FreifunkHochstift
/
gluon


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869
							From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Tue, 27 Sep 2016 03:55:55 +0200
Subject: dropbear: add a failsafe mode that will always allow password-less root login

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>

diff --git a/package/network/services/dropbear/patches/700-failsafe-mode.patch b/package/network/services/dropbear/patches/700-failsafe-mode.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c6e45423e2dba1258549a5bfe4b5a59ac32d73d8
--- /dev/null
+++ b/package/network/services/dropbear/patches/700-failsafe-mode.patch
@@ -0,0 +1,57 @@
+--- a/runopts.h
++++ b/runopts.h
+@@ -97,6 +97,8 @@ typedef struct svr_runopts {
+ 	int norootpass;
+ 	int allowblankpass;
+ 
++	int failsafe_mode;
++
+ #ifdef ENABLE_SVR_REMOTETCPFWD
+ 	int noremotetcp;
+ #endif
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,10 +149,11 @@ void recv_msg_userauth_request() {
+ 				AUTH_METHOD_NONE_LEN) == 0) {
+ 		TRACE(("recv_msg_userauth_request: 'none' request"))
+ 		if (valid_user
+-				&& (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+-				&& !svr_opts.noauthpass
+-				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+-				&& ses.authstate.pw_passwd[0] == '\0') 
++				&& ((svr_opts.failsafe_mode && !strcmp(ses.authstate.pw_name, "root"))
++				|| ((svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
++					&& !svr_opts.noauthpass
++					&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
++					&& ses.authstate.pw_passwd[0] == '\0')))
+ 		{
+			dropbear_log(LOG_NOTICE, 
+ 					"Auth succeeded with blank password for '%s' from %s",
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -72,6 +72,7 @@ static void printhelp(const char * progn
+ 					"-s		Disable password logins\n"
+ 					"-g		Disable password logins for root\n"
+ 					"-B		Allow blank password logins\n"
++					"-f		Failsafe mode: always allow password-less root login\n"
+ #endif
+ #ifdef ENABLE_SVR_LOCALTCPFWD
+ 					"-j		Disable local port forwarding\n"
+@@ -130,6 +131,7 @@ void svr_getopts(int argc, char ** argv)
+ 	svr_opts.noauthpass = 0;
+ 	svr_opts.norootpass = 0;
+ 	svr_opts.allowblankpass = 0;
++	svr_opts.failsafe_mode = 0;
+ 	svr_opts.inetdmode = 0;
+ 	svr_opts.portcount = 0;
+ 	svr_opts.hostkey = NULL;
+@@ -244,6 +246,9 @@ void svr_getopts(int argc, char ** argv)
+ 				case 'B':
+ 					svr_opts.allowblankpass = 1;
+ 					break;
++				case 'f':
++					svr_opts.failsafe_mode = 1;
++					break;
+ #endif
+ 				case 'h':
+ 					printhelp(argv[0]);