mirror of
https://github.com/clearml/dropbear
synced 2025-06-26 18:17:32 +00:00
Allow user space file locations (rootless support)
Why:
Running dropbear as a user (rootless) is aided if
files and programs can be saved/removed without
needing sudo.
What:
Use the same convention as DROPBEAR_DEFAULT_CLI_AUTHKEY;
if not starting with '/', then is relative to hedge's /home/hedge:
*_PRIV_FILENAME
DROPBEAR_PIDFILE
SFTPSERVER_PATH
default_options.h commentary added.
Changes kept to a minimum, so log entry in svr_kex.c#163
is refactored.
From:
Generated hostkey is <path> ... <finger-print>
to:
Generated hostkey path is <path>
Generated hostkey fingerprint is <fp>
Otherwise the unexpanded path was reported.
Patch modified by Matt Johnston
Signed-off-by: Begley Brothers Inc <begleybrothers@gmail.com>
This commit is contained in:
Begley Brothers Inc
Matt Johnston
parent
2f68f6693f
commit
f4be5a3c8b
7
CHANGES
7
CHANGES
@ -1,3 +1,10 @@
|
||||
- The following config paths are now relative to a home directory if
|
||||
starting with "~". Thanks to Begley Brothers Inc
|
||||
*_PRIV_FILENAME
|
||||
DROPBEAR_PIDFILE
|
||||
SFTPSERVER_PATH
|
||||
MOTD_FILENAME
|
||||
|
||||
2020.81 - 29 October 2020
|
||||
|
||||
- Fix regression in 2020.79 which prevented connecting with some SSH
|
||||
|
||||
@ -18,7 +18,9 @@ IMPORTANT: Some options will require "make clean" after changes */
|
||||
/* Listen on all interfaces */
|
||||
#define DROPBEAR_DEFADDRESS ""
|
||||
|
||||
/* Default hostkey paths - these can be specified on the command line */
|
||||
/* Default hostkey paths - these can be specified on the command line.
|
||||
* Homedir is prepended if path begins with ~
|
||||
*/
|
||||
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
|
||||
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
|
||||
#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
|
||||
@ -231,9 +233,10 @@ group1 in Dropbear server too */
|
||||
#define DROPBEAR_CLI_PASSWORD_AUTH 1
|
||||
#define DROPBEAR_CLI_PUBKEY_AUTH 1
|
||||
|
||||
/* A default argument for dbclient -i <privatekey>.
|
||||
Homedir is prepended unless path begins with / */
|
||||
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
|
||||
/* A default argument for dbclient -i <privatekey>.
|
||||
* Homedir is prepended if path begins with ~
|
||||
*/
|
||||
#define DROPBEAR_DEFAULT_CLI_AUTHKEY "~/.ssh/id_dropbear"
|
||||
|
||||
/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
|
||||
* environment variable. */
|
||||
@ -275,7 +278,9 @@ Homedir is prepended unless path begins with / */
|
||||
#define UNAUTH_CLOSE_DELAY 0
|
||||
|
||||
/* The default file to store the daemon's process ID, for shutdown
|
||||
scripts etc. This can be overridden with the -P flag */
|
||||
* scripts etc. This can be overridden with the -P flag.
|
||||
* Homedir is prepended if path begins with ~
|
||||
*/
|
||||
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
|
||||
|
||||
/* The command to invoke for xauth when using X11 forwarding.
|
||||
@ -283,9 +288,11 @@ Homedir is prepended unless path begins with / */
|
||||
#define XAUTH_COMMAND "/usr/bin/xauth -q"
|
||||
|
||||
|
||||
/* if you want to enable running an sftp server (such as the one included with
|
||||
/* If you want to enable running an sftp server (such as the one included with
|
||||
* OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
|
||||
* The sftp-server program is not provided by Dropbear itself */
|
||||
* The sftp-server program is not provided by Dropbear itself.
