summaryrefslogtreecommitdiffstats
path: root/meta/packages/dropbear
diff options
context:
space:
mode:
Diffstat (limited to 'meta/packages/dropbear')
-rw-r--r--meta/packages/dropbear/dropbear.inc73
-rw-r--r--meta/packages/dropbear/dropbear/allow-nopw.patch37
-rw-r--r--meta/packages/dropbear/dropbear/chansession-security-fix.patch74
-rw-r--r--meta/packages/dropbear/dropbear/configure.patch27
-rw-r--r--meta/packages/dropbear/dropbear/fix-2kb-keys.patch11
-rwxr-xr-xmeta/packages/dropbear/dropbear/init98
-rw-r--r--meta/packages/dropbear/dropbear/urandom-xauth-changes-to-options.h.patch21
-rw-r--r--meta/packages/dropbear/dropbear_0.47.bb3
8 files changed, 344 insertions, 0 deletions
diff --git a/meta/packages/dropbear/dropbear.inc b/meta/packages/dropbear/dropbear.inc
new file mode 100644
index 0000000000..301ac24cb2
--- /dev/null
+++ b/meta/packages/dropbear/dropbear.inc
@@ -0,0 +1,73 @@
1DESCRIPTION = "Dropbear is a lightweight SSH and SCP Implementation"
2HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
3SECTION = "console/network"
4LICENSE = "MIT"
5DEPENDS = "zlib"
6PROVIDES = "ssh sshd"
7RPROVIDES = "ssh sshd"
8
9SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.gz \
10 file://urandom-xauth-changes-to-options.h.patch;patch=1 \
11 file://configure.patch;patch=1 \
12 file://fix-2kb-keys.patch;patch=1 \
13 file://allow-nopw.patch \
14 file://init"
15
16inherit autotools update-rc.d
17
18INITSCRIPT_NAME = "dropbear"
19INITSCRIPT_PARAMS = "defaults 10"
20
21CFLAGS_prepend = " -I. "
22LD = "${CC}"
23
24SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
25BINCOMMANDS = "dbclient ssh scp"
26EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
27
28do_configure_prepend() {
29 if [ "x${DISTRO}" != "xfamiliar" -a "${DISTRO_TYPE}" == "debug" ]; then
30 oenote "WARNING: applying allow-nopw.patch which allows password-less logins!"
31 patch -p1 < ${WORKDIR}/allow-nopw.patch
32 fi
33}
34
35do_install() {
36 install -d ${D}${sysconfdir} \
37 ${D}${sysconfdir}/init.d \
38 ${D}${sysconfdir}/default \
39 ${D}${sysconfdir}/dropbear \
40 ${D}${bindir} \
41 ${D}${sbindir} \
42 ${D}${localstatedir}
43
44 install -m 0755 dropbearmulti ${D}${sbindir}/
45 ln -s ${sbindir}/dropbearmulti ${D}${bindir}/dbclient
46
47 for i in ${SBINCOMMANDS}
48 do
49 ln -s ./dropbearmulti ${D}${sbindir}/$i
50 done
51 cat ${WORKDIR}/init | sed -e 's,/etc,${sysconfdir},g' \
52 -e 's,/usr/sbin,${sbindir},g' \
53 -e 's,/var,${localstatedir},g' \
54 -e 's,/usr/bin,${bindir},g' \
55 -e 's,/usr,${prefix},g' > ${D}${sysconfdir}/init.d/dropbear
56 chmod 755 ${D}${sysconfdir}/init.d/dropbear
57}
58
59pkg_postinst () {
60 update-alternatives --install ${bindir}/scp scp ${sbindir}/dropbearmulti 20
61 update-alternatives --install ${bindir}/ssh ssh ${sbindir}/dropbearmulti 20
62}
63
64pkg_postrm_append () {
65 if [ -f "${sysconfdir}/dropbear/dropbear_rsa_host_key" ]; then
66 rm ${sysconfdir}/dropbear/dropbear_rsa_host_key
67 fi
68 if [ -f "${sysconfdir}/dropbear/dropbear_dss_host_key" ]; then
69 rm ${sysconfdir}/dropbear/dropbear_dss_host_key
70 fi
71 update-alternatives --remove ssh ${bindir}/dropbearmulti
72 update-alternatives --remove scp ${bindir}/dropbearmulti
73}
diff --git a/meta/packages/dropbear/dropbear/allow-nopw.patch b/meta/packages/dropbear/dropbear/allow-nopw.patch
