Disable telnet in favor of passwordless SSH
authorSteven Barth <cyrus@openwrt.org>
Mon, 7 Sep 2015 19:29:25 +0000 (19:29 +0000)
committerSteven Barth <cyrus@openwrt.org>
Mon, 7 Sep 2015 19:29:25 +0000 (19:29 +0000)
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.

Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809

package/base-files/files/bin/login.sh
package/base-files/files/lib/preinit/99_10_failsafe_login
package/network/services/dropbear/Makefile
package/network/services/dropbear/patches/120-openwrt_options.patch
package/network/services/dropbear/patches/600-allow-blank-root-password.patch [new file with mode: 0644]
package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch [new file with mode: 0644]
package/utils/busybox/Config-defaults.in
package/utils/busybox/Makefile
package/utils/busybox/files/telnet [deleted file]

index 25627b6..754d290 100755 (executable)
@@ -10,8 +10,7 @@ then
 else
 cat << EOF
  === IMPORTANT ============================
-  Use 'passwd' to set your login password
-  this will disable telnet and enable SSH
+  Use 'passwd' to set your login password!
  ------------------------------------------
 EOF
 fi
index 15dcbd8..b12e317 100644 (file)
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-       telnetd -l /bin/login.sh <> /dev/null 2>&1
+       dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+       dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
 
 failsafe_shell() {
index 8988e0d..f140f36 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
index f3931b0..805a096 100644 (file)
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
 @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644 (file)
index 0000000..7c67b08
--- /dev/null
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+                               AUTH_METHOD_NONE_LEN) == 0) {
+               TRACE(("recv_msg_userauth_request: 'none' request"))
+               if (valid_user
+-                              && svr_opts.allowblankpass
++                              && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+                               && !svr_opts.noauthpass
+                               && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+                               && ses.authstate.pw_passwd[0] == '\0') 
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644 (file)
index 0000000..ee6d273
--- /dev/null
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+               m_free(hostkey_file);
+       }
++      if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+       loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+       loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++      }
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+       if (svr_opts.delay_hostkey) {
index 7b4cd99..d961bfa 100644 (file)
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
        default n
 config BUSYBOX_DEFAULT_TELNET
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
        bool
        default n
 config BUSYBOX_DEFAULT_TELNETD
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
        bool
        default n
index 9571d48..a65f44f 100644 (file)
@@ -110,7 +110,6 @@ define Package/busybox/install
        $(INSTALL_DIR) $(1)/etc/init.d
        $(CP) $(PKG_INSTALL_DIR)/* $(1)/
        $(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
-       $(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
        $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
        $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
        -rm -rf $(1)/lib64
diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet
deleted file mode 100755 (executable)
index a1d1cdf..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
-       local pwd=$([ -f "$1" ] && cat "$1")
-             pwd="${pwd#*root:}"
-             pwd="${pwd%%:*}"
-
-       test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
-       local homedir=$([ -f "$1" ] && cat "$1")
-       homedir="${homedir#*:*:0:0:*:}"
-
-       echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
-       ( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
-       ( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
-       if ( ! has_ssh_pubkey && \
-            ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
-          ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
-       then
-               procd_open_instance
-               procd_set_param command "$PROG" -F -l /bin/login.sh
-               procd_close_instance
-       fi
-}