Disable telnet in favor of passwordless SSH

This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.

Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809

diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh
index 25627b66b299ed2b5d7aea03a38bd6462e4102f5..754d29085762437fc976bc2b2d1531c34b35c473 100755 (executable)
--- a/package/base-files/files/bin/login.sh
+++ b/package/base-files/files/bin/login.sh
@@ -10,8 +10,7 @@ then
 else
 cat << EOF
  === IMPORTANT ============================
-  Use 'passwd' to set your login password
-  this will disable telnet and enable SSH
+  Use 'passwd' to set your login password!
  ------------------------------------------
 EOF
 fi

diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login
index 15dcbd884f1f2ec4fd84c92482a9b656d1a26dd7..b12e31702ab61637f9b02d2ea25c3c1a1d5116d1 100644 (file)
--- a/package/base-files/files/lib/preinit/99_10_failsafe_login
+++ b/package/base-files/files/lib/preinit/99_10_failsafe_login
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-       telnetd -l /bin/login.sh <> /dev/null 2>&1
+       dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+       dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
 
 failsafe_shell() {

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8988e0db125866016d63b1acb8073864b54b7462..f140f36dcccbc14d8328992bc6ff0cec6bee563b 100644 (file)
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \

diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index f3931b0cccba79a38fb594efa8a231553feb7c7b..805a0964abc5ef9a8d9e3c4c7224c92cb4536ee2 100644 (file)
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,6 +18,17 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
 @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */

diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644 (file)
index 0000000..7c67b08
--- /dev/null
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+                               AUTH_METHOD_NONE_LEN) == 0) {
+               TRACE(("recv_msg_userauth_request: 'none' request"))
+               if (valid_user
+-                              && svr_opts.allowblankpass
++                              && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+                               && !svr_opts.noauthpass
+                               && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+                               && ses.authstate.pw_passwd[0] == '\0') 

diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644 (file)
index 0000000..ee6d273
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+               m_free(hostkey_file);
+       }
+ 
++      if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+       loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+       loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++      }
+ 
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+       if (svr_opts.delay_hostkey) {

diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
index 7b4cd99a5db8166042d953a1ac22fed37f6afc9b..d961bfaaeebc5c9d7909710a04762b36df8c2b06 100644 (file)
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
        default n
 config BUSYBOX_DEFAULT_TELNET
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
        bool
        default n
 config BUSYBOX_DEFAULT_TELNETD
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
        bool
-       default y
+       default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
        bool
        default n

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 9571d48bec25713ba345024e657ad92781018464..a65f44f8fe0448ca34c1e72919c8d386e2e67865 100644 (file)
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -110,7 +110,6 @@ define Package/busybox/install
        $(INSTALL_DIR) $(1)/etc/init.d
        $(CP) $(PKG_INSTALL_DIR)/* $(1)/
        $(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
-       $(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
        $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
        $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
        -rm -rf $(1)/lib64

diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet
deleted file mode 100755 (executable)
index a1d1cdf..0000000
--- a/package/utils/busybox/files/telnet
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
-       local pwd=$([ -f "$1" ] && cat "$1")
-             pwd="${pwd#*root:}"
-             pwd="${pwd%%:*}"
-
-       test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
-       local homedir=$([ -f "$1" ] && cat "$1")
-       homedir="${homedir#*:*:0:0:*:}"
-
-       echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
-       ( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
-       ( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
-       if ( ! has_ssh_pubkey && \
-            ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
-          ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
-       then
-               procd_open_instance
-               procd_set_param command "$PROG" -F -l /bin/login.sh
-               procd_close_instance
-       fi
-}