# HG changeset patch
# User Matt Johnston
# Date 1369564937 -28800
# Node ID 0e17269254b6908f7d5643a5cf497d3e32a8aedb
# Parent d7784616409a427f3bc6eb9e0d3f8b942404fe5b
# Parent 7bd88d546627ff31d0e2d91e6022b3e77a943efb
merge
diff -r d7784616409a -r 0e17269254b6 .hgsigs
--- a/.hgsigs Sun May 26 18:39:24 2013 +0800
+++ b/.hgsigs Sun May 26 18:42:17 2013 +0800
@@ -3,3 +3,4 @@
 85f835f2fe0ac2c503c50a414de127222fb0a57c 0 iD8DBQBPRkMUjPn4sExkf7wRAvM4AJ9mw2OAkyjhSbamM1MizlEJUX18HACgoFKQkYf6BnYxN34Nv2HhM0cmzUc=
 9b80981212fe6c01b7c16b3ca7c4e66af56f12f1 0 iEYEABECAAYFAlFLKKcACgkQjPn4sExkf7xK7wCfcioCmJPsysSbQO6+4qZMVe0mmLwAn2/o+wRf4MrUXlohrr7aXEF9vdSB
 095b46180bbc412b029420587736a6185afc17e1 0 iEYEABECAAYFAlFsCnkACgkQjPn4sExkf7xLrwCfeMWjUaSmfU/fvseT5TdrYRqBEVQAoLz5SFLEA40C5f8zE8Ma/vgVJVIC
+f168962bab857ca030829e4cd73d9b32c868c874 0 iEYEABECAAYFAlFwDNwACgkQjPn4sExkf7wJ6QCePVovn/avKXUyNwNBYCcov6JLYqkAnRCPQdkXgv20N3t10r6PRMBBo1/S
diff -r d7784616409a -r 0e17269254b6 .hgtags
--- a/.hgtags Sun May 26 18:39:24 2013 +0800
+++ b/.hgtags Sun May 26 18:42:17 2013 +0800
@@ -37,3 +37,4 @@
 0000000000000000000000000000000000000000 t:ltc-0.95-db-merge1
 1b8b2b9d6e94bc3cc5e61b620476ea36cc466e1b DROPBEAR_2013.56
 96b8bcb88017815040949a417caa55686271e8a9 DROPBEAR_2013.57
+e76614145aea67f66e4a4257685c771efba21aa1 DROPBEAR_2013.58
diff -r d7784616409a -r 0e17269254b6 CHANGES
--- a/CHANGES Sun May 26 18:39:24 2013 +0800
+++ b/CHANGES Sun May 26 18:42:17 2013 +0800
@@ -1,3 +1,14 @@
+2013.58 - Thursday 18 April 2013
+
+- Fix building with Zlib disabled, thanks to Hans Harder and cuma@freetz
+
+- Use % as a separator for ports, fixes scp in multihop mode, from Hans Harder
+
+- Reject logins for other users when running as non-root, from Hans Harder
+
+- Disable client immediate authentication request by default, it prevents
+ passwordless logins from working
+
 2013.57 - Monday 15 April 2013
 - Decreased connection setup time particularly with high latency connections,
@@ -20,7 +31,7 @@
 ~^Z (background session)
 - Server will more reliably clean up utmp when connection is closed, reported by
- Mattias Walström
+ Mattias Walström
 - Don't crash if /dev/urandom isn't writable (RHEL5), thanks to Scott Case
@@ -60,10 +71,10 @@
 - Allow using IPv6 bracket notation for addresses in server "-p" option, from Ben Jencks
-- A few improvements for Android from Reimar Döffinger
+- A few improvements for Android from Reimar Döffinger
 - Fix memory leak for TCP forwarded connections to hosts that timed out,
- reported by Norbert Benczúr. Appears to be a very long-standing bug.
+ reported by Norbert Benczúr. Appears to be a very long-standing bug.
 - Fix "make clean" for out of tree builds
@@ -689,7 +700,7 @@
 Lobenstock and Mihnea Stoenescu
 - Use daemon() function if available (or our own copy) rather than separate
- code (thanks to Frédéric Lavernhe for the report and debugging, and Bernard
+ code (thanks to Frédéric Lavernhe for the report and debugging, and Bernard
 Blackham for his suggestion on what to look at)
 - Fixed up support for first_kex_packet_follows, required to talk to ssh.com
@@ -808,7 +819,7 @@
 - Various signedness fixes
 - Can listen on multiple ports
 - added option to disable openpty with configure script,
- (from K.-P. Kirchdörfer )
+ (from K.-P. Kirchdörfer )
 - Various cleanups to bignum code (thanks to Tom St Denis )
 - Fix compile error when disabling RSA
diff -r d7784616409a -r 0e17269254b6 cli-runopts.c
--- a/cli-runopts.c Sun May 26 18:39:24 2013 +0800
+++ b/cli-runopts.c Sun May 26 18:42:17 2013 +0800
@@ -610,7 +610,11 @@
 cli_opts.username = m_strdup(cli_opts.own_user);
 }
- port = strchr(cli_opts.remotehost, '/');
+ port = strchr(cli_opts.remotehost, '%');
+ if (!port) {
+ // legacy separator
+ port = strchr(cli_opts.remotehost, '/');
+ }
 if (port) {
 *port = '\0';
 cli_opts.remoteport = port+1;
diff -r d7784616409a -r 0e17269254b6 dbclient.1
--- a/dbclient.1 Sun May 26 18:39:24 2013 +0800
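Review bot: The new scan in `port = strchr(cli_opts.remotehost, '%');` also matches the zone-id separator of a scoped IPv6 literal (constructed example: `fe80::1%eth0`), so if remotehost can carry a bare IPv6 address at this point the interface name would be taken as the port; either skip '%' inside a bracketed address or document scoped literals as unsupported with the new syntax. Neither branch checks that anything follows the separator, so a trailing '%' or '/' leaves `cli_opts.remoteport` pointing at an empty string; unless that is rejected later in the function, which starts and ends outside the hunk, a guard like `if (port && port[1] == '\0') { /* reject: empty port after separator */ }` belongs here. The added `// legacy separator` comment breaks with the `/* */` style used elsewhere in this commit and says nothing about why the separator changed; `/* '/' is the pre-2013.58 separator, kept for compatibility; '%' was adopted because scp treats '/' as a path */` records the reason. The dbclient.1 hunk in the same commit calls the new separator a "hash" although it is a percent sign.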
+++ b/dbclient.1 Sun May 26 18:42:17 2013 +0800
@@ -15,7 +15,7 @@
 .B dbclient
 [
 .I args
 ]
-.I [user1]@host1[/port1],[user2]@host2[/port2],...
+.I [user1]@host1[%port1],[user2]@host2[%port2],...
 .SH DESCRIPTION
 .B dbclient
@@ -24,10 +24,9 @@
 .SH OPTIONS
 .TP
 .B \-p \fIport
-Remote port.
-Connect to port
+Connect to
 .I port
-on the remote host.
+on the remote host. Alternatively a port can be specified as hostname%port.
 Default is 22.
 .TP
 .B \-i \fIidfile
@@ -127,7 +126,7 @@
 this case a connection will be made to the first host, then a TCP forwarded connection will be made through that to the second host, and so on. Hosts other than the final destination will not see anything other than the encrypted SSH stream.
-A port for a host can be specified with a slash (eg matt@martello/44 ).
+A port for a host can be specified with a hash (eg matt@martello%44 ).
 This syntax can also be used with scp or rsync (specifying dbclient as the ssh/rsh command). A file can be "bounced" through multiple SSH hops, eg
diff -r d7784616409a -r 0e17269254b6 debian/changelog
--- a/debian/changelog Sun May 26 18:39:24 2013 +0800
+++ b/debian/changelog Sun May 26 18:42:17 2013 +0800
@@ -1,3 +1,9 @@
+dropbear (2013.58-0.1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Matt Johnston Thu, 18 Apr 2013 22:54:00 +0800
+
 dropbear (2013.57-0.1) unstable; urgency=low
 * New upstream release.
diff -r d7784616409a -r 0e17269254b6 options.h
--- a/options.h Sun May 26 18:39:24 2013 +0800
+++ b/options.h Sun May 26 18:42:17 2013 +0800
@@ -204,6 +204,13 @@
 * return the password on standard output */
 /*#define ENABLE_CLI_ASKPASS_HELPER*/
+/* Send a real auth request first rather than requesting a list of available methods.
+ * It saves a network round trip at login but prevents immediate login to
+ * accounts with no password, and might be rejected by some strict servers (none
+ * encountered yet) - hence it isn't enabled by default. */
+/* #define CLI_IMMEDIATE_AUTH */
+
+
 /* Source for randomness. This must be able to provide hundreds of bytes per SSH
 * connection without blocking. In addition /dev/random is used for seeding
 * rsa/dss key generation */
diff -r d7784616409a -r 0e17269254b6 svr-authpasswd.c
--- a/svr-authpasswd.c Sun May 26 18:39:24 2013 +0800
+++ b/svr-authpasswd.c Sun May 26 18:42:17 2013 +0800
@@ -66,6 +66,14 @@
 m_burn(password, passwordlen);
 m_free(password);
+ if (testcrypt == NULL) {
+ /* crypt() with an invalid salt like "!!" */
+ dropbear_log(LOG_WARNING, "User account '%s' is locked",
+ ses.authstate.pw_name);
+ send_msg_userauth_failure(0, 1);
+ return;
+ }
+
 /* check for empty password */
 if (passwdcrypt[0] == '\0') {
 dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
diff -r d7784616409a -r 0e17269254b6 sysoptions.h
--- a/sysoptions.h Sun May 26 18:39:24 2013 +0800
+++ b/sysoptions.h Sun May 26 18:42:17 2013 +0800
@@ -4,7 +4,7 @@
 *******************************************************************/
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2013.57"
+#define DROPBEAR_VERSION "2013.58"
 #endif
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@@ -198,9 +198,6 @@
 #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
 #endif
-/* Send an auth request straight away rather than trying "none" type to get a list */
-#define CLI_IMMEDIATE_AUTH
-
 /* Changing this is inadvisable, it appears to have problems
 * with flushing compressed data */
 #define DROPBEAR_ZLIB_MEM_LEVEL 8
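Review bot: The new `testcrypt == NULL` branch in svr-authpasswd.c logs "User account '%s' is locked" as though a locked account were the only cause, but crypt(3) also returns NULL when the stored hash has a malformed or unsupported setting (errno EINVAL) or the hash algorithm is unavailable on that build, so the message can send an operator reading the auth log down the wrong path. Logging the cause instead, `dropbear_log(LOG_WARNING, "crypt() failed for user '%s': %s", ses.authstate.pw_name, strerror(errno));`, keeps both cases visible; errno would have to be saved immediately after the crypt() call, which sits above this hunk, because `m_burn`/`m_free` run in between and may overwrite it. Rejecting here before the stored hash is ever compared is the right order, since it is the NULL that the later comparison would otherwise dereference. The `/* crypt() with an invalid salt like "!!" */` comment would read better as `/* crypt() returned NULL: the stored hash is not a usable setting, e.g. a locked account ("!!") or an unsupported hash */`; the enclosing function starts and ends outside the hunk.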