# HG changeset patch
# User Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
# Date 1629387434 -7200
# Node ID df8d8ec1801cd1864dbec2e55d72f15e2c4f732e
# Parent e9854650d45b144306e6323607287a5ff2c48cbc
added option to disable trivial auth methods (#128)
* added option to disable trivial auth methods
* rename argument to match with other ssh clients
* fixed trivial auth detection for pubkeys
diff -r e9854650d45b -r df8d8ec1801c cli-auth.c
--- a/cli-auth.c Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-auth.c Thu Aug 19 17:37:14 2021 +0200
@@ -261,6 +261,9 @@
 if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
 TRACE(("received msg_userauth_success"))
+ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
+ dropbear_exit("trivial authentication not allowed");
+ }
 /* Note: in delayed-zlib mode, setting authdone here
 * will enable compression in the transport layer */
 ses.authstate.authdone = 1;
diff -r e9854650d45b -r df8d8ec1801c cli-authinteract.c
--- a/cli-authinteract.c Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-authinteract.c Thu Aug 19 17:37:14 2021 +0200
@@ -114,6 +114,7 @@
 m_free(instruction);
 for (i = 0; i < num_prompts; i++) {
+ cli_ses.is_trivial_auth = 0;
 unsigned int response_len = 0;
 prompt = buf_getstring(ses.payload, NULL);
 cleantext(prompt);
diff -r e9854650d45b -r df8d8ec1801c cli-authpasswd.c
--- a/cli-authpasswd.c Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-authpasswd.c Thu Aug 19 17:37:14 2021 +0200
@@ -155,7 +155,7 @@
 encrypt_packet();
 m_burn(password, strlen(password));
-
+ cli_ses.is_trivial_auth = 0;
 TRACE(("leave cli_auth_password"))
 }
 #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
diff -r e9854650d45b -r df8d8ec1801c cli-authpubkey.c
--- a/cli-authpubkey.c Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-authpubkey.c Thu Aug 19 17:37:14 2021 +0200
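Review bot: The guard inserted before `ses.authstate.authdone = 1;` says nothing about what makes an authentication "trivial", and the patch spreads that contract over cli-session.c, cli-authpasswd.c, cli-authinteract.c and cli-authpubkey.c, so a reader of this handler cannot tell when `cli_ses.is_trivial_auth` is still set. A comment above the check would carry the contract: `/* is_trivial_auth starts set and is cleared once a password, a signed pubkey request or a keyboard-interactive prompt has been handled; a msg_userauth_success before that means the server accepted us without a real credential, so refuse it when DisableTrivialAuth is on. */`. Naming the option in the exit message, `dropbear_exit("trivial authentication not allowed (DisableTrivialAuth)");`, would also tell the user which setting ended the session. The enclosing function begins and ends outside the hunk.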
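Review bot: `cli_ses.is_trivial_auth = 0;` is cleared here while the prompts are still being read from the incoming payload (`buf_getstring(ses.payload, NULL)`), whereas cli-authpasswd.c and cli-authpubkey.c clear the flag only after the credential has been put into the outgoing packet. If this function sends the responses further down (its end is outside the hunk), a success message arriving between the info request and the reply would pass the new check in cli-auth.c without the client having sent anything, so the clear belongs next to the point where the responses are written, or at least needs a comment stating why it is done on receipt and why it sits inside the loop (a request with zero prompts leaves the flag set). The added statement also precedes the declaration `unsigned int response_len = 0;`; placing it after the declaration keeps the block's declarations first, as in the surrounding code. The enclosing function begins outside the hunk.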
@@ -176,6 +176,7 @@
 buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
 cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
 buf_free(sigbuf); /* Nothing confidential in the buffer */
+ cli_ses.is_trivial_auth = 0;
 }
 encrypt_packet();
diff -r e9854650d45b -r df8d8ec1801c cli-runopts.c
--- a/cli-runopts.c Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-runopts.c Thu Aug 19 17:37:14 2021 +0200
@@ -152,6 +152,7 @@
 #if DROPBEAR_CLI_ANYTCPFWD
 cli_opts.exit_on_fwd_failure = 0;
 #endif
+ cli_opts.disable_trivial_auth = 0;
 #if DROPBEAR_CLI_LOCALTCPFWD
 cli_opts.localfwds = list_new();
 opts.listen_fwd_all = 0;
@@ -889,6 +890,7 @@
 #if DROPBEAR_CLI_ANYTCPFWD
 "\tExitOnForwardFailure\n"
 #endif
+ "\tDisableTrivialAuth\n"
 #ifndef DISABLE_SYSLOG
 "\tUseSyslog\n"
 #endif
@@ -916,5 +918,10 @@
 return;
 }
+ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
+ return;
+ }
+
 dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
 }
diff -r e9854650d45b -r df8d8ec1801c cli-session.c
--- a/cli-session.c Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-session.c Thu Aug 19 17:37:14 2021 +0200
@@ -165,6 +165,7 @@
 /* Auth */
 cli_ses.lastprivkey = NULL;
 cli_ses.lastauthtype = 0;
+ cli_ses.is_trivial_auth = 1;
 /* For printing "remote host closed" for the user */
 ses.remoteclosed = cli_remoteclosed;
diff -r e9854650d45b -r df8d8ec1801c runopts.h
--- a/runopts.h Thu Aug 19 23:17:34 2021 +0800
+++ b/runopts.h Thu Aug 19 17:37:14 2021 +0200
@@ -161,6 +161,7 @@
 #if DROPBEAR_CLI_ANYTCPFWD
 int exit_on_fwd_failure;
 #endif
+ int disable_trivial_auth;
 #if DROPBEAR_CLI_REMOTETCPFWD
 m_list * remotefwds;
 #endif
diff -r e9854650d45b -r df8d8ec1801c session.h
--- a/session.h Thu Aug 19 23:17:34 2021 +0800
+++ b/session.h Thu Aug 19 17:37:14 2021 +0200
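Review bot: The clear of `cli_ses.is_trivial_auth` is placed inside the branch that signs the request (right after `cli_buf_put_sign`), so an unsigned key query presumably takes the other path and leaves the flag set; that looks like the intended place, but nothing says so, and the commit message's "fixed trivial auth detection for pubkeys" suggests it was easy to get wrong. Add `/* Only a signed request is real authentication; the unsigned key query must leave is_trivial_auth set */` above the assignment so the next edit does not move it out of the branch. The enclosing `if` and function begin outside the hunk.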
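Review bot: In the `@@ -916,5 +918,10 @@` hunk the new `DisableTrivialAuth` option is matched with `match_extendedopt` and listed in the help text of the previous hunk, but nothing in the patch tells a user what it refuses or that it is off by default (`cli_opts.disable_trivial_auth = 0;` in the `@@ -152` hunk). A one-line comment on the match, `/* DisableTrivialAuth: exit if the server reports success before we have sent a real credential */`, plus a man-page entry (not part of this patch) would close that gap. The enclosing function begins outside the hunk.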
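Review bot: `cli_ses.is_trivial_auth = 1;` initialises the new flag to "trivial" with no comment, and the declarations the patch adds in runopts.h (`int disable_trivial_auth;`) and session.h (`int is_trivial_auth;`) carry none either, although the neighbouring `lastauthtype` field is commented. The default-set, cleared-on-credential design is what makes the check in cli-auth.c safe to rely on, so it should be stated where the field lives: `int is_trivial_auth; /* set until a password, a signed pubkey request or a keyboard-interactive prompt has been handled */` in session.h and `int disable_trivial_auth; /* DisableTrivialAuth: refuse a success reply while is_trivial_auth is set */` in runopts.h. The enclosing function begins outside the hunk.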
@@ -316,6 +316,7 @@
 int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, for the last type of auth we tried */
+ int is_trivial_auth;
 int ignore_next_auth_response;
 #if DROPBEAR_CLI_INTERACT_AUTH
 int auth_interact_failed; /* flag whether interactive auth can still