aboutsummaryrefslogtreecommitdiffstats
path: root/package
diff options
context:
space:
mode:
authorSteven Barth <cyrus@openwrt.org>2015-09-07 19:29:25 +0000
committerSteven Barth <cyrus@openwrt.org>2015-09-07 19:29:25 +0000
commitd196b1fc2eddf7cbab4351452b6fc9b41f15b142 (patch)
treeff881e04c6d2fbcd087a4b16ce3168099e59af04 /package
parentb850e1e59f5fff02e5719b6b196309f00d600304 (diff)
downloadupstream-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.tar.gz
upstream-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.tar.bz2
upstream-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.zip
Disable telnet in favor of passwordless SSH
This enables passworldless login for root via SSH whenever no root password is set (e.g. after reset, flashing without keeping config or in failsafe) and removes telnet support alltogether. Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46809
Diffstat (limited to 'package')
-rwxr-xr-xpackage/base-files/files/bin/login.sh3
-rw-r--r--package/base-files/files/lib/preinit/99_10_failsafe_login5
-rw-r--r--package/network/services/dropbear/Makefile2
-rw-r--r--package/network/services/dropbear/patches/120-openwrt_options.patch11
-rw-r--r--package/network/services/dropbear/patches/600-allow-blank-root-password.patch11
-rw-r--r--package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch18
-rw-r--r--package/utils/busybox/Config-defaults.in8
-rw-r--r--package/utils/busybox/Makefile1
-rwxr-xr-xpackage/utils/busybox/files/telnet38
9 files changed, 49 insertions, 48 deletions
diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh
index 25627b66b2..754d290857 100755
--- a/package/base-files/files/bin/login.sh
+++ b/package/base-files/files/bin/login.sh
@@ -10,8 +10,7 @@ then
else
cat << EOF
=== IMPORTANT ============================
- Use 'passwd' to set your login password
- this will disable telnet and enable SSH
+ Use 'passwd' to set your login password!
------------------------------------------
EOF
fi
diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login
index 15dcbd884f..b12e31702a 100644
--- a/package/base-files/files/lib/preinit/99_10_failsafe_login
+++ b/package/base-files/files/lib/preinit/99_10_failsafe_login
@@ -1,9 +1,10 @@
#!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
failsafe_netlogin () {
- telnetd -l /bin/login.sh <> /dev/null 2>&1
+ dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+ dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
}
failsafe_shell() {
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8988e0db12..f140f36dcc 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index f3931b0ccc..805a0964ab 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,6 +18,17 @@
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+
+ /* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644
index 0000000000..7c67b086bb
--- /dev/null
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+ AUTH_METHOD_NONE_LEN) == 0) {
+ TRACE(("recv_msg_userauth_request: 'none' request"))
+ if (valid_user
+- && svr_opts.allowblankpass
++ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ && !svr_opts.noauthpass
+ && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
+ && ses.authstate.pw_passwd[0] == '\0')
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644
index 0000000000..ee6d273344
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+ m_free(hostkey_file);
+ }
+
++ if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+ loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+ loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++ }
+
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ if (svr_opts.delay_hostkey) {
diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
index 7b4cd99a5d..d961bfaaee 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
default n
config BUSYBOX_DEFAULT_TELNET
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
bool
default n
config BUSYBOX_DEFAULT_TELNETD
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
bool
default n
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 9571d48bec..a65f44f8fe 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -110,7 +110,6 @@ define Package/busybox/install
$(INSTALL_DIR) $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/* $(1)/
$(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
- $(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
-rm -rf $(1)/lib64
diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet
deleted file mode 100755
index a1d1cdf9b1..0000000000
--- a/package/utils/busybox/files/telnet
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
- local pwd=$([ -f "$1" ] && cat "$1")
- pwd="${pwd#*root:}"
- pwd="${pwd%%:*}"
-
- test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
- local homedir=$([ -f "$1" ] && cat "$1")
- homedir="${homedir#*:*:0:0:*:}"
-
- echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
- ( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
- ( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
- if ( ! has_ssh_pubkey && \
- ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
- ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
- then
- procd_open_instance
- procd_set_param command "$PROG" -F -l /bin/login.sh
- procd_close_instance
- fi
-}