diff options
author | Paul Eggleton <paul.eggleton@linux.intel.com> | 2013-01-16 17:00:11 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2013-01-18 13:01:52 +0000 |
commit | 313039590171456b652fa7a2f5823c9b7060b20f (patch) | |
tree | 1dccc21b6697abb0bd6bbd707aac755a8dc4a2ae | |
parent | 510e377f252dece8850487c30482f83df4a89c7e (diff) | |
download | openembedded-core-313039590171456b652fa7a2f5823c9b7060b20f.tar.gz openembedded-core-313039590171456b652fa7a2f5823c9b7060b20f.tar.bz2 openembedded-core-313039590171456b652fa7a2f5823c9b7060b20f.zip |
dropbear: allow configuring blank password option at runtime
Instead of using IMAGE_FEATURES to control something within a recipe,
allow this to be set at runtime, avoiding the need to rebuild dropbear
when we want to change this option.
First half of the fix for [YOCTO #2578].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
-rw-r--r-- | meta/recipes-core/dropbear/dropbear.inc | 6 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/allow-nopw.patch | 19 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/nopw-option.patch | 106 |
3 files changed, 108 insertions, 23 deletions
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index aa313df316..3e430f22bf 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation" HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" SECTION = "console/network" -INC_PR = "r0" +INC_PR = "r1" # some files are from other projects and have others license terms: # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY @@ -18,7 +18,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.gz \ file://dropbear-0.53.1-static_build_fix.patch \ file://configure.patch \ file://fix-2kb-keys.patch \ - ${@base_contains("DISTRO_TYPE", "debug", "file://allow-nopw.patch", "",d)} \ + file://nopw-option.patch \ file://init \ ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} " @@ -40,8 +40,6 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' EXTRA_OECONF += "\ ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}" - do_install() { install -d ${D}${sysconfdir} \ ${D}${sysconfdir}/init.d \ diff --git a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch b/meta/recipes-core/dropbear/dropbear/allow-nopw.patch deleted file mode 100644 index a175ee14da..0000000000 --- a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch +++ /dev/null @@ -1,19 +0,0 @@ -Enable blank password login function for new release dropbear. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Mei Lei <lei.mei@intel.com> - -diff --git a/options.h b/options.h -index 73689ad..041ddaa 100644 ---- a/options.h -+++ b/options.h -@@ -180,7 +180,7 @@ much traffic. */ - * Public key logins are allowed for blank-password accounts regardless of this - * setting. PAM is not affected by this setting, it uses the normal pam.d - * settings ('nullok' option) */ --/* #define ALLOW_BLANK_PASSWORD */ -+#define ALLOW_BLANK_PASSWORD - - #define ENABLE_CLI_PASSWORD_AUTH - #define ENABLE_CLI_PUBKEY_AUTH diff --git a/meta/recipes-core/dropbear/dropbear/nopw-option.patch b/meta/recipes-core/dropbear/dropbear/nopw-option.patch new file mode 100644 index 0000000000..e7fcbb3f69 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/nopw-option.patch @@ -0,0 +1,106 @@ +Allow configuring "allow blank password option" at runtime + +Changes this from a compile-time switch to a command-line option. + +Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> + +Upstream-Status: Pending + +diff --git a/options.h b/options.h +index 00f6179..b8d0ccb 100644 +--- a/options.h ++++ b/options.h +@@ -176,12 +176,6 @@ much traffic. */ + #define ENABLE_SVR_PUBKEY_OPTIONS + #endif + +-/* Define this to allow logging in to accounts that have no password specified. +- * Public key logins are allowed for blank-password accounts regardless of this +- * setting. PAM is not affected by this setting, it uses the normal pam.d +- * settings ('nullok' option) */ +-/* #define ALLOW_BLANK_PASSWORD */ +- + #define ENABLE_CLI_PASSWORD_AUTH + #define ENABLE_CLI_PUBKEY_AUTH + #define ENABLE_CLI_INTERACT_AUTH +diff --git a/runopts.h b/runopts.h +index 83b5861..126585b 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -85,6 +85,7 @@ typedef struct svr_runopts { + + int noauthpass; + int norootpass; ++ int allowblankpass; + + #ifdef ENABLE_SVR_REMOTETCPFWD + int noremotetcp; +diff --git a/svr-authpasswd.c b/svr-authpasswd.c +index 54b4889..d9b7928 100644 +--- a/svr-authpasswd.c ++++ b/svr-authpasswd.c +@@ -29,6 +29,7 @@ + #include "buffer.h" + #include "dbutil.h" + #include "auth.h" ++#include "runopts.h" + + #ifdef ENABLE_SVR_PASSWORD_AUTH + +@@ -78,16 +79,17 @@ void svr_auth_password() { + + /* check for empty password */ + if (passwdcrypt[0] == '\0') { +-#ifdef ALLOW_BLANK_PASSWORD +- if (passwordlen == 0) { +- success_blank = 1; ++ if (svr_opts.allowblankpass) { ++ if (passwordlen == 0) { ++ success_blank = 1; ++ } ++ } ++ else { ++ dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", ++ ses.authstate.pw_name); ++ send_msg_userauth_failure(0, 1); ++ return; + } +-#else +- dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", +- ses.authstate.pw_name); +- send_msg_userauth_failure(0, 1); +- return; +-#endif + } + + if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) { +diff --git a/svr-runopts.c b/svr-runopts.c +index c6e3508..b39ffb2 100644 +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -63,6 +63,7 @@ static void printhelp(const char * progname) { + #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH) + "-s Disable password logins\n" + "-g Disable password logins for root\n" ++ "-B Allow blank password logins\n" + #endif + #ifdef ENABLE_SVR_LOCALTCPFWD + "-j Disable local port forwarding\n" +@@ -115,6 +116,7 @@ void svr_getopts(int argc, char ** argv) { + svr_opts.norootlogin = 0; + svr_opts.noauthpass = 0; + svr_opts.norootpass = 0; ++ svr_opts.allowblankpass = 0; + svr_opts.inetdmode = 0; + svr_opts.portcount = 0; + svr_opts.hostkey = NULL; +@@ -234,6 +236,9 @@ void svr_getopts(int argc, char ** argv) { + case 'g': + svr_opts.norootpass = 1; + break; ++ case 'B': ++ svr_opts.allowblankpass = 1; ++ break; + #endif + case 'h': + printhelp(argv[0]); |