new file mode 100644
index 0000000000..1a709b8da0
--- /dev/null
+++ b/meta/packages/dropbear/dropbear/allow-nopw.patch
@@ -0,0 +1,37 @@
1diff -Nurd dropbear-0.45/svr-auth.c dropbear-0.45.patched/svr-auth.c
2--- dropbear-0.45/svr-auth.c 2005-03-06 20:27:02.000000000 -0800
3+++ dropbear-0.45.patched/svr-auth.c 2005-03-08 15:22:43.998592744 -0800
4@@ -237,6 +237,7 @@
5 }
6
7 /* check for an empty password */
8+#ifdef DISALLOW_EMPTY_PW
9 if (ses.authstate.pw->pw_passwd[0] == '\0') {
10 TRACE(("leave checkusername: empty pword"))
11 dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected",
12@@ -244,7 +245,7 @@
13 send_msg_userauth_failure(0, 1);
14 return DROPBEAR_FAILURE;
15 }
16-
17+#endif
18 TRACE(("shell is %s", ses.authstate.pw->pw_shell))
19
20 /* check that the shell is set */
21diff -Nurd dropbear-0.45/svr-authpasswd.c dropbear-0.45.patched/svr-authpasswd.c
22--- dropbear-0.45/svr-authpasswd.c 2005-03-06 20:27:02.000000000 -0800
23+++ dropbear-0.45.patched/svr-authpasswd.c 2005-03-08 15:22:44.010591023 -0800
24@@ -64,9 +64,13 @@
25 * since the shadow password may differ to that tested
26 * in auth.c */
27 if (passwdcrypt[0] == '\0') {
28+#ifdef DISALLOW_EMPTY_PASSWD
29 dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected",
30 ses.authstate.printableuser);
31 send_msg_userauth_failure(0, 1);
32+#else
33+ send_msg_userauth_success();
34+#endif
35 return;
36 }
37
diff --git a/meta/packages/dropbear/dropbear/chansession-security-fix.patch b/meta/packages/dropbear/dropbear/chansession-security-fix.patch
new file mode 100644
index 0000000000..bc4c461fee
--- /dev/null
+++ b/meta/packages/dropbear/dropbear/chansession-security-fix.patch
@@ -0,0 +1,74 @@
1Date: Sun, 11 Dec 2005 23:30:02 +0800
2From: Matt Johnston <matt@ucc.asn.au>
3To: dropbear@ucc.gu.uwa.edu.au
4Subject: Dropbear 0.47 (and security fix)
5Message-ID: <20051211153002.GH28839@ucc.gu.uwa.edu.au>
6
7Hi all.
8
9I've put up a new release 0.47 of Dropbear, which has
10various fixes and new features - see the change summary
11below.
12http://matt.ucc.asn.au/dropbear/dropbear.html is the
13url as usual or directly at
14http://matt.ucc.asn.au/dropbear/dropbear-0.47.tar.bz2
15
16This release also fixes a potential security issue, which
17may allow authenticated users to run arbitrary code as the
18server user. I'm unsure exactly how likely it is to be
19exploitable, but anyone who's running a multi-user server is
20advised to upgrade. For older releases, the patch is:
21(against chanesssion.c for 0.43 and earlier).
22
23--- dropbear/svr-chansession.c
24+++ dropbear/svr-chansession.c
25@@ -810,7 +810,7 @@
26 /* need to increase size */
27 if (i == svr_ses.childpidsize) {
28 svr_ses.childpids = (struct ChildPid*)m_realloc(svr_ses.childpids,
29- sizeof(struct ChildPid) * svr_ses.childpidsize+1);
30+ sizeof(struct ChildPid) * (svr_ses.childpidsize+1));
31 svr_ses.childpidsize++;
32 }
33
34
35Matt
36
37
380.47 - Thurs Dec 8 2005
39
40- SECURITY: fix for buffer allocation error in server code, could potentially
41 allow authenticated users to gain elevated privileges. All multi-user systems
42 running the server should upgrade (or apply the patch available on the
43 Dropbear webpage).
44
45- Fix channel handling code so that redirecting to /dev/null doesn't use
46 100% CPU.
