Vladislav Grishenko
2301b6ac0b
Disallow leading lines before the ident for server (#102)
Per RFC4253 4.2 clients must be able to process other lines of data
before the version string; server behavior is defined neither
with MUST/SHOULD nor with MAY.
If the server processes up to 50 lines too, it may cause a too-long hanging
session with an invalid/evil client that consumes host resources and
potentially may lead to DDoS on poor embedded boxes.
Let's require the first line from the client to be the version string and fail
early if it's not - matches both RFC and real OpenSSH behavior.
2020-06-15 21:22:18 +08:00
Matt Johnston
fa116e983b
Rename EPKA -> Plugin
2019-05-15 21:59:45 +08:00
fabriziobertocci
8c6aaf8d36
External Public-Key Authentication API (#72)
* Implemented dynamic loading of an external plug-in shared library to delegate public key authentication
* Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled
* Added tags file to the ignore list
* Updated API to have the constructor return function pointers in the plugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear parse and process them
* Added -rdynamic to the linker flags when EPKA is enabled
* Changed the API to pass a previously created session to the checkPubKey function (created during preauth)
* Added documentation to the API
* Added parameter addrstring to plugin creation function
* Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session)
* Changed option string to be a simple char * instead of unsigned char *
2019-05-15 21:43:57 +08:00
Matt Johnston
0afcfafbb9
Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode
2019-03-20 22:57:06 +08:00
Matt Johnston
a60725740b
workaround memory sanitizer FD_ZERO false positives
2018-03-06 21:51:51 +08:00
Matt Johnston
7f15910541
get rid of unused packet_type in encrypted write queue
2018-03-04 14:57:18 +08:00
Matt Johnston
c658b275fd
- #if not #ifdef for DROPBEAR_FUZZ
- fix some unused variables
--HG--
branch : fuzz
2018-02-28 21:40:08 +08:00
Matt Johnston
5df73215f8
merge from main
--HG--
branch : fuzz
2018-02-26 22:44:48 +08:00
François Perrad
7efe873d73
use a full prototype (#56)
2018-02-20 23:13:42 +08:00
Matt Johnston
7e8094d53a
merge from main
--HG--
branch : fuzz
2018-02-17 19:29:51 +08:00
Matt Johnston
a1aa161527
make signal flags volatile, simplify handling
2018-02-14 23:06:01 +08:00
Matt Johnston
c169423051
glaring wrapfd problems fixed
--HG--
branch : fuzz
2017-05-20 22:47:19 +08:00
Matt Johnston
fdc6f32392
closer to working
--HG--
branch : fuzz
2017-05-20 13:23:16 +08:00
Matt Johnston
c6e912f9e2
merge 2016.74
2016-07-21 23:38:42 +08:00
Matt Johnston
32a28d0d9c
Convert #ifdef to #if, other build changes
2016-05-04 15:33:40 +02:00
Matt Johnston
171456c683
Avoid busy loop while waiting for rekey response
2016-04-29 23:04:10 +08:00
Matt Johnston
64e6e3aca9
better TRACE of failed remote ident
2016-07-11 21:51:25 +08:00
Matt Johnston
8174300429
Avoid busy loop while waiting for rekey response
2016-04-29 23:04:10 +08:00
Francois Perrad
3e20c442de
fix empty C prototypes
2016-03-16 22:41:20 +08:00
Matt Johnston
ee353847be
Fix ses.channel_signal_pending race
2015-11-27 21:26:43 +08:00
Matt Johnston
8ccbd216c6
make sure that the test for queued packets to write occurs after
those packets might have been enqueued by set_connect_fds()
2015-09-29 21:53:27 +08:00
Matt Johnston
24bae46e42
only update keepalive timeout post-auth (when keepalives are sent)
2015-08-07 21:02:49 +08:00
Matt Johnston
2e60d20a76
set timeouts to time remaining rather than timeout duration
2015-08-03 23:05:43 +08:00
Matt Johnston
ce59260ee9
Fix problem where auth timeout wasn't checked when waiting for ident
2015-08-03 21:59:40 +08:00
Matt Johnston
1a4db21fe4
buf_getstring and buf_putstring now use non-unsigned char*
2015-06-04 23:08:50 +08:00
Matt Johnston
e7ac4c1ab3
Merge pull request #13 from gazoo74/fix-warnings
Fix warnings
2015-06-04 22:25:28 +08:00
Gaël PORTAY
224b16b247
Fix pointer differ in signedness warnings [-Werror=pointer-sign]
2015-05-05 20:39:13 +02:00
Matt Johnston
0e1dee828a
Make sure kexfirstinitialise is called early enough
2015-05-03 00:00:35 +08:00
Matt Johnston
19e1afbd1c
Fix no-writev fallback
2015-05-02 22:47:25 +08:00
Matt Johnston
275611fbaa
Make main socket nonblocking. Limit writequeue size.
