summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteven Barth <cyrus@openwrt.org>2015-09-07 19:29:25 +0000
committerSteven Barth <cyrus@openwrt.org>2015-09-07 19:29:25 +0000
commitd196b1fc2eddf7cbab4351452b6fc9b41f15b142 (patch)
treeff881e04c6d2fbcd087a4b16ce3168099e59af04
parentb850e1e59f5fff02e5719b6b196309f00d600304 (diff)
downloadmtk-20170518-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.zip
mtk-20170518-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.tar.gz
mtk-20170518-d196b1fc2eddf7cbab4351452b6fc9b41f15b142.tar.bz2
Disable telnet in favor of passwordless SSH
This enables passworldless login for root via SSH whenever no root password is set (e.g. after reset, flashing without keeping config or in failsafe) and removes telnet support alltogether. Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46809
-rwxr-xr-xpackage/base-files/files/bin/login.sh3
-rw-r--r--package/base-files/files/lib/preinit/99_10_failsafe_login5
-rw-r--r--package/network/services/dropbear/Makefile2
-rw-r--r--package/network/services/dropbear/patches/120-openwrt_options.patch11
-rw-r--r--package/network/services/dropbear/patches/600-allow-blank-root-password.patch11
-rw-r--r--package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch18
-rw-r--r--package/utils/busybox/Config-defaults.in8
-rw-r--r--package/utils/busybox/Makefile1
-rwxr-xr-xpackage/utils/busybox/files/telnet38
9 files changed, 49 insertions, 48 deletions
diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh
index 25627b6..754d290 100755
--- a/package/base-files/files/bin/login.sh
+++ b/package/base-files/files/bin/login.sh
@@ -10,8 +10,7 @@ then
else
cat << EOF
=== IMPORTANT ============================
- Use 'passwd' to set your login password
- this will disable telnet and enable SSH
+ Use 'passwd' to set your login password!
------------------------------------------
EOF
fi
diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login
index 15dcbd8..b12e317 100644
--- a/package/base-files/files/lib/preinit/99_10_failsafe_login
+++ b/package/base-files/files/lib/preinit/99_10_failsafe_login
@@ -1,9 +1,10 @@
#!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
failsafe_netlogin () {
- telnetd -l /bin/login.sh <> /dev/null 2>&1
+ dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+ dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
}
failsafe_shell() {
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8988e0d..f140f36 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index f3931b0..805a096 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,6 +18,17 @@
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+
+ /* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644
index 0000000..7c67b08
--- /dev/null
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+ AUTH_METHOD_NONE_LEN) == 0) {
+ TRACE(("recv_msg_userauth_request: 'none' request"))
+ if (valid_user
+- && svr_opts.allowblankpass
++ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ && !svr_opts.noauthpass
+ && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
+ && ses.authstate.pw_passwd[0] == '\0')
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644
index 0000000..ee6d273
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+ m_free(hostkey_file);
+ }
+
++ if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+ loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+ loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++ }
+
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ if (svr_opts.delay_hostkey) {
diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
index 7b4cd99..d961bfa 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
default n
config BUSYBOX_DEFAULT_TELNET
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
bool
default n
config BUSYBOX_DEFAULT_TELNETD
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
bool
- default y
+ default n
config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
bool
default n
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 9571d48..a65f44f 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -110,7 +110,6 @@ define Package/busybox/install
$(INSTALL_DIR) $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/* $(1)/
$(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
- $(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
-rm -rf $(1)/lib64
diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet
deleted file mode 100755
index a1d1cdf..0000000
--- a/package/utils/busybox/files/telnet
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
- local pwd=$([ -f "$1" ] && cat "$1")
- pwd="${pwd#*root:}"
- pwd="${pwd%%:*}"
-
- test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
- local homedir=$([ -f "$1" ] && cat "$1")
- homedir="${homedir#*:*:0:0:*:}"
-
- echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
- ( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
- ( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
- if ( ! has_ssh_pubkey && \
- ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
- ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
- then
- procd_open_instance
- procd_set_param command "$PROG" -F -l /bin/login.sh
- procd_close_instance
- fi
-}