ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-01-31 02:46:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,876 Commits 5 Branches 63 Tags 14 MiB
923a65ea0d
Commit Graph

61 Commits

Author SHA1 Message Date
Matt Johnston
71d78653c7 Merge pull request #160 from Jackkal/two-factor-authentication 
Two-factor authentication support (pubkey and password)
 2022-11-09 17:33:48 +08:00
Matt Johnston
561ef41230 Merge egor-duda:sk-authkey-options 
Github pull request #172
 2022-11-09 16:14:59 +08:00
Jackkal
427e49003a make comments consistent and fix typo 2022-06-21 22:48:56 +02:00
k-kurematsu
e03abf0d1a
Fix misleading error message 
As per the message, even if I deleted the write permission(chmod -007), but an error occurred.
It's a source of confusion, so fix the message.
 2022-06-21 17:58:12 +09:00
Egor Duda
62ea53c1e5
Implement no-touch-required and verify-requred for authorized_keys file 2022-06-11 19:17:40 +03:00
Jackkal
0c9318a0b2 Two-factor authentication support (pubkey and password) 2022-04-29 15:43:15 +02:00
Matt Johnston
2f68f6693f Check authorized_keys permissions as the user 
This is necessary on NFS with squash root.
Based on work from Chris Dragan
This commit also tidies some trailing whitespace.

Fixes github pull #107
 2022-03-30 12:56:09 +08:00
Matt Johnston
6ad6210901 Print the key type in "Pubkey auth succeeded" 2022-03-30 11:51:56 +08:00
Matt Johnston
98ef42a856 Don't set pubkey_info directly in checkpubkey_line 
This makes it safe to use from fuzzer-pubkey without leaking
the value since the cleanup isn't called
 2022-03-16 18:35:23 +08:00
Matt Johnston
10875e8524 Fix SSH_PUBKEYINFO, limit characters, add tests 
We fix a bad_bufptr() failure from a previous commit. We now limit
the allowed characters to those that will definitely be safe
in a shell. Some scripts/programs may use arbitrary environment
variables without escaping correctly - that could be a problem
in a restricted environment.

The current allowed set is a-z A-Z 0-9 .,_-+@

This also adds a test for SSH_PUBKEYINFO, by default it only runs
under github actions (or "act -j build").
 2022-03-16 17:23:58 +08:00
HansH111
212583544a use buf_getptr and m_free on every iteration before m_malloc to insure no memory leaks are happening 2022-03-15 18:57:21 +00:00
HansH111
80e7143fd2 extract pubkey_info when seuccesfully auth with a key and free it in the cleanup function 2022-03-13 17:38:13 +00:00
Matt Johnston
037d26f055 Add buf_decrpos() 2020-10-24 18:56:45 +08:00
Matt Johnston
972d723484 split signkey_type and signature_type for RSA sha1 vs sha256 2020-05-17 23:58:31 +08:00
Matt Johnston
7dc2f36c3e use sigtype where appropriate 2020-04-06 23:18:26 +08:00
Matt Johnston
fa116e983b Rename EPKA -> Plugin 2019-05-15 21:59:45 +08:00
fabriziobertocci
8c6aaf8d36 External Public-Key Authentication API (#72) 
* Implemented dynamic loading of an external plug-in shared library to delegate public key authentication

* Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled

* Added tags file to the ignore list

* Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them

* Added -rdynamic to the linker flags when EPKA is enabled

* Changed the API to pass a previously created session to the checkPubKey function (created during preauth)

* Added documentation to the API

* Added parameter addrstring to plugin creation function

* Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session)

* Changed option string to be a simple char * instead of unsigned char *
 2019-05-15 21:43:57 +08:00
Patrick Stewart
0af22aa8e4 Support servers without multiple user support (#76) 2019-03-20 22:44:49 +08:00
François Perrad
28b6111db0 use strlcpy & strlcat (#74) 
* refactor checkpubkeyperms() with safe BSD functions

