diff options
Diffstat (limited to 'package/network/services/dropbear')
13 files changed, 618 insertions, 0 deletions
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in new file mode 100644 index 0000000..e2a7610 --- /dev/null +++ b/package/network/services/dropbear/Config.in @@ -0,0 +1,27 @@ +menu "Configuration" + depends on PACKAGE_dropbear + +config DROPBEAR_ECC + bool "Elliptic curve cryptography (ECC)" + default n + help + Enables elliptic curve cryptography (ECC) support in key exchange and public key + authentication. + + Key exchange algorithms: + ecdh-sha2-nistp256 + ecdh-sha2-nistp384 + ecdh-sha2-nistp521 + curve25519-sha256@libssh.org + + Public key algorithms: + ecdsa-sha2-nistp256 + ecdsa-sha2-nistp384 + ecdsa-sha2-nistp521 + + Does not generate ECC host keys by default (ECC key exchange will not be used, + only ECC public key auth). + + Increases binary size by about 36 kB (MIPS). + +endmenu diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile new file mode 100644 index 0000000..4515165 --- /dev/null +++ b/package/network/services/dropbear/Makefile @@ -0,0 +1,128 @@ +# +# Copyright (C) 2006-2014 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=dropbear +PKG_VERSION:=2015.68 +PKG_RELEASE:=3 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 +PKG_SOURCE_URL:= \ + http://matt.ucc.asn.au/dropbear/releases/ \ + https://dropbear.nl/mirror/releases/ +PKG_MD5SUM:=7664ac10f7cc2301c530eb80c756fc5d + +PKG_LICENSE:=MIT +PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE + +PKG_BUILD_PARALLEL:=1 +PKG_USE_MIPS16:=0 + +PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC + +include $(INCLUDE_DIR)/package.mk + +define Package/dropbear/Default + URL:=http://matt.ucc.asn.au/dropbear/ +endef + +define Package/dropbear/config + source "$(SOURCE)/Config.in" +endef + +define Package/dropbear + $(call Package/dropbear/Default) + SECTION:=net + CATEGORY:=Base system + TITLE:=Small SSH2 client/server +endef + +define Package/dropbear/description + A small SSH2 server/client designed for small memory environments. +endef + +define Package/dropbear/conffiles +/etc/dropbear/dropbear_rsa_host_key +/etc/config/dropbear +endef + +define Package/dropbearconvert + $(call Package/dropbear/Default) + SECTION:=utils + CATEGORY:=Utilities + TITLE:=Utility for converting SSH keys +endef + +CONFIGURE_ARGS += \ + --disable-pam \ + --enable-openpty \ + --enable-syslog \ + $(if $(CONFIG_SHADOW_PASSWORDS),,--disable-shadow) \ + --disable-lastlog \ + --disable-utmp \ + --disable-utmpx \ + --disable-wtmp \ + --disable-wtmpx \ + --disable-loginfunc \ + --disable-pututline \ + --disable-pututxline \ + --disable-zlib \ + --enable-bundled-libtom + +TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections + +define Build/Configure + $(Build/Configure/Default) + + # Enforce that all replacements are made, otherwise options.h has changed + # format and this logic is broken. + for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \ + awk 'BEGIN { rc = 1 } \ + /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \ + { print } \ + END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ + >$(PKG_BUILD_DIR)/options.h.new && \ + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \ + done +endef + +define Build/Compile + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + $(TARGET_CONFIGURE_OPTS) \ + PROGRAMS="dropbear dbclient dropbearkey scp" \ + MULTI=1 SCPPROGRESS=1 + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + $(TARGET_CONFIGURE_OPTS) \ + PROGRAMS="dropbearconvert" +endef + +define Package/dropbear/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear + $(INSTALL_DIR) $(1)/usr/bin + $(LN) ../sbin/dropbear $(1)/usr/bin/scp + $(LN) ../sbin/dropbear $(1)/usr/bin/ssh + $(LN) ../sbin/dropbear $(1)/usr/bin/dbclient + $(LN) ../sbin/dropbear $(1)/usr/bin/dropbearkey + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/dropbear.config $(1)/etc/config/dropbear + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear + $(INSTALL_DIR) $(1)/usr/lib/opkg/info + $(INSTALL_DIR) $(1)/etc/dropbear + touch $(1)/etc/dropbear/dropbear_rsa_host_key +endef + +define Package/dropbearconvert/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearconvert $(1)/usr/bin/dropbearconvert +endef + +$(eval $(call BuildPackage,dropbear)) +$(eval $(call BuildPackage,dropbearconvert)) diff --git a/package/network/services/dropbear/files/dropbear.config