Commit Graph

25 Commits (909f0630663d7ae1471c76154516e3299992a150)

Author SHA1 Message Date
Matthias Schiffer 77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Kevin Darbyshire-Bryant 96f0bbe91d dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
2016-09-10 12:17:39 +02:00
Jo-Philipp Wich 4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
Dario Ernst 4d1c75c601 dropbear: Fix incorrect CONFIG_TARGET_INIT_PATH.
Fix a „semantic typo“ introduced in b78aae793e,
where TARGET_INIT_PATH was used instead of CONFIG_TARGET_INIT_PATH.

Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
2016-05-24 16:31:17 +02:00
Jo-Philipp Wich 1c61b21489 dropbear: update to 2016.73
Update the dropbear package to version 2016.73, refresh patches.
The measured .ipk sizes on an x86_64 build are:

  94588	dropbear_2015.71-3_x86_64.ipk
  95316	dropbear_2016.73-1_x86_64.ipk

This is an increase of roughly 700 bytes after compression.

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-05-13 10:23:52 +02:00
Hans Dedecker 861266c9ec dropbear: Add --disable-utmpx again
The option --disable-utmpx was deleted by accident in commit 7545c1d;
add it again to the CONFIGURE_ARGS list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-05-12 03:29:35 +02:00
Hans Dedecker 16122117a5 dropbear: Add procd interface triggers when interface config is specified
A dropbear instance having an interface config won't start if the interface is down as no
IP address is available.
Adding interface triggers for each configured interface executing the dropbear reload script
will start the dropbear instance when the interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:49:37 +02:00
Hans Dedecker 7545c1d96b dropbear: Make utmp and putuline support configurable via seperate config options
Utmp support tracks who is currenlty logged in by logging info to the file /var/run/utmp (supported by busybox)
Putuline support will use the utmp structure to write to the utmp file

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:47:48 +02:00
Jo-Philipp Wich b78aae793e dropbear: honor CONFIG_TARGET_INIT_PATH
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48679
2016-02-08 14:28:57 +00:00
Felix Fietkau 64c23711ea dropbear: update version to 2015.71
Update dropbear to version 2015.71, released on 3 Dec 2015.
Refresh patches.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 48243
2016-01-15 11:24:09 +00:00
Felix Fietkau 1455b5b89a dropbear: split out curve25519 support into a separate config option
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48195
2016-01-10 22:38:53 +00:00
Steven Barth 8a7a939470 dropbear: remove generation and configuration of DSS keys
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46815
2015-09-08 08:59:40 +00:00
Steven Barth d196b1fc2e Disable telnet in favor of passwordless SSH
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46809
2015-09-07 19:29:25 +00:00
Steven Barth a0d06f65ae dropbear: bump to 2015.68
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46769
2015-09-02 11:48:57 +00:00
Steven Barth af4d04ed36 dropbear: update to 2015.67
fixes dbclient login into OpenSSH 6.8p1
error: "Bad hostkey signature"

reported on irc, replicated with Arch Linux

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 45493
2015-04-18 11:25:01 +00:00
Nicolas Thill f4417f7ad8 package/*: replace occurences of 'ln -sf' to '$(LN)'
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 43205
2014-11-06 19:35:34 +00:00
Jonas Gorski bb6905bd23 dropbear: restore performance by disabling mips16
Disable MIPS16 to prevent it negatively affecting performance.
Observed was a increase of connection delay from ~6 to ~11 seconds
and a reduction of scp speed from 1.1MB/s to 710kB/s on brcm63xx.

Fixes #15209.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>

SVN-Revision: 42250
2014-08-21 11:29:04 +00:00
Steven Barth ff6363dc19 dropbear: update to 2014.65
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42131
2014-08-11 13:02:43 +00:00
Felix Fietkau 3ecffab050 dropbear: move options.h editing to Build/Configure
fixes incremental build with change to CONFIG_DROPBEAR_ECC
drop --with-shared which is unknown to configure

Patch by Catalin Patulea <cat@vv.carleton.ca>

SVN-Revision: 40300
2014-03-29 17:10:52 +00:00
Felix Fietkau ad52658be7 dropbear: update to 2014.63
Upstream changelog:
https://matt.ucc.asn.au/dropbear/CHANGES

This adds elliptic curve cryptography (ECC) support as an option, disabled
by default.

dropbear mips 34kc uClibc binary size:
before: 161,672 bytes
after, without ECC (default): 164,968
after, with ECC: 198,008

Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>

SVN-Revision: 40297
2014-03-29 16:59:26 +00:00
Jo-Philipp Wich fce216ac7e dropbear: add dropbear.nl mirror, provided by dropbear maintainer
Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>

SVN-Revision: 38413
2013-10-15 13:10:32 +00:00
Jo-Philipp Wich 61e83f9c29 dropbear: update to 2013.59 (released 4 october 2013)
- drop mirror www.mirrors.wiretapped.net (not working anymore)
- drop patch 300-ipv6_addr_port_split.patch, included upstream
- refresh patches
- various upstream changes: http://matt.ucc.asn.au/dropbear/CHANGES

Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>

SVN-Revision: 38356
2013-10-10 14:42:05 +00:00
Florian Fainelli 9e355444a6 dropbear: update to 2012.55 and refresh patches
Upstream has a few code cleanups, more eagerly burns sensitive memory and
includes the fix for CVE-2012-0920. Full changelog:
https://matt.ucc.asn.au/dropbear/CHANGES

Local changes:
- Removed PKG_MULTI which is no longer in options.h (even before 2011.54)
- Merged DO_HOST_LOOKUP into 120-openwrt_options.patch
- Removed LD from make opts (now included in TARGET_CONFIGURE_OPTS)
- Removed 400-CVE-2012-0920.patch which is included in 2012.55

Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
Signed-off-by: Florian Fainelli <florian@openwrt.org>

SVN-Revision: 34496
2012-12-04 16:40:17 +00:00
Hamish Guthrie 81a3d9ba31 licensing: Add licensing metadata to many packages Two new variables are introduces to many packages, namely PKG_LICENSE and PKG_LICENSE_FILES - there may be more than one license applied to packages, and these are listed in the PKG_LICENSE variable and separated by spaces. All relevant license files are also added to the PKG_LICENSE_FILES variable, also space separated.
The licensing metadata is put into the bin/<platform>/packages/Packages file
for later parsing. A script for that is on it's way!

SVN-Revision: 33861
2012-10-19 15:34:28 +00:00
Felix Fietkau 405e21d167 packages: sort network related packages into package/network/
SVN-Revision: 33688
2012-10-10 12:32:29 +00:00