Mercurial > dropbear
changeset 1921:284c3837891c
Allow user space file locations (rootless support)
Why:
Running dropbear as a user (rootless) is aided if
files and programs can be saved/removed without
needing sudo.
What:
Use the same convention as DROPBEAR_DEFAULT_CLI_AUTHKEY;
if not starting with '/', then is relative to hedge's /home/hedge:
*_PRIV_FILENAME
DROPBEAR_PIDFILE
SFTPSERVER_PATH
default_options.h commentary added.
Changes kept to a minimum, so log entry in svr_kex.c#163
is refactored.
From:
Generated hostkey is <path> ... <finger-print>
to:
Generated hostkey path is <path>
Generated hostkey fingerprint is <fp>
Otherwise the unexpanded path was reported.
Patch modified by Matt Johnston
Signed-off-by: Begley Brothers Inc <[email protected]>
author | Begley Brothers Inc <begleybrothers@gmail.com> |
---|---|
date | Thu, 09 Jul 2020 17:47:58 +1000 |
parents | 1489449eceb1 |
children | 70f05f7d4d11 |
files | CHANGES default_options.h svr-chansession.c svr-kex.c svr-runopts.c |
diffstat | 5 files changed, 42 insertions(+), 19 deletions(-) [+] |
line wrap: on
line diff
--- a/CHANGES Wed Mar 30 12:56:09 2022 +0800 +++ b/CHANGES Thu Jul 09 17:47:58 2020 +1000 @@ -1,3 +1,10 @@ +- The following config paths are now relative to a home directory if + starting with "~". Thanks to Begley Brothers Inc + *_PRIV_FILENAME + DROPBEAR_PIDFILE + SFTPSERVER_PATH + MOTD_FILENAME + 2020.81 - 29 October 2020 - Fix regression in 2020.79 which prevented connecting with some SSH
--- a/default_options.h Wed Mar 30 12:56:09 2022 +0800 +++ b/default_options.h Thu Jul 09 17:47:58 2020 +1000 @@ -18,7 +18,9 @@ /* Listen on all interfaces */ #define DROPBEAR_DEFADDRESS "" -/* Default hostkey paths - these can be specified on the command line */ +/* Default hostkey paths - these can be specified on the command line. + * Homedir is prepended if path begins with ~ + */ #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" @@ -231,9 +233,10 @@ #define DROPBEAR_CLI_PASSWORD_AUTH 1 #define DROPBEAR_CLI_PUBKEY_AUTH 1 -/* A default argument for dbclient -i <privatekey>. -Homedir is prepended unless path begins with / */ -#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" +/* A default argument for dbclient -i <privatekey>. + * Homedir is prepended if path begins with ~ + */ +#define DROPBEAR_DEFAULT_CLI_AUTHKEY "~/.ssh/id_dropbear" /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD * environment variable. */ @@ -275,7 +278,9 @@ #define UNAUTH_CLOSE_DELAY 0 /* The default file to store the daemon's process ID, for shutdown - scripts etc. This can be overridden with the -P flag */ + * scripts etc. This can be overridden with the -P flag. + * Homedir is prepended if path begins with ~ + */ #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" /* The command to invoke for xauth when using X11 forwarding. @@ -283,9 +288,11 @@ #define XAUTH_COMMAND "/usr/bin/xauth -q" -/* if you want to enable running an sftp server (such as the one included with +/* If you want to enable running an sftp server (such as the one included with * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. - * The sftp-server program is not provided by Dropbear itself */ + * The sftp-server program is not provided by Dropbear itself. + * Homedir is prepended if path begins with ~ + */ #define DROPBEAR_SFTPSERVER 1 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
--- a/svr-chansession.c Wed Mar 30 12:56:09 2022 +0800 +++ b/svr-chansession.c Thu Jul 09 17:47:58 2020 +1000 @@ -685,8 +685,10 @@ if (issubsys) { #if DROPBEAR_SFTPSERVER if ((cmdlen == 4) && strncmp(chansess->cmd, "sftp", 4) == 0) { + char *expand_path = expand_homedir_path(SFTPSERVER_PATH); m_free(chansess->cmd); - chansess->cmd = m_strdup(SFTPSERVER_PATH); + chansess->cmd = m_strdup(expand_path); + m_free(expand_path); } else #endif {
--- a/svr-kex.c Wed Mar 30 12:56:09 2022 +0800 +++ b/svr-kex.c Thu Jul 09 17:47:58 2020 +1000 @@ -106,6 +106,7 @@ static void svr_ensure_hostkey() { const char* fn = NULL; + char *expand_fn = NULL; enum signkey_type type = ses.newkeys->algo_hostkey; void **hostkey = signkey_key_ptr(svr_opts.hostkey, type); int ret = DROPBEAR_FAILURE; @@ -142,15 +143,19 @@ dropbear_assert(0); } - if (readhostkey(fn, svr_opts.hostkey, &type) == DROPBEAR_SUCCESS) { - return; + expand_fn = expand_homedir_path(fn); + + ret = readhostkey(expand_fn, svr_opts.hostkey, &type); + if (ret == DROPBEAR_SUCCESS) { + goto out; } - if (signkey_generate(type, 0, fn, 1) == DROPBEAR_FAILURE) { + if (signkey_generate(type, 0, expand_fn, 1) == DROPBEAR_FAILURE) { goto out; } - ret = readhostkey(fn, svr_opts.hostkey, &type); + /* Read what we just generated (or another process raced us) */ + ret = readhostkey(expand_fn, svr_opts.hostkey, &type); if (ret == DROPBEAR_SUCCESS) { char *fp = NULL; @@ -161,16 +166,16 @@ len = key_buf->len - key_buf->pos; fp = sign_key_fingerprint(buf_getptr(key_buf, len), len); dropbear_log(LOG_INFO, "Generated hostkey %s, fingerprint is %s", - fn, fp); + expand_fn, fp); m_free(fp); buf_free(key_buf); } out: - if (ret == DROPBEAR_FAILURE) - { - dropbear_exit("Couldn't read or generate hostkey %s", fn); + if (ret == DROPBEAR_FAILURE) { + dropbear_exit("Couldn't read or generate hostkey %s", expand_fn); } + m_free(expand_fn); } #endif
--- a/svr-runopts.c Wed Mar 30 12:56:09 2022 +0800 +++ b/svr-runopts.c Thu Jul 09 17:47:58 2020 +1000 @@ -163,7 +163,7 @@ svr_opts.portcount = 0; svr_opts.hostkey = NULL; svr_opts.delay_hostkey = 0; - svr_opts.pidfile = DROPBEAR_PIDFILE; + svr_opts.pidfile = expand_homedir_path(DROPBEAR_PIDFILE); #if DROPBEAR_SVR_LOCALTCPFWD svr_opts.nolocaltcp = 0; #endif @@ -530,12 +530,14 @@ /* Must be called after syslog/etc is working */ static void loadhostkey(const char *keyfile, int fatal_duplicate) { sign_key * read_key = new_sign_key(); + char *expand_path = expand_homedir_path(keyfile); enum signkey_type type = DROPBEAR_SIGNKEY_ANY; - if (readhostkey(keyfile, read_key, &type) == DROPBEAR_FAILURE) { + if (readhostkey(expand_path, read_key, &type) == DROPBEAR_FAILURE) { if (!svr_opts.delay_hostkey) { - dropbear_log(LOG_WARNING, "Failed loading %s", keyfile); + dropbear_log(LOG_WARNING, "Failed loading %s", expand_path); } } + m_free(expand_path); #if DROPBEAR_RSA if (type == DROPBEAR_SIGNKEY_RSA) {