47
48- Turn on zlib compression for dbclient.
49
50- Set "low delay" TOS bit, can significantly improve interactivity
51 over some links.
52
53- Added client keyboard-interactive mode support, allows operation with
54 newer OpenSSH servers in default config.
55
56- Log when pubkey auth fails because of bad ~/.ssh/authorized_keys permissions
57
58- Improve logging of assertions
59
60- Added aes-256 cipher and sha1-96 hmac.
61
62- Fix twofish so that it actually works.
63
64- Improve PAM prompt comparison.
65
66- Added -g (dbclient) and -a (dropbear server) options to allow
67 connections to listening forwarded ports from remote machines.
68
69- Various other minor fixes
70
71- Compile fixes for glibc 2.1 (ss_family vs __ss_family) and NetBSD
72 (netinet/in_systm.h needs to be included).
73
74
diff --git a/meta/packages/dropbear/dropbear/configure.patch b/meta/packages/dropbear/dropbear/configure.patch
new file mode 100644
index 0000000000..9ae84b2604
--- /dev/null
+++ b/meta/packages/dropbear/dropbear/configure.patch
@@ -0,0 +1,27 @@
1diff -Nurd dropbear-0.45/configure.in dropbear-0.45.patched/configure.in
2--- dropbear-0.45/configure.in 2005-03-06 20:27:02.000000000 -0800
3+++ dropbear-0.45.patched/configure.in 2005-03-08 15:22:44.040586721 -0800
4@@ -161,15 +161,20 @@
5 AC_MSG_RESULT(Not using openpty)
6 else
7 AC_MSG_RESULT(Using openpty if available)
8- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)])
9+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes])
10 fi
11 ],
12 [
13 AC_MSG_RESULT(Using openpty if available)
14- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)])
15+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes])
16 ]
17 )
18-
19+
20+if test "x$dropbear_cv_func_have_openpty" = "xyes"; then
21+ AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)
22+ no_ptc_check=yes
23+ no_ptmx_check=yes
24+fi
25
26 AC_ARG_ENABLE(syslog,
27 [ --disable-syslog Don't include syslog support],
diff --git a/meta/packages/dropbear/dropbear/fix-2kb-keys.patch b/meta/packages/dropbear/dropbear/fix-2kb-keys.patch
new file mode 100644
index 0000000000..ba2b19d44a
--- /dev/null
+++ b/meta/packages/dropbear/dropbear/fix-2kb-keys.patch
@@ -0,0 +1,11 @@
1diff -Nurd dropbear-0.45/kex.h dropbear-0.45.patched/kex.h
2--- dropbear-0.45/kex.h 2005-03-06 20:27:02.000000000 -0800
3+++ dropbear-0.45.patched/kex.h 2005-03-08 15:22:44.064583279 -0800
4@@ -64,6 +64,6 @@
5
6 };
7
8-#define MAX_KEXHASHBUF 2000
9+#define MAX_KEXHASHBUF 3000
10
11 #endif /* _KEX_H_ */
diff --git a/meta/packages/dropbear/dropbear/init b/meta/packages/dropbear/dropbear/init
new file mode 100755
index 0000000000..d019bdb4ba
--- /dev/null
+++ b/meta/packages/dropbear/dropbear/init
@@ -0,0 +1,98 @@
1#!/bin/sh
2#
3# Do not configure this file. Edit /etc/default/dropbear instead!