2015-03-20 23:36:42 +08:00
Matt Johnston
9e66b5a9b1
reword comment for clarity
--HG--
branch : nocircbuffer
2015-03-01 23:26:42 +08:00
Matt Johnston
89c0b2a6d8
Add cleanup
--HG--
branch : fastopen
2015-02-28 23:15:23 +08:00
Matt Johnston
31e379c300
merge from default
--HG--
branch : fastopen
2015-02-28 09:06:40 +08:00
Matt Johnston
8008b595d3
Some additional cleanup functions
2015-02-24 22:17:04 +08:00
Matt Johnston
21bed0d21a
Free memory before exiting. Based on patch from Thorsten Horstmann.
Client side is not complete.
2015-02-24 22:01:33 +08:00
Thorsten Horstmann
ab9439519a
Fix for old compilers, variable declarations at beginning of functions
and /**/ comments
2015-02-24 20:51:18 +08:00
Matt Johnston
364a53577e
Move generic network routines to netio.c
--HG--
branch : fastopen
2015-02-20 23:16:38 +08:00
Matt Johnston
1b1997bf2d
Update priority once the socket is open
--HG--
branch : fastopen
2015-02-20 22:13:53 +08:00
Matt Johnston
755c1458f0
async connections working
--HG--
branch : fastopen
2015-02-18 22:46:15 +08:00
Matt Johnston
2c35f1c8fd
Add environment variable for debug timestamps to roughly match
network timestamps (in tshark)
2015-02-13 23:47:53 +08:00
Matt Johnston
136188259e
Fix print that no longer works since we're not using fourCCs
2015-02-13 23:17:23 +08:00
Matt Johnston
6d2d3669f3
Make keepalive handling more robust, this should now match what OpenSSH does
2014-08-19 23:08:56 +08:00
Matt Johnston
10eb218fb0
Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses
2014-08-13 21:48:47 +08:00
Matt Johnston
da57dd13c5
Set tcp priority as follows:
if (connecting || ptys || x11) tos = LOWDELAY;
else if (tcp_forwards) tos = 0;
else tos = BULK;
TCP forwards could be either lowdelay or bulk, hence the default priority.
2014-07-16 22:53:32 +08:00
Matt Johnston
f1826ea389
Fix auth timeout regression
2014-07-09 22:02:22 +08:00
Matt Johnston
c884e5000e
Make -K keepalive behave like OpenSSH's ServerAliveInterval
2014-07-09 00:15:20 +08:00
Matt Johnston
db688e3ec1
Experiment of always writing data if available. Might waste a writev() with
EAGAIN but always saves a select() - needs testing with bandwidth-limited
and CPU-limited situations.
2014-03-15 11:37:02 +08:00
Matt Johnston
e767bbb41f
Add new monotonic_now() wrapper so that timeouts are unaffected by
system clock changes
2014-03-13 23:50:09 +08:00
Matt Johnston
2b599df57a
Fix typo
2014-03-13 23:08:47 +08:00
Yousong Zhou
5baa10a6b6
Use AUTH_TIMEOUT only before authdone != 1.
While at it, fix a few indentations and typo.
2014-03-13 16:28:16 +08:00