b/package/network/services/dropbear/files/dropbear.config new file mode 100644 index 0000000..2139ba0 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.config @@ -0,0 +1,5 @@ +config dropbear + option PasswordAuth 'on' + option RootPasswordAuth 'on' + option Port '22' +# option BannerFile '/etc/banner' diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init new file mode 100755 index 0000000..03745c9 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.init @@ -0,0 +1,178 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2006-2010 OpenWrt.org +# Copyright (C) 2006 Carlos Sobrinho + +START=50 +STOP=50 + +USE_PROCD=1 +PROG=/usr/sbin/dropbear +NAME=dropbear +PIDCOUNT=0 +EXTRA_COMMANDS="killclients" +EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself" + +append_ports() +{ + local ipaddrs="$1" + local port="$2" + + [ -z "$ipaddrs" ] && { + procd_append_param command -p "$port" + return + } + + for addr in $ipaddrs; do + procd_append_param command -p "$addr:$port" + done +} + +validate_section_dropbear() +{ + uci_validate_section dropbear dropbear "${1}" \ + 'PasswordAuth:bool:1' \ + 'enable:bool:1' \ + 'Interface:string' \ + 'GatewayPorts:bool:0' \ + 'RootPasswordAuth:bool:1' \ + 'RootLogin:bool:1' \ + 'rsakeyfile:file' \ + 'BannerFile:file' \ + 'Port:list(port):22' \ + 'SSHKeepAlive:uinteger:300' \ + 'IdleTimeout:uinteger:0' \ + 'mdns:uinteger:1' +} + +dropbear_instance() +{ + local PasswordAuth enable Interface GatewayPorts \ + RootPasswordAuth RootLogin rsakeyfile \ + BannerFile Port SSHKeepAlive IdleTimeout \ + mdns ipaddrs + + validate_section_dropbear "${1}" || { + echo "validation failed" + return 1 + } + + [ -n "${Interface}" ] && { + network_get_ipaddrs_all ipaddrs "${Interface}" || { + echo "interface ${Interface} has no physdev or physdev has no suitable ip" + return 1 + } + } + + [ "${enable}" = "0" ] && return 1 + PIDCOUNT="$(( ${PIDCOUNT} + 1))" + local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid" + + procd_open_instance + procd_set_param command "$PROG" -F -P "$pid_file" + [ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s + [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a + [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g + [ "${RootLogin}" -eq 0 ] && procd_append_param command -w + [ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}" + [ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}" + append_ports "${ipaddrs}" "${Port}" + [ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}" + [ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}" + [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear" + procd_set_param respawn + procd_close_instance +} + +keygen() +{ + for keytype in rsa; do + # check for keys + key=dropbear/dropbear_${keytype}_host_key + [ -f /tmp/$key -o -s /etc/$key ] || { + # generate missing keys + mkdir -p /tmp/dropbear + [ -x /usr/bin/dropbearkey ] && { + /usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start + } & + exit 0 + } + done + + lock /tmp/.switch2jffs + mkdir -p /etc/dropbear + mv /tmp/dropbear/dropbear_* /etc/dropbear/ + lock -u /tmp/.switch2jffs + chown root /etc/dropbear + chmod 0700 /etc/dropbear +} + +start_service() +{ + [ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen + + . /lib/functions.sh + . /lib/functions/network.sh + + config_load "${NAME}" + config_foreach dropbear_instance dropbear +} + +service_triggers() +{ + procd_add_reload_trigger "dropbear" + procd_add_validation validate_section_dropbear +} + +killclients() +{ + local ignore='' + local server + local pid + + # if this script is run from inside a client session, then ignore that session + pid="$$" + while [ "${pid}" -ne 0 ] + do + # get parent process id + pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"` + [ "${pid}" -eq 0 ] && break + + # check if client connection + grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && { + append ignore "${pid}" + break + } + done + + # get all server pids that should be ignored + for server in `cat /var/run/${NAME}.