From 210a9833496ed2a93b8da93924874938127ce0b5 Mon Sep 17 00:00:00 2001 From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com> Date: Thu, 19 Aug 2021 17:37:14 +0200 Subject: added option to disable trivial auth methods (#128) * added option to disable trivial auth methods * rename argument to match with other ssh clients * fixed trivial auth detection for pubkeys --- cli-auth.c | 3 +++ cli-authinteract.c | 1 + cli-authpasswd.c | 2 +- cli-authpubkey.c | 1 + cli-runopts.c | 7 +++++++ cli-session.c | 1 + runopts.h | 1 + session.h | 1 + 8 files changed, 16 insertions(+), 1 deletion(-) diff --git a/cli-auth.c b/cli-auth.c index 5fcacc3..5179230 100644 --- a/cli-auth.c +++ b/cli-auth.c @@ -261,6 +261,9 @@ void recv_msg_userauth_success() { if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ TRACE(("received msg_userauth_success")) + if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) { + dropbear_exit("trivial authentication not allowed"); + } /* Note: in delayed-zlib mode, setting authdone here * will enable compression in the transport layer */ ses.authstate.authdone = 1; diff --git a/cli-authinteract.c b/cli-authinteract.c index e1cc9a1..f7128ee 100644 --- a/cli-authinteract.c +++ b/cli-authinteract.c @@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() { m_free(instruction); for (i = 0; i < num_prompts; i++) { + cli_ses.is_trivial_auth = 0; unsigned int response_len = 0; prompt = buf_getstring(ses.payload, NULL); cleantext(prompt); diff --git a/cli-authpasswd.c b/cli-authpasswd.c index 00fdd8b..a24d43e 100644 --- a/cli-authpasswd.c +++ b/cli-authpasswd.c @@ -155,7 +155,7 @@ void cli_auth_password() { encrypt_packet(); m_burn(password, strlen(password)); - + cli_ses.is_trivial_auth = 0; TRACE(("leave cli_auth_password")) } #endif /* DROPBEAR_CLI_PASSWORD_AUTH */ diff --git a/cli-authpubkey.c b/cli-authpubkey.c index 28c54fa..c0da77f 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); buf_free(sigbuf); /* Nothing confidential in the buffer */ + cli_ses.is_trivial_auth = 0; } encrypt_packet(); diff --git a/cli-runopts.c b/cli-runopts.c index 3654b9a..255b47e 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) { #if DROPBEAR_CLI_ANYTCPFWD cli_opts.exit_on_fwd_failure = 0; #endif + cli_opts.disable_trivial_auth = 0; #if DROPBEAR_CLI_LOCALTCPFWD cli_opts.localfwds = list_new(); opts.listen_fwd_all = 0; @@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) { #if DROPBEAR_CLI_ANYTCPFWD "\tExitOnForwardFailure\n" #endif + "\tDisableTrivialAuth\n" #ifndef DISABLE_SYSLOG "\tUseSyslog\n" #endif @@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) { return; } + if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) { + cli_opts.disable_trivial_auth = parse_flag_value(optstr); + return; + } + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); } diff --git a/cli-session.c b/cli-session.c index 699286d..eee760e 100644 --- a/cli-session.c +++ b/cli-session.c @@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) { /* Auth */ cli_ses.lastprivkey = NULL; cli_ses.lastauthtype = 0; + cli_ses.is_trivial_auth = 1; /* For printing "remote host closed" for the user */ ses.remoteclosed = cli_remoteclosed; diff --git a/runopts.h b/runopts.h index f2ae8c6..af60877 100644 --- a/runopts.h +++ b/runopts.h @@ -161,6 +161,7 @@ typedef struct cli_runopts { #if DROPBEAR_CLI_ANYTCPFWD int exit_on_fwd_failure; #endif + int disable_trivial_auth; #if DROPBEAR_CLI_REMOTETCPFWD m_list * remotefwds; #endif diff --git a/session.h b/session.h index fb5b8cb..6706592 100644 --- a/session.h +++ b/session.h @@ -316,6 +316,7 @@ struct clientsession { int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, for the last type of auth we tried */ + int is_trivial_auth; int ignore_next_auth_response; #if DROPBEAR_CLI_INTERACT_AUTH int auth_interact_failed; /* flag whether interactive auth can still -- cgit v1.2.3