diff options
author | Steven Barth <cyrus@openwrt.org> | 2015-09-07 19:29:25 +0000 |
---|---|---|
committer | Steven Barth <cyrus@openwrt.org> | 2015-09-07 19:29:25 +0000 |
commit | d196b1fc2eddf7cbab4351452b6fc9b41f15b142 (patch) | |
tree | ff881e04c6d2fbcd087a4b16ce3168099e59af04 | |
parent | b850e1e59f5fff02e5719b6b196309f00d600304 (diff) | |
download | mtk-20170518-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.zip mtk-20170518-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.tar.gz mtk-20170518-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.tar.bz2 |
Disable telnet in favor of passwordless SSH
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809
9 files changed, 49 insertions, 48 deletions
diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh index 25627b6..754d290 100755 --- a/package/base-files/files/bin/login.sh +++ b/package/base-files/files/bin/login.sh @@ -10,8 +10,7 @@ then else cat << EOF === IMPORTANT ============================ - Use 'passwd' to set your login password - this will disable telnet and enable SSH + Use 'passwd' to set your login password! ------------------------------------------ EOF fi diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login index 15dcbd8..b12e317 100644 --- a/package/base-files/files/lib/preinit/99_10_failsafe_login +++ b/package/base-files/files/lib/preinit/99_10_failsafe_login @@ -1,9 +1,10 @@ #!/bin/sh -# Copyright (C) 2006 OpenWrt.org +# Copyright (C) 2006-2015 OpenWrt.org # Copyright (C) 2010 Vertical Communications failsafe_netlogin () { - telnetd -l /bin/login.sh <> /dev/null 2>&1 + dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 } failsafe_shell() { diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 8988e0d..f140f36 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear PKG_VERSION:=2015.68 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch index f3931b0..805a096 100644 --- a/package/network/services/dropbear/patches/120-openwrt_options.patch +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch @@ -18,6 +18,17 @@ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ #define ENABLE_USER_ALGO_LIST +@@ -95,8 +95,8 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256*/ ++/*#define DROPBEAR_TWOFISH128*/ + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ @@ -131,9 +131,9 @@ If you test it please contact the Dropbe * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * which are not the standard form. */ diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch new file mode 100644 index 0000000..7c67b08 --- /dev/null +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -0,0 +1,11 @@ +--- a/svr-auth.c ++++ b/svr-auth.c +@@ -149,7 +149,7 @@ void recv_msg_userauth_request() { + AUTH_METHOD_NONE_LEN) == 0) { + TRACE(("recv_msg_userauth_request: 'none' request")) + if (valid_user +- && svr_opts.allowblankpass ++ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root")) + && !svr_opts.noauthpass + && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) + && ses.authstate.pw_passwd[0] == '\0') diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch new file mode 100644 index 0000000..ee6d273 --- /dev/null +++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch @@ -0,0 +1,18 @@ +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -475,6 +475,7 @@ void load_all_hostkeys() { + m_free(hostkey_file); + } + ++ if (svr_opts.num_hostkey_files <= 0) { + #ifdef DROPBEAR_RSA + loadhostkey(RSA_PRIV_FILENAME, 0); + #endif +@@ -486,6 +487,7 @@ void load_all_hostkeys() { + #ifdef DROPBEAR_ECDSA + loadhostkey(ECDSA_PRIV_FILENAME, 0); + #endif ++ } + + #ifdef DROPBEAR_DELAY_HOSTKEY + if (svr_opts.delay_hostkey) { diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in index 7b4cd99..d961bfa 100644 --- a/package/utils/busybox/Config-defaults.in +++ b/package/utils/busybox/Config-defaults.in @@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD default n config BUSYBOX_DEFAULT_TELNET bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN bool default n config BUSYBOX_DEFAULT_TELNETD bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE bool - default y + default n config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT bool default n diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile index 9571d48..a65f44f 100644 --- a/package/utils/busybox/Makefile +++ b/package/utils/busybox/Makefile @@ -110,7 +110,6 @@ define Package/busybox/install $(INSTALL_DIR) $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/* $(1)/ $(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron - $(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug -rm -rf $(1)/lib64 diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet deleted file mode 100755 index a1d1cdf..0000000 --- a/package/utils/busybox/files/telnet +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2006-2011 OpenWrt.org - -START=50 - -USE_PROCD=1 -PROG=/usr/sbin/telnetd - -has_root_pwd() { - local pwd=$([ -f "$1" ] && cat "$1") - pwd="${pwd#*root:}" - pwd="${pwd%%:*}" - - test -n "${pwd#[\!x]}" -} - -get_root_home() { - local homedir=$([ -f "$1" ] && cat "$1") - homedir="${homedir#*:*:0:0:*:}" - - echo "${homedir%%:*}" -} - -has_ssh_pubkey() { - ( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \ - ( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys ) -} - -start_service() { - if ( ! has_ssh_pubkey && \ - ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \ - ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null ); - then - procd_open_instance - procd_set_param command "$PROG" -F -l /bin/login.sh - procd_close_instance - fi -} |