dropbear: allow configuring blank password option at runtime

Instead of using IMAGE_FEATURES to control something within a recipe, allow this to be set at runtime, avoiding the need to rebuild dropbear when we want to change this option. First half of the fix for [YOCTO #2578]. (From OE-Core rev: 313039590171456b652fa7a2f5823c9b7060b20f) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2013-01-16 17:00:11 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-01-18 13:28:05 +0000
commit: 955568ddfad2e21b8ff680d84655b2c9d54c06f2 (patch)
tree: b36804be0c06ef9d2f914ea48f871986299604fe /meta/recipes-core
parent: 8ca0d592c5c266741ea00bc2629ef031506f834e (diff)
download: poky-955568ddfad2e21b8ff680d84655b2c9d54c06f2.tar.gz
3 files changed, 108 insertions, 23 deletions
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index aa313df316..3e430f22bf 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
 HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
 SECTION = "console/network"
-INC_PR = "r0"
+INC_PR = "r1"
 # some files are from other projects and have others license terms:
 #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
@@ -18,7 +18,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.gz \
                 file://dropbear-0.53.1-static_build_fix.patch \
                 file://configure.patch \
                 file://fix-2kb-keys.patch \
-                 ${@base_contains("DISTRO_TYPE", "debug", "file://allow-nopw.patch", "",d)} \
+                 file://nopw-option.patch \
                 file://init \
                 ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "
@@ -40,8 +40,6 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
 EXTRA_OECONF += "\
 ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
-DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
 do_install() {
        install -d ${D}${sysconfdir} \
                   ${D}${sysconfdir}/init.d \
diff --git a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch b/meta/recipes-core/dropbear/dropbear/allow-nopw.patch
deleted file mode 100644
index a175ee14da..0000000000
--- a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Enable blank password login function for new release dropbear.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Mei Lei <lei.mei@intel.com>
-diff --git a/options.h b/options.h
-index 73689ad..041ddaa 100644
--- a/options.h
-+++ b/options.h
-@@ -180,7 +180,7 @@ much traffic. */
-  * Public key logins are allowed for blank-password accounts regardless of this
-  * setting.  PAM is not affected by this setting, it uses the normal pam.d
-  * settings ('nullok' option) */
-/* #define ALLOW_BLANK_PASSWORD */
-+#define ALLOW_BLANK_PASSWORD
- 
- #define ENABLE_CLI_PASSWORD_AUTH
- #define ENABLE_CLI_PUBKEY_AUTH
diff --git a/meta/recipes-core/dropbear/dropbear/nopw-option.patch b/meta/recipes-core/dropbear/dropbear/nopw-option.patch
new file mode 100644
index 0000000000..e7fcbb3f69
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/nopw-option.patch
@@ -0,0 +1,106 @@
+Allow configuring "allow blank password option" at runtime
+Changes this from a compile-time switch to a command-line option.
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+Upstream-Status: Pending
+diff --git a/options.h b/options.h
+index 00f6179..b8d0ccb 100644
+--- a/options.h
+++ b/options.h
+@@ -176,12 +176,6 @@ much traffic. */
+ #define ENABLE_SVR_PUBKEY_OPTIONS
+ #endif
+ 
+-/* Define this to allow logging in to accounts that have no password specified.
+- * Public key logins are allowed for blank-password accounts regardless of this
+- * setting.  PAM is not affected by this setting, it uses the normal pam.d
+- * settings ('nullok' option) */
+-/* #define ALLOW_BLANK_PASSWORD */
+-
+ #define ENABLE_CLI_PASSWORD_AUTH
+ #define ENABLE_CLI_PUBKEY_AUTH
+ #define ENABLE_CLI_INTERACT_AUTH
+diff --git a/runopts.h b/runopts.h
+index 83b5861..126585b 100644
+--- a/runopts.h
+++ b/runopts.h
+@@ -85,6 +85,7 @@ typedef struct svr_runopts {
+ 
+        int noauthpass;
+        int norootpass;
+       int allowblankpass;
+ 
+ #ifdef ENABLE_SVR_REMOTETCPFWD
+        int noremotetcp;
+diff --git a/svr-authpasswd.c b/svr-authpasswd.c
+index 54b4889..d9b7928 100644
+--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
+@@ -29,6 +29,7 @@
+ #include "buffer.h"
+ #include "dbutil.h"
+ #include "auth.h"
+#include "runopts.h"
+ 
+ #ifdef ENABLE_SVR_PASSWORD_AUTH
+ 
+@@ -78,16 +79,17 @@ void svr_auth_password() {
+ 
+        /* check for empty password */
+        if (passwdcrypt[0] == '\0') {
+-#ifdef ALLOW_BLANK_PASSWORD
+-               if (passwordlen == 0) {
+-                       success_blank = 1;
+               if (svr_opts.allowblankpass) {
+                       if (passwordlen == 0) {
+                               success_blank = 1;
+                       }
+               }
+               else {
+                       dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
+                                       ses.authstate.pw_name);