|
||||
* Homedir is prepended if path begins with ~
|
||||
*/
|
||||
#define DROPBEAR_SFTPSERVER 1
|
||||
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
|
||||
|
||||
|
||||
@ -685,8 +685,10 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
|
||||
if (issubsys) {
|
||||
#if DROPBEAR_SFTPSERVER
|
||||
if ((cmdlen == 4) && strncmp(chansess->cmd, "sftp", 4) == 0) {
|
||||
char *expand_path = expand_homedir_path(SFTPSERVER_PATH);
|
||||
m_free(chansess->cmd);
|
||||
chansess->cmd = m_strdup(SFTPSERVER_PATH);
|
||||
chansess->cmd = m_strdup(expand_path);
|
||||
m_free(expand_path);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
|
||||
21
svr-kex.c
21
svr-kex.c
@ -106,6 +106,7 @@ void recv_msg_kexdh_init() {
|
||||
static void svr_ensure_hostkey() {
|
||||
|
||||
const char* fn = NULL;
|
||||
char *expand_fn = NULL;
|
||||
enum signkey_type type = ses.newkeys->algo_hostkey;
|
||||
void **hostkey = signkey_key_ptr(svr_opts.hostkey, type);
|
||||
int ret = DROPBEAR_FAILURE;
|
||||
@ -142,15 +143,19 @@ static void svr_ensure_hostkey() {
|
||||
dropbear_assert(0);
|
||||
}
|
||||
|
||||
if (readhostkey(fn, svr_opts.hostkey, &type) == DROPBEAR_SUCCESS) {
|
||||
return;
|
||||
expand_fn = expand_homedir_path(fn);
|
||||
|
||||
ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
|
||||
if (ret == DROPBEAR_SUCCESS) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (signkey_generate(type, 0, fn, 1) == DROPBEAR_FAILURE) {
|
||||
if (signkey_generate(type, 0, expand_fn, 1) == DROPBEAR_FAILURE) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = readhostkey(fn, svr_opts.hostkey, &type);
|
||||
/* Read what we just generated (or another process raced us) */
|
||||
ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
|
||||
|
||||
if (ret == DROPBEAR_SUCCESS) {
|
||||
char *fp = NULL;
|
||||
@ -161,16 +166,16 @@ static void svr_ensure_hostkey() {
|
||||
len = key_buf->len - key_buf->pos;
|
||||
fp = sign_key_fingerprint(buf_getptr(key_buf, len), len);
|
||||
dropbear_log(LOG_INFO, "Generated hostkey %s, fingerprint is %s",
|
||||
fn, fp);
|
||||
expand_fn, fp);
|
||||
m_free(fp);
|
||||
buf_free(key_buf);
|
||||
}
|
||||
|
||||
out:
|
||||
if (ret == DROPBEAR_FAILURE)
|
||||
{
|
||||
dropbear_exit("Couldn't read or generate hostkey %s", fn);
|
||||
if (ret == DROPBEAR_FAILURE) {
|
||||
dropbear_exit("Couldn't read or generate hostkey %s", expand_fn);
|
||||
}
|
||||
m_free(expand_fn);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
@ -163,7 +163,7 @@ void svr_getopts(int argc, char ** argv) {
|
||||
svr_opts.portcount = 0;
|
||||
svr_opts.hostkey = NULL;
|
||||
svr_opts.delay_hostkey = 0;
|
||||
svr_opts.pidfile = DROPBEAR_PIDFILE;
|
||||
svr_opts.pidfile = expand_homedir_path(DROPBEAR_PIDFILE);
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
svr_opts.nolocaltcp = 0;
|
||||
#endif
|
||||
@ -530,12 +530,14 @@ static void loadhostkey_helper(const char *name, void** src, void** dst, int fat
|
||||
/* Must be called after syslog/etc is working */
|
||||
static void loadhostkey(const char *keyfile, int fatal_duplicate) {
|
||||
sign_key * read_key = new_sign_key();
|
||||
char *expand_path = expand_homedir_path(keyfile);
|
||||
enum signkey_type type = DROPBEAR_SIGNKEY_ANY;
|
||||
if (readhostkey(keyfile, read_key, &type) == DROPBEAR_FAILURE) {
|
||||
if (readhostkey(expand_path, read_key, &type) == DROPBEAR_FAILURE) {
|
||||
if (!svr_opts.delay_hostkey) {
|
||||
dropbear_log(LOG_WARNING, "Failed loading %s", keyfile);
|
||||
dropbear_log(LOG_WARNING, "Failed loading %s", expand_path);
|
||||
}
|
||||
}
|
||||
m_free(expand_path);
|
||||
|
||||
#if DROPBEAR_RSA
|
||||
if (type == DROPBEAR_SIGNKEY_RSA) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user