ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-06-26 18:17:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge

Browse Source
This commit is contained in:
Matt Johnston 2021-10-11 15:46:49 +08:00
commit f3b72bfd18
14 changed files with 67 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cli-auth.c
View File

@ -261,6 +261,9 @@ void recv_msg_userauth_success() {
if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
TRACE(("received msg_userauth_success")) TRACE(("received msg_userauth_success"))
if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
dropbear_exit("trivial authentication not allowed");
}
/* Note: in delayed-zlib mode, setting authdone here /* Note: in delayed-zlib mode, setting authdone here
* will enable compression in the transport layer */ * will enable compression in the transport layer */
ses.authstate.authdone = 1; ses.authstate.authdone = 1;

1
cli-authinteract.c
View File

@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
m_free(instruction); m_free(instruction);
for (i = 0; i < num_prompts; i++) { for (i = 0; i < num_prompts; i++) {
cli_ses.is_trivial_auth = 0;
unsigned int response_len = 0; unsigned int response_len = 0;
prompt = buf_getstring(ses.payload, NULL); prompt = buf_getstring(ses.payload, NULL);
cleantext(prompt); cleantext(prompt);

2
cli-authpasswd.c
View File

@ -155,7 +155,7 @@ void cli_auth_password() {
encrypt_packet(); encrypt_packet();
m_burn(password, strlen(password)); m_burn(password, strlen(password));
cli_ses.is_trivial_auth = 0;
TRACE(("leave cli_auth_password")) TRACE(("leave cli_auth_password"))
} }
#endif /* DROPBEAR_CLI_PASSWORD_AUTH */ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */

1
cli-authpubkey.c
View File

@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
buf_free(sigbuf); /* Nothing confidential in the buffer */ buf_free(sigbuf); /* Nothing confidential in the buffer */
cli_ses.is_trivial_auth = 0;
} }
encrypt_packet(); encrypt_packet();

7
cli-runopts.c
View File

@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
#if DROPBEAR_CLI_ANYTCPFWD #if DROPBEAR_CLI_ANYTCPFWD
cli_opts.exit_on_fwd_failure = 0; cli_opts.exit_on_fwd_failure = 0;
#endif #endif
cli_opts.disable_trivial_auth = 0;
#if DROPBEAR_CLI_LOCALTCPFWD #if DROPBEAR_CLI_LOCALTCPFWD
cli_opts.localfwds = list_new(); cli_opts.localfwds = list_new();
opts.listen_fwd_all = 0; opts.listen_fwd_all = 0;
@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
#if DROPBEAR_CLI_ANYTCPFWD #if DROPBEAR_CLI_ANYTCPFWD
"\tExitOnForwardFailure\n" "\tExitOnForwardFailure\n"
#endif #endif
"\tDisableTrivialAuth\n"
#ifndef DISABLE_SYSLOG #ifndef DISABLE_SYSLOG
"\tUseSyslog\n" "\tUseSyslog\n"
#endif #endif
@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
return; return;
} }
if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
cli_opts.disable_trivial_auth = parse_flag_value(optstr);
return;
}
dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
} }

1
cli-session.c
View File

@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
/* Auth */ /* Auth */
cli_ses.lastprivkey = NULL; cli_ses.lastprivkey = NULL;
cli_ses.lastauthtype = 0; cli_ses.lastauthtype = 0;
cli_ses.is_trivial_auth = 1;
/* For printing "remote host closed" for the user */ /* For printing "remote host closed" for the user */
ses.remoteclosed = cli_remoteclosed; ses.remoteclosed = cli_remoteclosed;

10
dropbear.8
View File

@ -35,6 +35,12 @@ Don't fork into background.
.B \-E .B \-E
Log to standard error rather than syslog. Log to standard error rather than syslog.
.TP .TP
.B \-e
Pass on the server environment to all child processes. This is required, for example,
if Dropbear is launched on the fly from a SLURM workload manager. The environment is not
passed by default. Note that this could expose secrets in environment variables from
the calling process - use with caution.
.TP
.B \-m .B \-m
Don't display the message of the day on login. Don't display the message of the day on login.
.TP .TP
@ -134,6 +140,10 @@ Don't allow X11 forwarding for this connection
Disable PTY allocation. Note that a user can still obtain most of the Disable PTY allocation. Note that a user can still obtain most of the
same functionality with other means even if no-pty is set. same functionality with other means even if no-pty is set.
.TP
.B restrict
Applies all the no- restrictions listed above.
.TP .TP
.B command=\fR"\fIforced_command\fR" .B command=\fR"\fIforced_command\fR"
Disregard the command provided by the user and always run \fIforced_command\fR. Disregard the command provided by the user and always run \fIforced_command\fR.