+                       send_msg_userauth_failure(0, 1);
+                       return;
+                }
+-#else
+-               dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
+-                               ses.authstate.pw_name);
+-               send_msg_userauth_failure(0, 1);
+-               return;
+-#endif
+        }
+ 
+        if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) {
+diff --git a/svr-runopts.c b/svr-runopts.c
+index c6e3508..b39ffb2 100644
+--- a/svr-runopts.c
+++ b/svr-runopts.c
+@@ -63,6 +63,7 @@ static void printhelp(const char * progname) {
+ #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
+                                        "-s             Disable password logins\n"
+                                        "-g             Disable password logins for root\n"
+                                       "-B             Allow blank password logins\n"
+ #endif
+ #ifdef ENABLE_SVR_LOCALTCPFWD
+                                        "-j             Disable local port forwarding\n"
+@@ -115,6 +116,7 @@ void svr_getopts(int argc, char ** argv) {
+        svr_opts.norootlogin = 0;
+        svr_opts.noauthpass = 0;
+        svr_opts.norootpass = 0;
+       svr_opts.allowblankpass = 0;
+        svr_opts.inetdmode = 0;
+        svr_opts.portcount = 0;
+        svr_opts.hostkey = NULL;
+@@ -234,6 +236,9 @@ void svr_getopts(int argc, char ** argv) {
+                                case 'g':
+                                        svr_opts.norootpass = 1;
+                                        break;
+                               case 'B':
+                                       svr_opts.allowblankpass = 1;
+                                       break;
+ #endif
+                                case 'h':
+                                        printhelp(argv[0]);
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2013-01-16 17:00:11 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-01-18 13:28:05 +0000
commit	955568ddfad2e21b8ff680d84655b2c9d54c06f2 (patch)
tree	b36804be0c06ef9d2f914ea48f871986299604fe /meta/recipes-core
parent	8ca0d592c5c266741ea00bc2629ef031506f834e (diff)
download	poky-955568ddfad2e21b8ff680d84655b2c9d54c06f2.tar.gz

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index aa313df316..3e430f22bf 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
2	HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"	2	HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
3	SECTION = "console/network"	3	SECTION = "console/network"
4		4
5	INC_PR = "r0"	5	INC_PR = "r1"
6		6
7	# some files are from other projects and have others license terms:	7	# some files are from other projects and have others license terms:
8	# public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY	8	# public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
@@ -18,7 +18,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.gz \
18	file://dropbear-0.53.1-static_build_fix.patch \	18	file://dropbear-0.53.1-static_build_fix.patch \
19	file://configure.patch \	19	file://configure.patch \
20	file://fix-2kb-keys.patch \	20	file://fix-2kb-keys.patch \
21	${@base_contains("DISTRO_TYPE", "debug", "file://allow-nopw.patch", "",d)} \	21	file://nopw-option.patch \
22	file://init \	22	file://init \
23	${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "	23	${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "
24		24
@@ -40,8 +40,6 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
40	EXTRA_OECONF += "\	40	EXTRA_OECONF += "\
41	${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"	41	${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
42		42
43	DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
44
45	do_install() {	43	do_install() {
46	install -d ${D}${sysconfdir} \	44	install -d ${D}${sysconfdir} \
47	${D}${sysconfdir}/init.d \	45	${D}${sysconfdir}/init.d \


diff --git a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch b/meta/recipes-core/dropbear/dropbear/allow-nopw.patch deleted file mode 100644 index a175ee14da..0000000000 --- a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch +++ /dev/null
@@ -1,19 +0,0 @@
1	Enable blank password login function for new release dropbear.
2
3	Upstream-Status: Inappropriate [configuration]
4
5	Signed-off-by: Mei Lei <lei.mei@intel.com>
6
7	diff --git a/options.h b/options.h
8	index 73689ad..041ddaa 100644
9	--- a/options.h
10	+++ b/options.h
11	@@ -180,7 +180,7 @@ much traffic. */
12	* Public key logins are allowed for blank-password accounts regardless of this
13	* setting. PAM is not affected by this setting, it uses the normal pam.d
14	* settings ('nullok' option) */
15	-/* #define ALLOW_BLANK_PASSWORD */
16	+#define ALLOW_BLANK_PASSWORD
17
18	#define ENABLE_CLI_PASSWORD_AUTH
19	#define ENABLE_CLI_PUBKEY_AUTH


diff --git a/meta/recipes-core/dropbear/dropbear/nopw-option.patch b/meta/recipes-core/dropbear/dropbear/nopw-option.patch new file mode 100644 index 0000000000..e7fcbb3f69 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/nopw-option.patch