fix gcc8 warnings
```
svr-authpubkey.c: In function 'checkpubkeyperms':
svr-authpubkey.c:427:2: warning: 'strncat' specified bound 5 equals source length [-Wstringop-overflow=]
  strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
svr-authpubkey.c:433:2: warning: 'strncat' specified bound 16 equals source length [-Wstringop-overflow=]
  strncat(filename, "/authorized_keys", 16);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

see https://www.sudo.ws/todd/papers/strlcpy.html

* restore strlcpy in xstrdup

see original https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/xmalloc.c?rev=1.16
 2019-03-20 22:09:19 +08:00
Matt Johnston
ad3eacf3d6 Merge bugfix delay invalid users 2018-08-23 23:43:45 +08:00
Matt Johnston
52adbb34c3 Wait to fail invalid usernames 2018-08-23 23:43:12 +08:00
Matt Johnston
27828c742c don't allow null characters in authorized_keys 2018-03-07 22:16:21 +08:00
Matt Johnston
e9edbe8bb2 avoid leak of pubkey_options 2018-03-06 22:18:20 +08:00
Matt Johnston
c658b275fd - #if not #ifdef for DROPBEAR_FUZZ 
- fix some unused variables

--HG--
branch : fuzz
 2018-02-28 21:40:08 +08:00
Matt Johnston
7e8094d53a merge from main 
--HG--
branch : fuzz
 2018-02-17 19:29:51 +08:00
Matt Johnston
e0748b1970 Remove accidentally committed DROPBEAR_FUZZ 2018-02-16 23:17:15 +08:00
Matt Johnston
e64e25e4d6 Merge pull request #49 from fperrad/20170812_lint 
Some linting, const parameters
 2018-01-25 21:55:25 +08:00
Matt Johnston
dd8988220e fix checkpubkey_line function name for TRACE 2017-10-04 22:30:18 +08:00
Matt Johnston
cc803ee802 fix pubkey authentication return value 2017-10-04 22:29:42 +08:00
Francois Perrad
89e64c631e Pointer parameter could be declared as pointing to const 2017-08-19 17:16:13 +02:00
Matt Johnston
72f85ad90f limit input size 2017-05-25 22:21:23 +08:00
Matt Johnston
fb4e07f7a8 don't exit encountering short lines 2017-05-25 00:10:18 +08:00
Matt Johnston
6e0b539e9c split out checkpubkey_line() separately 2017-05-23 22:29:21 +08:00
Matt Johnston
45b27b0194 merge 2017.75 2017-05-18 22:59:38 +08:00
Matt Johnston
93f3c31807 switch user when opening authorized_keys 2017-05-10 00:20:21 +08:00
Matt Johnston
32a28d0d9c Convert #ifdef to #if, other build changes 2016-05-04 15:33:40 +02:00
Francois Perrad
3e20c442de fix empty C prototypes 2016-03-16 22:41:20 +08:00
Matt Johnston
1a4db21fe4 buf_getstring and buf_putstring now use non-unsigned char* 2015-06-04 23:08:50 +08:00
Gaël PORTAY
5cf43d76bf Turn checkpubkey() and send_msg_userauth_pk_ok()'s algo argument into char * 2015-05-05 20:39:14 +02:00
Gaël PORTAY
224b16b247 Fix pointer differ in signess warnings [-Werror=pointer-sign] 2015-05-05 20:39:13 +02:00
Matt Johnston
f782cf375a Fix pubkey auth after change to reuse ses.readbuf as ses.payload 
(4d7b4c5526c5)

--HG--
branch : nocircbuffer
 2015-03-01 23:02:06 +08:00
Matt Johnston
b77864931b Don't exit fatally if authorized_keys has a line like 
command="something" ssh-rsa

--HG--
branch : ecc
 2013-11-12 23:58:51 +08:00
Matt Johnston
e60a84d0ed Various cleanups and fixes for warnings 
--HG--
branch : ecc
 2013-11-12 23:02:32 +08:00
Matt Johnston
c797c1750c - Fix various hardcoded uses of SHA1 
- rename curves to nistp256 etc
- fix svr-auth.c TRACE problem

--HG--
branch : ecc
 2013-04-08 00:10:57 +08:00
Matt Johnston
c6bdc810ab ecc kind of works, needs fixing/testing 
--HG--
branch : ecc
 2013-04-07 01:36:42 +08:00
Matt Johnston
38ed870ffe Improve capitalisation for all logged strings 
--HG--
extra : convert_revision : 997e53cec7a9efb7413ac6e17b6be60a5597bd2e
 2011-02-23 15:50:30 +00:00
Matt Johnston
31fa5e605b - Rework pubkey options to be more careful about buffer lengths. Needs review. 
--HG--
branch : pubkey-options
extra : convert_revision : 537a6ebebb46424b967ffe787f0f8560e5f447e8
 2008-09-12 17:23:56 +00:00
Matt Johnston
c0ce2a6a97 * Patch from Frédéric Moulins adding options to authorized_keys. 
Needs review.

--HG--
branch : pubkey-options
extra : convert_revision : 26872f944d79ddacff1070aab32115a6d726392c
 2008-09-08 15:14:02 +00:00
Matt Johnston
bb0548b3b0 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep 
--HG--
extra : convert_revision : 295b11312e327fe6c4f33512674ea4a1a9790344
 2008-01-13 03:55:59 +00:00
Matt Johnston
c077f22fb4 Improve known_hosts checking. 
--HG--
extra : convert_revision : b7933fa29cbedeb53b79a0b60aaa0f049e003cb2
 2007-02-22 15:29:32 +00:00