3
runopts.h
View File

@ -130,6 +130,8 @@ typedef struct svr_runopts {
char *pubkey_plugin_options; char *pubkey_plugin_options;
#endif #endif
int pass_on_env;
} svr_runopts; } svr_runopts;
extern svr_runopts svr_opts; extern svr_runopts svr_opts;
@ -159,6 +161,7 @@ typedef struct cli_runopts {
#if DROPBEAR_CLI_ANYTCPFWD #if DROPBEAR_CLI_ANYTCPFWD
int exit_on_fwd_failure; int exit_on_fwd_failure;
#endif #endif
int disable_trivial_auth;
#if DROPBEAR_CLI_REMOTETCPFWD #if DROPBEAR_CLI_REMOTETCPFWD
m_list * remotefwds; m_list * remotefwds;
#endif #endif

7
scp.c
View File

@ -185,7 +185,7 @@ arg_setup(char *host, char *remuser, char *cmd)
} }
int int
do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc) do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
{ {
int pin[2], pout[2], reserved[2]; int pin[2], pout[2], reserved[2];
@ -532,8 +532,7 @@ toremote(char *targ, int argc, char **argv)
bp = xmalloc(len); bp = xmalloc(len);
(void) snprintf(bp, len, "%s -t %s", cmd, targ); (void) snprintf(bp, len, "%s -t %s", cmd, targ);
host = cleanhostname(thost); host = cleanhostname(thost);
if (do_cmd(host, tuser, bp, &remin, if (do_cmd(host, tuser, bp, &remin, &remout) < 0)
&remout, argc) < 0)
exit(1); exit(1);
if (response() < 0) if (response() < 0)
exit(1); exit(1);
@ -584,7 +583,7 @@ tolocal(int argc, char **argv)
len = strlen(src) + CMDNEEDS + 20; len = strlen(src) + CMDNEEDS + 20;
bp = xmalloc(len); bp = xmalloc(len);
(void) snprintf(bp, len, "%s -f %s", cmd, src); (void) snprintf(bp, len, "%s -f %s", cmd, src);
if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) { if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
(void) xfree(bp); (void) xfree(bp);
++errs; ++errs;
continue; continue;

1
session.h
View File

@ -316,6 +316,7 @@ struct clientsession {
int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
for the last type of auth we tried */ for the last type of auth we tried */
int is_trivial_auth;
int ignore_next_auth_response; int ignore_next_auth_response;
#if DROPBEAR_CLI_INTERACT_AUTH #if DROPBEAR_CLI_INTERACT_AUTH
int auth_interact_failed; /* flag whether interactive auth can still int auth_interact_failed; /* flag whether interactive auth can still

2
signkey.c
View File

@ -568,7 +568,7 @@ static char * sign_key_sha1_fingerprint(const unsigned char* keyblob,
buflen = 7 + 3*SHA1_HASH_SIZE; buflen = 7 + 3*SHA1_HASH_SIZE;
ret = (char*)m_malloc(buflen); ret = (char*)m_malloc(buflen);
strcpy(ret, "sha1!! "); strcpy(ret, "sha1 ");
for (i = 0; i < SHA1_HASH_SIZE; i++) { for (i = 0; i < SHA1_HASH_SIZE; i++) {
unsigned int pos = 7 + 3*i; unsigned int pos = 7 + 3*i;

12
svr-authpubkeyoptions.c
View File

@ -166,6 +166,18 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
ses.authstate.pubkey_options->no_pty_flag = 1; ses.authstate.pubkey_options->no_pty_flag = 1;
goto next_option; goto next_option;
} }
if (match_option(options_buf, "restrict") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Restrict option set");
ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
#if DROPBEAR_SVR_AGENTFWD
ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
#endif
#if DROPBEAR_X11FWD
ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
#endif
ses.authstate.pubkey_options->no_pty_flag = 1;
goto next_option;
}
if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) { if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
int escaped = 0; int escaped = 0;
const unsigned char* command_start = buf_getptr(options_buf, 0); const unsigned char* command_start = buf_getptr(options_buf, 0);