*.pid` + do + append ignore "${server}" + done + + # get all running pids and kill client connections + local skip + for pid in `pidof "${NAME}"` + do + # check if correct program, otherwise process next pid + grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || { + continue + } + + # check if pid should be ignored (servers, ourself) + skip=0 + for server in ${ignore} + do + if [ "${pid}" = "${server}" ] + then + skip=1 + break + fi + done + [ "${skip}" -ne 0 ] && continue + + # kill process + echo "${initscript}: Killing ${pid}..." + kill -KILL ${pid} + done +} diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch new file mode 100644 index 0000000..41fdc1a --- /dev/null +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -0,0 +1,91 @@ +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig + goto out; + } + +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw_dir); +- +- /* open the file */ +- authfile = fopen(filename, "r"); ++ if (ses.authstate.pw_uid != 0) { ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ++ ses.authstate.pw_dir); ++ ++ /* open the file */ ++ authfile = fopen(filename, "r"); ++ } else { ++ authfile = fopen("/etc/dropbear/authorized_keys","r"); ++ } + if (authfile == NULL) { + goto out; + } +@@ -381,26 +385,35 @@ static int checkpubkeyperms() { + goto out; + } + +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw_dir, len+1); +- +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; ++ if (ses.authstate.pw_uid == 0) { ++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ } else { ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); ++ ++ /* check ~ */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* check ~/.ssh */ ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* now check ~/.ssh/authorized_keys */ ++ strncat(filename, "/authorized_keys", 16); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } + } + + /* file looks ok, return success */ diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch new file mode 100644 index 0000000..4b5c1cb --- /dev/null +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -0,0 +1,18 @@ +--- a/svr-chansession.c ++++ b/svr-chansession.c +@@ -922,12 +922,12 @@ static void execchild(void *user_data) { + /* We can only change uid/gid as root ... */ + if (getuid() == 0) { + +- if ((setgid(ses.authstate.pw_gid) < 0) || ++ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) || + (initgroups(ses.authstate.pw_name, +- ses.authstate.pw_gid) < 0)) { ++ ses.authstate.pw_gid) < 0))) { + dropbear_exit("Error changing user group"); + } +- if (setuid(ses.authstate.pw_uid) < 0) { ++ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { + dropbear_exit("Error changing user"); + } + } else { diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch new file mode 100644 index 0000000..87118ef --- /dev/null +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch @@ -0,0 +1,81 @@ +--- a/options.h ++++ b/options.h +@@ -41,7 +41,7 @@ + * Both of these flags can be defined at once, don't compile without at least + * one of them. */ + #define NON_INETD_MODE +-#define INETD_MODE ++/*#define INETD_MODE*/ + + /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is + * perhaps 20% slower for pubkey operations (it is probably worth experimenting +@@ -81,7 +81,7 @@ much traffic. */ + + /* Enable "Netcat mode" option. This will forward standard input/output + * to a remote TCP-forwarded connection */ +-#define ENABLE_CLI_NETCAT ++/*#define ENABLE_CLI_NETCAT*/ + + /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ + #define ENABLE_USER_ALGO_LIST +@@ -91,16 +91,16 @@ much traffic. */ + * Including multiple keysize variants the same cipher + * (eg AES256 as well as AES128) will result in a minimal size increase.*/ + #define DROPBEAR_AES128 +-#define DROPBEAR_3DES ++/*#define DROPBEAR_3DES*/ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256*/ ++/*#define DROPBEAR_TWOFISH128*/ + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE ++/*#define DROPBEAR_ENABLE_CBC_MODE*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. It is recommended for security +@@ -131,9 +131,9 @@ If you test it please contact the Dropbe + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC +-#define DROPBEAR_SHA2_256_HMAC +-#define DROPBEAR_SHA2_512_HMAC ++/*#define DROPBEAR_SHA1_96_HMAC*/ ++/*#define DROPBEAR_SHA2_256_HMAC*/ ++/*#define DROPBEAR_SHA2_512_HMAC*/ + #define DROPBEAR_MD5_HMAC + + /* You can also disable integrity. Don't bother disabling this if you're +@@ -146,7 +146,7 @@ If you test it please contact the Dropbe + * Removing either of these won't save very much space. + * SSH2 RFC Draft requires dss, recommends rsa */ + #define DROPBEAR_RSA +-#define DROPBEAR_DSS ++/*#define DROPBEAR_DSS*/ + /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC + * code (either ECDSA