diff options
9 files changed, 49 insertions, 48 deletions
diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh index 25627b66b2..754d290857 100755 --- a/package/base-files/files/bin/login.sh +++ b/package/base-files/files/bin/login.sh @@ -10,8 +10,7 @@ then else cat << EOF === IMPORTANT ============================ - Use 'passwd' to set your login password - this will disable telnet and enable SSH + Use 'passwd' to set your login password! ------------------------------------------ EOF fi diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login index 15dcbd884f..b12e31702a 100644 --- a/package/base-files/files/lib/preinit/99_10_failsafe_login +++ b/package/base-files/files/lib/preinit/99_10_failsafe_login @@ -1,9 +1,10 @@ #!/bin/sh -# Copyright (C) 2006 OpenWrt.org +# Copyright (C) 2006-2015 OpenWrt.org # Copyright (C) 2010 Vertical Communications failsafe_netlogin () { - telnetd -l /bin/login.sh <> /dev/null 2>&1 + dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 } failsafe_shell() { diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 8988e0db12..f140f36dcc 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear PKG_VERSION:=2015.68 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch index f3931b0ccc..805a0964ab 100644 --- a/package/network/services/dropbear/patches/120-openwrt_options.patch +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch @@ -18,6 +18,17 @@ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ #define ENABLE_USER_ALGO_LIST +@@ -95,8 +95,8 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256*/ ++/*#define DROPBEAR_TWOFISH128*/ + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ @@ -131,9 +131,9 @@ If you test it please contact the Dropbe * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * which are not the standard form. */ diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch new file mode 100644 index 0000000000..7c67b086bb --- /dev/null +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -0,0 +1,11 @@ +--- a/svr-auth.c ++++ b/svr-auth.c +@@ -149,7 +149,7 @@ void recv_msg_userauth_request() { + AUTH_METHOD_NONE_LEN) == 0) { + TRACE(("recv_msg_userauth_request: 'none' request")) + if (valid_user +- && svr_opts.allowblankpass ++ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root")) + && !svr_opts.noauthpass + && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) + && ses.authstate.pw_passwd[0] == '\0') diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch new file mode 100644 index 0000000000..ee6d273344 --- /dev/null +++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch @@ -0,0 +1,18 @@ +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -475,6 +475,7 @@ void load_all_hostkeys() { + m_free(hostkey_file); + } + ++ if (svr_opts.num_hostkey_files <= 0) { + #ifdef DROPBEAR_RSA + loadhostkey(RSA_PRIV_FILENAME, 0); + #endif +@@ -486,6 +487,7 @@ void load_all_hostkeys() { + #ifdef DROPBEAR_ECDSA + loadhostkey(ECDSA_PRIV_FILENAME, 0); + #endif ++ } + + #ifdef DROPBEAR_DELAY_HOSTKEY + if (svr_opts.delay_hostkey) { diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in index 7b4cd99a5d..d961bfaaee 100644 --- a/package/utils/busybox/Config-defaults.in +++ b/package/utils/busybox/Config-defaults.in @@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD default n config BUSYBOX_DEFAULT_TELNET bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN bool default n config BUSYBOX_DEFAULT_TELNETD bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT bool default n diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile index 9571d48bec..a65f44f8fe 100644 --- a/package/utils/busybox/Makefile +++ b/package/utils/busybox/Makefile @@ -110,7 +110,6 @@ define Package/busybox/install $(INSTALL_DIR) $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/* $(1)/ $(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron - $(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug -rm -rf $(1)/lib64 diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet deleted file mode 100755 index a1d1cdf9b1..0000000000 --- a/package/utils/busybox/files/telnet +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2006-2011 OpenWrt.org - -START=50 - -USE_PROCD=1 -PROG=/usr/sbin/telnetd - -has_root_pwd() { - local pwd=$([ -f "$1" ] && cat "$1") - pwd="${pwd#*root:}" - pwd="${pwd%%:*}" - - test -n "${pwd#[\!x]}" -} - -get_root_home() { - local homedir=$([ -f "$1" ] && cat "$1") - homedir="${homedir#*:*:0:0:*:}" - - echo "${homedir%%:*}" -} - -has_ssh_pubkey() { - ( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \ - ( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys ) -} - -start_service() { - if ( ! has_ssh_pubkey && \ - ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \ - ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null ); - then - procd_open_instance - procd_set_param command "$PROG" -F -l /bin/login.sh - procd_close_instance - fi -} |