23
svr-chansession.c
View File

@ -933,6 +933,11 @@ static void addchildpid(struct ChanSess *chansess, pid_t pid) {
static void execchild(const void *user_data) { static void execchild(const void *user_data) {
const struct ChanSess *chansess = user_data; const struct ChanSess *chansess = user_data;
char *usershell = NULL; char *usershell = NULL;
char *cp = NULL;
char *envcp = getenv("LANG");
if (envcp != NULL) {
cp = m_strdup(envcp);
}
/* with uClinux we'll have vfork()ed, so don't want to overwrite the /* with uClinux we'll have vfork()ed, so don't want to overwrite the
* hostkey. can't think of a workaround to clear it */ * hostkey. can't think of a workaround to clear it */
@ -945,19 +950,21 @@ static void execchild(const void *user_data) {
seedrandom(); seedrandom();
#endif #endif
/* clear environment */ /* clear environment if -e was not set */
/* if we're debugging using valgrind etc, we need to keep the LD_PRELOAD /* if we're debugging using valgrind etc, we need to keep the LD_PRELOAD
* etc. This is hazardous, so should only be used for debugging. */ * etc. This is hazardous, so should only be used for debugging. */
if ( !svr_opts.pass_on_env) {
#ifndef DEBUG_VALGRIND #ifndef DEBUG_VALGRIND
#ifdef HAVE_CLEARENV #ifdef HAVE_CLEARENV
clearenv(); clearenv();
#else /* don't HAVE_CLEARENV */ #else /* don't HAVE_CLEARENV */
/* Yay for posix. */ /* Yay for posix. */
if (environ) { if (environ) {
environ[0] = NULL; environ[0] = NULL;
} }
#endif /* HAVE_CLEARENV */ #endif /* HAVE_CLEARENV */
#endif /* DEBUG_VALGRIND */ #endif /* DEBUG_VALGRIND */
}
#if DROPBEAR_SVR_MULTIUSER #if DROPBEAR_SVR_MULTIUSER
/* We can only change uid/gid as root ... */ /* We can only change uid/gid as root ... */
@ -991,6 +998,10 @@ static void execchild(const void *user_data) {
addnewvar("HOME", ses.authstate.pw_dir); addnewvar("HOME", ses.authstate.pw_dir);
addnewvar("SHELL", get_user_shell()); addnewvar("SHELL", get_user_shell());
addnewvar("PATH", DEFAULT_PATH); addnewvar("PATH", DEFAULT_PATH);
if (cp != NULL) {
addnewvar("LANG", cp);
m_free(cp);
}
if (chansess->term != NULL) { if (chansess->term != NULL) {
addnewvar("TERM", chansess->term); addnewvar("TERM", chansess->term);
} }

6
svr-runopts.c
View File

@ -64,6 +64,7 @@ static void printhelp(const char * progname) {
"-R Create hostkeys as required\n" "-R Create hostkeys as required\n"
#endif #endif
"-F Don't fork into background\n" "-F Don't fork into background\n"
"-e Pass on server process environment to child process\n"
#ifdef DISABLE_SYSLOG #ifdef DISABLE_SYSLOG
"(Syslog support not compiled in, using stderr)\n" "(Syslog support not compiled in, using stderr)\n"
#else #else
@ -173,6 +174,7 @@ void svr_getopts(int argc, char ** argv) {
svr_opts.pubkey_plugin = NULL; svr_opts.pubkey_plugin = NULL;
svr_opts.pubkey_plugin_options = NULL; svr_opts.pubkey_plugin_options = NULL;
#endif #endif
svr_opts.pass_on_env = 0;
#ifndef DISABLE_ZLIB #ifndef DISABLE_ZLIB
opts.compress_mode = DROPBEAR_COMPRESS_DELAYED; opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
@ -223,6 +225,10 @@ void svr_getopts(int argc, char ** argv) {
opts.usingsyslog = 0; opts.usingsyslog = 0;
break; break;
#endif #endif
case 'e':
svr_opts.pass_on_env = 1;
break;
#if DROPBEAR_SVR_LOCALTCPFWD #if DROPBEAR_SVR_LOCALTCPFWD
case 'j': case 'j':
svr_opts.nolocaltcp = 1; svr_opts.nolocaltcp = 1;