4#
5
6PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
7DAEMON=/usr/sbin/dropbear
8NAME=dropbear
9DESC="Dropbear SSH server"
10
11DROPBEAR_PORT=22
12DROPBEAR_EXTRA_ARGS=
13NO_START=0
14
15set -e
16
17test ! -r /etc/default/dropbear || . /etc/default/dropbear
18test "$NO_START" = "0" || exit 0
19test -x "$DAEMON" || exit 0
20test ! -h /var/service/dropbear || exit 0
21
22readonly_rootfs=0
23for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
24 case $flag in
25 ro)
26 readonly_rootfs=1
27 ;;
28 esac
29done
30
31if [ $readonly_rootfs = "1" ]; then
32 mkdir -p /var/lib/dropbear
33 DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
34 DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
35else
36 DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
37 DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
38fi
39
40test -z "$DROPBEAR_BANNER" || \
41 DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
42test -n "$DROPBEAR_RSAKEY" || \
43 DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
44test -n "$DROPBEAR_DSSKEY" || \
45 DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
46test -n "$DROPBEAR_KEYTYPES" || \
47 DROPBEAR_KEYTYPES="rsa"
48
49gen_keys() {
50for t in $DROPBEAR_KEYTYPES; do
51 case $t in
52 rsa)
53 test -f $DROPBEAR_RSAKEY || dropbearkey -t rsa -f $DROPBEAR_RSAKEY
54 ;;
55 dsa)
56 test -f $DROPBEAR_DSSKEY || dropbearkey -t dss -f $DROPBEAR_DSSKEY
57 ;;
58 esac
59done
60}
61
62case "$1" in
63 start)
64 echo -n "Starting $DESC: "
65 gen_keys
66 KEY_ARGS=""
67 test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
68 test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
69 start-stop-daemon -S \
70 -x "$DAEMON" -- $KEY_ARGS \
71 -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS
72 echo "$NAME."
73 ;;
74 stop)
75 echo -n "Stopping $DESC: "
76 start-stop-daemon -K -x "$DAEMON"
77 echo "$NAME."
78 ;;
79 restart|force-reload)
80 echo -n "Restarting $DESC: "
81 start-stop-daemon -K -x "$DAEMON"
82 sleep 1
83 KEY_ARGS=""
84 test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
85 test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
86 start-stop-daemon -S \
87 -x "$DAEMON" -- $KEY_ARGS \
88 -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS
89 echo "$NAME."
90 ;;
91 *)
92 N=/etc/init.d/$NAME
93 echo "Usage: $N {start|stop|restart|force-reload}" >&2
94 exit 1
95 ;;
96esac
97
98exit 0
diff --git a/meta/packages/dropbear/dropbear/urandom-xauth-changes-to-options.h.patch b/meta/packages/dropbear/dropbear/urandom-xauth-changes-to-options.h.patch
new file mode 100644
index 0000000000..e2b1dd5da5
--- /dev/null
+++ b/meta/packages/dropbear/dropbear/urandom-xauth-changes-to-options.h.patch
@@ -0,0 +1,21 @@
1diff -Nurd dropbear-0.45/options.h dropbear-0.45.patched/options.h
2--- dropbear-0.45/options.h 2005-03-06 20:27:02.000000000 -0800
3+++ dropbear-0.45.patched/options.h 2005-03-08 15:25:09.368742090 -0800
4@@ -143,7 +143,7 @@
5 * however significantly reduce the security of your ssh connections
6 * if the PRNG state becomes guessable - make sure you know what you are
7 * doing if you change this. */
8-#define DROPBEAR_RANDOM_DEV "/dev/random"
9+#define DROPBEAR_RANDOM_DEV "/dev/urandom"
10
11 /* prngd must be manually set up to produce output */
12 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
13@@ -167,7 +167,7 @@
14 /* The command to invoke for xauth when using X11 forwarding.
15 * "-q" for quiet */
16 #ifndef XAUTH_COMMAND
17-#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q"
18+#define XAUTH_COMMAND "xauth -q"
19 #endif
20
21 /* if you want to enable running an sftp server (such as the one included with
diff --git a/meta/packages/dropbear/dropbear_0.47.bb b/meta/packages/dropbear/dropbear_0.47.bb
new file mode 100644
index 0000000000..5990260b87
--- /dev/null
+++ b/meta/packages/dropbear/dropbear_0.47.bb
@@ -0,0 +1,3 @@
1include dropbear.inc
2
3PR = "r2"