkey_options->no_pty_flag = 1;
|
||||
goto next_option;
|
||||
}
|
||||
if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
|
||||
int escaped = 0;
|
||||
const unsigned char* command_start = buf_getptr(options_buf, 0);
|
||||
|
||||
@ -933,6 +933,11 @@ static void addchildpid(struct ChanSess *chansess, pid_t pid) {
|
||||
static void execchild(const void *user_data) {
|
||||
const struct ChanSess *chansess = user_data;
|
||||
char *usershell = NULL;
|
||||
char *cp = NULL;
|
||||
char *envcp = getenv("LANG");
|
||||
if (envcp != NULL) {
|
||||
cp = m_strdup(envcp);
|
||||
}
|
||||
|
||||
/* with uClinux we'll have vfork()ed, so don't want to overwrite the
|
||||
* hostkey. can't think of a workaround to clear it */
|
||||
@ -945,19 +950,21 @@ static void execchild(const void *user_data) {
|
||||
seedrandom();
|
||||
#endif
|
||||
|
||||
/* clear environment */
|
||||
/* clear environment if -e was not set */
|
||||
/* if we're debugging using valgrind etc, we need to keep the LD_PRELOAD
|
||||
* etc. This is hazardous, so should only be used for debugging. */
|
||||
if ( !svr_opts.pass_on_env) {
|
||||
#ifndef DEBUG_VALGRIND
|
||||
#ifdef HAVE_CLEARENV
|
||||
clearenv();
|
||||
clearenv();
|
||||
#else /* don't HAVE_CLEARENV */
|
||||
/* Yay for posix. */
|
||||
if (environ) {
|
||||
environ[0] = NULL;
|
||||
}
|
||||
/* Yay for posix. */
|
||||
if (environ) {
|
||||
environ[0] = NULL;
|
||||
}
|
||||
#endif /* HAVE_CLEARENV */
|
||||
#endif /* DEBUG_VALGRIND */
|
||||
}
|
||||
|
||||
#if DROPBEAR_SVR_MULTIUSER
|
||||
/* We can only change uid/gid as root ... */
|
||||
@ -991,6 +998,10 @@ static void execchild(const void *user_data) {
|
||||
addnewvar("HOME", ses.authstate.pw_dir);
|
||||
addnewvar("SHELL", get_user_shell());
|
||||
addnewvar("PATH", DEFAULT_PATH);
|
||||
if (cp != NULL) {
|
||||
addnewvar("LANG", cp);
|
||||
m_free(cp);
|
||||
}
|
||||
if (chansess->term != NULL) {
|
||||
addnewvar("TERM", chansess->term);
|
||||
}
|
||||
|
||||
@ -64,6 +64,7 @@ static void printhelp(const char * progname) {
|
||||
"-R Create hostkeys as required\n"
|
||||
#endif
|
||||
"-F Don't fork into background\n"
|
||||
"-e Pass on server process environment to child process\n"
|
||||
#ifdef DISABLE_SYSLOG
|
||||
"(Syslog support not compiled in, using stderr)\n"
|
||||
#else
|
||||
@ -173,6 +174,7 @@ void svr_getopts(int argc, char ** argv) {
|
||||
svr_opts.pubkey_plugin = NULL;
|
||||
svr_opts.pubkey_plugin_options = NULL;
|
||||
#endif
|
||||
svr_opts.pass_on_env = 0;
|
||||
|
||||
#ifndef DISABLE_ZLIB
|
||||
opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
|
||||
@ -223,6 +225,10 @@ void svr_getopts(int argc, char ** argv) {
|
||||
opts.usingsyslog = 0;
|
||||
break;
|
||||
#endif
|
||||
case 'e':
|
||||
svr_opts.pass_on_env = 1;
|
||||
break;
|
||||
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
case 'j':
|
||||
svr_opts.nolocaltcp = 1;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user