Disable telnet in favor of passwordless SSH

This enables passworldless login for root via SSH whenever no root password is set (e.g. after reset, flashing without keeping config or in failsafe) and removes telnet support alltogether. Signed-off-by: Steven Barth <steven@midlink.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46809 3c298f89-4303-0410-b956-a3cf2f4a3e73
author: Steven Barth <steven@midlink.org> 2015-09-07 19:29:25 +0000
committer: Steven Barth <steven@midlink.org> 2015-09-07 19:29:25 +0000
commit: a35a7afc9f15b4c084c996ab0dbcd833b45f30d5 (patch)
tree: ecf2f61a21f0106e7e00775ef8aab37861f0faf7
parent: 1c61a0bf2363d6300e4fedae2506e93147135a0b (diff)
download: master-187ad058-a35a7afc9f15b4c084c996ab0dbcd833b45f30d5.tar.gz
master-187ad058-a35a7afc9f15b4c084c996ab0dbcd833b45f30d5.tar.bz2
master-187ad058-a35a7afc9f15b4c084c996ab0dbcd833b45f30d5.zip
9 files changed, 49 insertions, 48 deletions
diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh
index 25627b66b2..754d290857 100755
--- a/package/base-files/files/bin/login.sh
+++ b/package/base-files/files/bin/login.sh
@@ -10,8 +10,7 @@ then
 else
 cat << EOF
  === IMPORTANT ============================
-  Use 'passwd' to set your login password
-  this will disable telnet and enable SSH
+  Use 'passwd' to set your login password!
  ------------------------------------------
 EOF
 fi
diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login
index 15dcbd884f..b12e31702a 100644
--- a/package/base-files/files/lib/preinit/99_10_failsafe_login
+++ b/package/base-files/files/lib/preinit/99_10_failsafe_login
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-	telnetd -l /bin/login.sh <> /dev/null 2>&1
+	dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+	dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
 
 failsafe_shell() {
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8988e0db12..f140f36dcc 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index f3931b0ccc..805a0964ab 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,6 +18,17 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
 @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644
index 0000000000..7c67b086bb
--- /dev/null
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+ 				AUTH_METHOD_NONE_LEN) == 0) {
+ 		TRACE(("recv_msg_userauth_request: 'none' request"))
+ 		if (valid_user
+-				&& svr_opts.allowblankpass
++				&& (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ 				&& !svr_opts.noauthpass
+ 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+ 				&& ses.authstate.pw_passwd[0] == '\0') 
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644
index 0000000000..ee6d273344
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+ 		m_free(hostkey_file);
+ 	}
+ 
++	if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+ 	loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+ 	loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++	}
+ 
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ 	if (svr_opts.delay_hostkey) {
diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
index 7b4cd99a5d..d961bfaaee 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
 	default n
 config BUSYBOX_DEFAULT_TELNET
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
 	bool
 	default n
 config BUSYBOX_DEFAULT_TELNETD
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
 	bool
 	default n
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 9571d48bec..a65f44f8fe 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -110,7 +110,6 @@ define Package/busybox/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(CP) $(PKG_INSTALL_DIR)/* $(1)/
 	$(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
-	$(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
 	$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
 	$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
 	-rm -rf $(1)/lib64
diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet
deleted file mode 100755
index a1d1cdf9b1..0000000000
--- a/package/utils/busybox/files/telnet
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
-	local pwd=$([ -f "$1" ] && cat "$1")
-	      pwd="${pwd#*root:}"
-	      pwd="${pwd%%:*}"
-
-	test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
-	local homedir=$([ -f "$1" ] && cat "$1")
-	homedir="${homedir#*:*:0:0:*:}"
-
-	echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
-	( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
-	( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
-	if ( ! has_ssh_pubkey && \
-	     ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
-	   ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
-	then
-		procd_open_instance
-		procd_set_param command "$PROG" -F -l /bin/login.sh
-		procd_close_instance
-	fi
-}
author	Steven Barth <steven@midlink.org>	2015-09-07 19:29:25 +0000
committer	Steven Barth <steven@midlink.org>	2015-09-07 19:29:25 +0000
commit	a35a7afc9f15b4c084c996ab0dbcd833b45f30d5 (patch)
tree	ecf2f61a21f0106e7e00775ef8aab37861f0faf7
parent	1c61a0bf2363d6300e4fedae2506e93147135a0b (diff)
download	master-187ad058-a35a7afc9f15b4c084c996ab0dbcd833b45f30d5.tar.gz master-187ad058-a35a7afc9f15b4c084c996ab0dbcd833b45f30d5.tar.bz2 master-187ad058-a35a7afc9f15b4c084c996ab0dbcd833b45f30d5.zip