@@ -0,0 +1,106 @@
		1	Allow configuring "allow blank password option" at runtime
		2
		3	Changes this from a compile-time switch to a command-line option.
		4
		5	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		6
		7	Upstream-Status: Pending
		8
		9	diff --git a/options.h b/options.h
		10	index 00f6179..b8d0ccb 100644
		11	--- a/options.h
		12	+++ b/options.h
		13	@@ -176,12 +176,6 @@ much traffic. */
		14	#define ENABLE_SVR_PUBKEY_OPTIONS
		15	#endif
		16
		17	-/* Define this to allow logging in to accounts that have no password specified.
		18	- * Public key logins are allowed for blank-password accounts regardless of this
		19	- * setting. PAM is not affected by this setting, it uses the normal pam.d
		20	- * settings ('nullok' option) */
		21	-/* #define ALLOW_BLANK_PASSWORD */
		22	-
		23	#define ENABLE_CLI_PASSWORD_AUTH
		24	#define ENABLE_CLI_PUBKEY_AUTH
		25	#define ENABLE_CLI_INTERACT_AUTH
		26	diff --git a/runopts.h b/runopts.h
		27	index 83b5861..126585b 100644
		28	--- a/runopts.h
		29	+++ b/runopts.h
		30	@@ -85,6 +85,7 @@ typedef struct svr_runopts {
		31
		32	int noauthpass;
		33	int norootpass;
		34	+ int allowblankpass;
		35
		36	#ifdef ENABLE_SVR_REMOTETCPFWD
		37	int noremotetcp;
		38	diff --git a/svr-authpasswd.c b/svr-authpasswd.c
		39	index 54b4889..d9b7928 100644
		40	--- a/svr-authpasswd.c
		41	+++ b/svr-authpasswd.c
		42	@@ -29,6 +29,7 @@
		43	#include "buffer.h"
		44	#include "dbutil.h"
		45	#include "auth.h"
		46	+#include "runopts.h"
		47
		48	#ifdef ENABLE_SVR_PASSWORD_AUTH
		49
		50	@@ -78,16 +79,17 @@ void svr_auth_password() {
		51
		52	/* check for empty password */
		53	if (passwdcrypt[0] == '\0') {
		54	-#ifdef ALLOW_BLANK_PASSWORD
		55	- if (passwordlen == 0) {
		56	- success_blank = 1;
		57	+ if (svr_opts.allowblankpass) {
		58	+ if (passwordlen == 0) {
		59	+ success_blank = 1;
		60	+ }
		61	+ }
		62	+ else {
		63	+ dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
		64	+ ses.authstate.pw_name);
		65	+ send_msg_userauth_failure(0, 1);
		66	+ return;
		67	}
		68	-#else
		69	- dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
		70	- ses.authstate.pw_name);
		71	- send_msg_userauth_failure(0, 1);
		72	- return;
		73	-#endif
		74	}
		75
		76	if (success_blank \|\| strcmp(testcrypt, passwdcrypt) == 0) {
		77	diff --git a/svr-runopts.c b/svr-runopts.c
		78	index c6e3508..b39ffb2 100644
		79	--- a/svr-runopts.c
		80	+++ b/svr-runopts.c
		81	@@ -63,6 +63,7 @@ static void printhelp(const char * progname) {
		82	#if defined(ENABLE_SVR_PASSWORD_AUTH) \|\| defined(ENABLE_SVR_PAM_AUTH)
		83	"-s Disable password logins\n"
		84	"-g Disable password logins for root\n"
		85	+ "-B Allow blank password logins\n"
		86	#endif
		87	#ifdef ENABLE_SVR_LOCALTCPFWD
		88	"-j Disable local port forwarding\n"
		89	@@ -115,6 +116,7 @@ void svr_getopts(int argc, char ** argv) {
		90	svr_opts.norootlogin = 0;
		91	svr_opts.noauthpass = 0;
		92	svr_opts.norootpass = 0;
		93	+ svr_opts.allowblankpass = 0;
		94	svr_opts.inetdmode = 0;
		95	svr_opts.portcount = 0;
		96	svr_opts.hostkey = NULL;
		97	@@ -234,6 +236,9 @@ void svr_getopts(int argc, char ** argv) {
		98	case 'g':
		99	svr_opts.norootpass = 1;
		100	break;
		101	+ case 'B':
		102	+ svr_opts.allowblankpass = 1;
		103	+ break;
		104	#endif
		105	case 'h':
		106	printhelp(argv[0]);