or ECDH) increases binary size - around 30kB + * on x86-64 */ +@@ -189,7 +189,7 @@ If you test it please contact the Dropbe + + /* Whether to print the message of the day (MOTD). This doesn't add much code + * size */ +-#define DO_MOTD ++/*#define DO_MOTD*/ + + /* The MOTD file path */ + #ifndef MOTD_FILENAME +@@ -231,7 +231,7 @@ Homedir is prepended unless path begins + * note that it will be provided for all "hidden" client-interactive + * style prompts - if you want something more sophisticated, use + * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ +-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" ++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ + + /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of + * a helper program for the ssh client. The helper program should be diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch new file mode 100644 index 0000000..edb2909 --- /dev/null +++ b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch @@ -0,0 +1,21 @@ +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv) + debug_trace = 1; + break; + #endif ++ case 'o': ++ next = &dummy; ++ case 'x': ++ break; + case 'F': + case 'e': + #ifndef ENABLE_USER_ALGO_LIST +@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv) + print_version(); + exit(EXIT_SUCCESS); + break; +- case 'o': + case 'b': + next = &dummy; + default: diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch new file mode 100644 index 0000000..667d69c --- /dev/null +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -0,0 +1,15 @@ +--- a/dbutil.h ++++ b/dbutil.h +@@ -88,7 +88,11 @@ int m_str_to_uint(const char* str, unsig + #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} + + /* Dropbear assertion */ +-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) ++#ifndef DROPBEAR_ASSERT_ENABLED ++#define DROPBEAR_ASSERT_ENABLED 0 ++#endif ++ ++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) + + /* Returns 0 if a and b have the same contents */ + int constant_time_memcmp(const void* a, const void *b, size_t n); diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch new file mode 100644 index 0000000..ccc2cb7 --- /dev/null +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch @@ -0,0 +1,14 @@ +--- a/options.h ++++ b/options.h +@@ -5,6 +5,11 @@ + #ifndef DROPBEAR_OPTIONS_H_ + #define DROPBEAR_OPTIONS_H_ + ++#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER) ++#define DROPBEAR_SERVER ++#define DROPBEAR_CLIENT ++#endif ++ + /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" + * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ + diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch new file mode 100644 index 0000000..f6880ef --- /dev/null +++ b/package/network/services/dropbear/patches/500-set-default-path.patch @@ -0,0 +1,11 @@ +--- a/options.h ++++ b/options.h +@@ -341,7 +341,7 @@ be overridden at runtime with -I. 0 disa + #define DEFAULT_IDLE_TIMEOUT 0 + + /* The default path. This will often get replaced by the shell */ +-#define DEFAULT_PATH "/usr/bin:/bin" ++#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin" + + /* Some other defines (that mostly should be left alone) are defined + * in sysoptions.h */ diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch new file mode 100644 index 0000000..7c67b08 --- /dev/null +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -0,0 +1,11 @@ +--- a/svr-auth.c ++++ b/svr-auth.c +@@ -149,7 +149,7 @@ void recv_msg_userauth_request() { + AUTH_METHOD_NONE_LEN) == 0) { + TRACE(("recv_msg_userauth_request: 'none' request")) + if (valid_user +- && svr_opts.allowblankpass ++ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root")) + && !svr_opts.noauthpass + && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) + && ses.authstate.pw_passwd[0] == '\0') diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch new file mode 100644 index 0000000..ee6d273 --- /dev/null +++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch @@ -0,0 +1,18 @@ +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -475,6 +475,7 @@ void load_all_hostkeys() { + m_free(hostkey_file); + } + ++ if (svr_opts.num_hostkey_files <= 0) { + #ifdef DROPBEAR_RSA + loadhostkey(RSA_PRIV_FILENAME, 0); + #endif +@@ -486,6 +487,7 @@ void load_all_hostkeys() { + #ifdef DROPBEAR_ECDSA + loadhostkey(ECDSA_PRIV_FILENAME, 0); + #endif ++ } + + #ifdef DROPBEAR_DELAY_HOSTKEY + if (svr_opts.delay_hostkey) { |