changeset 1821:df8d8ec1801c

added option to disable trivial auth methods (#128) * added option to disable trivial auth methods * rename argument to match with other ssh clients * fixed trivial auth detection for pubkeys
author Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
date Thu, 19 Aug 2021 17:37:14 +0200
parents e9854650d45b
children fa6ff07dcc77
files cli-auth.c cli-authinteract.c cli-authpasswd.c cli-authpubkey.c cli-runopts.c cli-session.c runopts.h session.h
diffstat 8 files changed, 16 insertions(+), 1 deletions(-) [+]
--- a/cli-auth.c	Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-auth.c	Thu Aug 19 17:37:14 2021 +0200
@@ -261,6 +261,9 @@
 	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
 
 	TRACE(("received msg_userauth_success"))
+	if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
+		dropbear_exit("trivial authentication not allowed");
+	}
 	/* Note: in delayed-zlib mode, setting authdone here 
 	 * will enable compression in the transport layer */
 	ses.authstate.authdone = 1;
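Review bot: The new check on `cli_ses.is_trivial_auth` relies on a flag that is only ever cleared, never set back, so it records "a real credential was sent at some point" rather than "the request the server just accepted was non-trivial". A misbehaving server that answers a password or signed-pubkey attempt with USERAUTH_FAILURE and then accepts a later unsigned pubkey query (or the initial "none" request) still passes this guard. If the intent is to gate the accepted method, resetting the flag when a failure arrives, `cli_ses.is_trivial_auth = 1;` in the userauth_failure handler, would make it track the outstanding attempt; that handler is outside this hunk, as is the start of this function. Exiting before `authdone = 1` is the right ordering, since nothing past this point should run on a rejected success.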
--- a/cli-authinteract.c	Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-authinteract.c	Thu Aug 19 17:37:14 2021 +0200
@@ -114,6 +114,7 @@
 	m_free(instruction);
 
 	for (i = 0; i < num_prompts; i++) {
+		cli_ses.is_trivial_auth = 0;
 		unsigned int response_len = 0;
 		prompt = buf_getstring(ses.payload, NULL);
 		cleantext(prompt);
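Review bot: The assignment `cli_ses.is_trivial_auth = 0;` is inserted ahead of the declaration `unsigned int response_len = 0;`, which turns the loop body into a mixed statement/declaration sequence; the rest of the file keeps declarations first, so placing the clear after the declaration (or after the prompt is actually answered, later in this loop body) keeps the style consistent. Clearing it on every iteration is harmless but redundant; a single clear is enough, and a short comment such as `/* a prompt was presented, so this exchange is no longer trivial */` would explain why a zero-prompt round deliberately leaves the flag set. The loop body and the enclosing function continue beyond this hunk.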
--- a/cli-authpasswd.c	Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-authpasswd.c	Thu Aug 19 17:37:14 2021 +0200
@@ -155,7 +155,7 @@
 
 	encrypt_packet();
 	m_burn(password, strlen(password));
-
+	cli_ses.is_trivial_auth = 0;
 	TRACE(("leave cli_auth_password"))
 }
 #endif	/* DROPBEAR_CLI_PASSWORD_AUTH */
--- a/cli-authpubkey.c	Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-authpubkey.c	Thu Aug 19 17:37:14 2021 +0200
@@ -176,6 +176,7 @@
 		buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
 		cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
 		buf_free(sigbuf); /* Nothing confidential in the buffer */
+		cli_ses.is_trivial_auth = 0;
 	}
 
 	encrypt_packet();
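Review bot: Clearing `cli_ses.is_trivial_auth` inside the signing branch only, and not for the initial unsigned pubkey query, is the subtle part of this hunk and deserves a why-comment so it is not "fixed" by a later maintainer who moves it next to `encrypt_packet()`. Something like `/* Only a signed request proves key possession; the unsigned query above is still a trivial probe */` directly above the new line would do. The branch condition and the start of the function are outside this hunk, so I am inferring from the commit message that the unsigned query is handled above.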
--- a/cli-runopts.c	Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-runopts.c	Thu Aug 19 17:37:14 2021 +0200
@@ -152,6 +152,7 @@
 #if DROPBEAR_CLI_ANYTCPFWD
 	cli_opts.exit_on_fwd_failure = 0;
 #endif
+	cli_opts.disable_trivial_auth = 0;
 #if DROPBEAR_CLI_LOCALTCPFWD
 	cli_opts.localfwds = list_new();
 	opts.listen_fwd_all = 0;
@@ -889,6 +890,7 @@
 #if DROPBEAR_CLI_ANYTCPFWD
 			"\tExitOnForwardFailure\n"
 #endif
+			"\tDisableTrivialAuth\n"
 #ifndef DISABLE_SYSLOG
 			"\tUseSyslog\n"
 #endif
@@ -916,5 +918,10 @@
 		return;
 	}
 
+	if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+		cli_opts.disable_trivial_auth = parse_flag_value(optstr);
+		return;
+	}
+
 	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
 }
--- a/cli-session.c	Thu Aug 19 23:17:34 2021 +0800
+++ b/cli-session.c	Thu Aug 19 17:37:14 2021 +0200
@@ -165,6 +165,7 @@
 	/* Auth */
 	cli_ses.lastprivkey = NULL;
 	cli_ses.lastauthtype = 0;
+	cli_ses.is_trivial_auth = 1;
 
 	/* For printing "remote host closed" for the user */
 	ses.remoteclosed = cli_remoteclosed;
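Review bot: The initial value `cli_ses.is_trivial_auth = 1;` encodes a non-obvious convention (start as trivial, clear once a credential is sent) and sits next to initialisations that carry no such meaning, so a comment here would help: `/* assume trivial until a password, signed pubkey or keyboard-interactive response is sent */`. This also makes it visible that the flag is reset per session rather than per auth attempt.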
--- a/runopts.h	Thu Aug 19 23:17:34 2021 +0800
+++ b/runopts.h	Thu Aug 19 17:37:14 2021 +0200
@@ -161,6 +161,7 @@
 #if DROPBEAR_CLI_ANYTCPFWD
 	int exit_on_fwd_failure;
 #endif
+	int disable_trivial_auth;
 #if DROPBEAR_CLI_REMOTETCPFWD
 	m_list * remotefwds;
 #endif
--- a/session.h	Thu Aug 19 23:17:34 2021 +0800
+++ b/session.h	Thu Aug 19 17:37:14 2021 +0200
@@ -316,6 +316,7 @@
 
 	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
 						 for the last type of auth we tried */
+	int is_trivial_auth;
 	int ignore_next_auth_response;
 #if DROPBEAR_CLI_INTERACT_AUTH
 	int auth_interact_failed; /* flag whether interactive auth can still
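Review bot: The new field `int is_trivial_auth;` is the only member in this group without a comment, while `lastauthtype` right above it documents its meaning; please add one, e.g. `int is_trivial_auth; /* 1 until a real credential (password, signed pubkey, interactive response) has been sent; checked on userauth_success when DisableTrivialAuth is set */`. Since the field is declared as `int` and used as a flag, stating the 0/1 contract here avoids ambiguity for other readers.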