70 lines
2.5 KiB
Diff
70 lines
2.5 KiB
Diff
From: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
Date: Tue, 27 Sep 2016 03:55:55 +0200
|
|
Subject: dropbear: add a failsafe mode that will always allow password-less root login
|
|
|
|
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
diff --git a/package/network/services/dropbear/patches/700-failsafe-mode.patch b/package/network/services/dropbear/patches/700-failsafe-mode.patch
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..c6e45423e2dba1258549a5bfe4b5a59ac32d73d8
|
|
--- /dev/null
|
|
+++ b/package/network/services/dropbear/patches/700-failsafe-mode.patch
|
|
@@ -0,0 +1,57 @@
|
|
+--- a/runopts.h
|
|
++++ b/runopts.h
|
|
+@@ -97,6 +97,8 @@ typedef struct svr_runopts {
|
|
+ int norootpass;
|
|
+ int allowblankpass;
|
|
+
|
|
++ int failsafe_mode;
|
|
++
|
|
+ #ifdef ENABLE_SVR_REMOTETCPFWD
|
|
+ int noremotetcp;
|
|
+ #endif
|
|
+--- a/svr-auth.c
|
|
++++ b/svr-auth.c
|
|
+@@ -149,10 +149,11 @@ void recv_msg_userauth_request() {
|
|
+ AUTH_METHOD_NONE_LEN) == 0) {
|
|
+ TRACE(("recv_msg_userauth_request: 'none' request"))
|
|
+ if (valid_user
|
|
+- && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
|
|
+- && !svr_opts.noauthpass
|
|
+- && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
|
|
+- && ses.authstate.pw_passwd[0] == '\0')
|
|
++ && ((svr_opts.failsafe_mode && !strcmp(ses.authstate.pw_name, "root"))
|
|
++ || ((svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
|
|
++ && !svr_opts.noauthpass
|
|
++ && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
|
|
++ && ses.authstate.pw_passwd[0] == '\0')))
|
|
+ {
|
|
+ dropbear_log(LOG_NOTICE,
|
|
+ "Auth succeeded with blank password for '%s' from %s",
|
|
+--- a/svr-runopts.c
|
|
++++ b/svr-runopts.c
|
|
+@@ -72,6 +72,7 @@ static void printhelp(const char * progn
|
|
+ "-s Disable password logins\n"
|
|
+ "-g Disable password logins for root\n"
|
|
+ "-B Allow blank password logins\n"
|
|
++ "-f Failsafe mode: always allow password-less root login\n"
|
|
+ #endif
|
|
+ #ifdef ENABLE_SVR_LOCALTCPFWD
|
|
+ "-j Disable local port forwarding\n"
|
|
+@@ -130,6 +131,7 @@ void svr_getopts(int argc, char ** argv)
|
|
+ svr_opts.noauthpass = 0;
|
|
+ svr_opts.norootpass = 0;
|
|
+ svr_opts.allowblankpass = 0;
|
|
++ svr_opts.failsafe_mode = 0;
|
|
+ svr_opts.inetdmode = 0;
|
|
+ svr_opts.portcount = 0;
|
|
+ svr_opts.hostkey = NULL;
|
|
+@@ -244,6 +246,9 @@ void svr_getopts(int argc, char ** argv)
|
|
+ case 'B':
|
|
+ svr_opts.allowblankpass = 1;
|
|
+ break;
|
|
++ case 'f':
|
|
++ svr_opts.failsafe_mode = 1;
|
|
++ break;
|
|
+ #endif
|
|
+ case 'h':
|
|
+ printhelp(argv[0]);
|