diff options
| -rw-r--r-- | cli-auth.c | 3 | ||||
| -rw-r--r-- | cli-authinteract.c | 1 | ||||
| -rw-r--r-- | cli-authpasswd.c | 2 | ||||
| -rw-r--r-- | cli-authpubkey.c | 1 | ||||
| -rw-r--r-- | cli-runopts.c | 7 | ||||
| -rw-r--r-- | cli-session.c | 1 | ||||
| -rw-r--r-- | runopts.h | 1 | ||||
| -rw-r--r-- | session.h | 1 |
8 files changed, 16 insertions, 1 deletions
@@ -261,6 +261,9 @@ void recv_msg_userauth_success() { if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ TRACE(("received msg_userauth_success")) + if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) { + dropbear_exit("trivial authentication not allowed"); + } /* Note: in delayed-zlib mode, setting authdone here * will enable compression in the transport layer */ ses.authstate.authdone = 1; diff --git a/cli-authinteract.c b/cli-authinteract.c index e1cc9a1..f7128ee 100644 --- a/cli-authinteract.c +++ b/cli-authinteract.c @@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() { m_free(instruction); for (i = 0; i < num_prompts; i++) { + cli_ses.is_trivial_auth = 0; unsigned int response_len = 0; prompt = buf_getstring(ses.payload, NULL); cleantext(prompt); diff --git a/cli-authpasswd.c b/cli-authpasswd.c index 00fdd8b..a24d43e 100644 --- a/cli-authpasswd.c +++ b/cli-authpasswd.c @@ -155,7 +155,7 @@ void cli_auth_password() { encrypt_packet(); m_burn(password, strlen(password)); - + cli_ses.is_trivial_auth = 0; TRACE(("leave cli_auth_password")) } #endif /* DROPBEAR_CLI_PASSWORD_AUTH */ diff --git a/cli-authpubkey.c b/cli-authpubkey.c index 28c54fa..c0da77f 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); buf_free(sigbuf); /* Nothing confidential in the buffer */ + cli_ses.is_trivial_auth = 0; } encrypt_packet(); diff --git a/cli-runopts.c b/cli-runopts.c index 3654b9a..255b47e 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) { #if DROPBEAR_CLI_ANYTCPFWD cli_opts.exit_on_fwd_failure = 0; #endif + cli_opts.disable_trivial_auth = 0; #if DROPBEAR_CLI_LOCALTCPFWD cli_opts.localfwds = list_new(); opts.listen_fwd_all = 0; @@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) { #if DROPBEAR_CLI_ANYTCPFWD "\tExitOnForwardFailure\n" #endif + "\tDisableTrivialAuth\n" #ifndef DISABLE_SYSLOG "\tUseSyslog\n" #endif @@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) { return; } + if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) { + cli_opts.disable_trivial_auth = parse_flag_value(optstr); + return; + } + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); } diff --git a/cli-session.c b/cli-session.c index 699286d..eee760e 100644 --- a/cli-session.c +++ b/cli-session.c @@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) { /* Auth */ cli_ses.lastprivkey = NULL; cli_ses.lastauthtype = 0; + cli_ses.is_trivial_auth = 1; /* For printing "remote host closed" for the user */ ses.remoteclosed = cli_remoteclosed; @@ -161,6 +161,7 @@ typedef struct cli_runopts { #if DROPBEAR_CLI_ANYTCPFWD int exit_on_fwd_failure; #endif + int disable_trivial_auth; #if DROPBEAR_CLI_REMOTETCPFWD m_list * remotefwds; #endif @@ -316,6 +316,7 @@ struct clientsession { int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, for the last type of auth we tried */ + int is_trivial_auth; int ignore_next_auth_response; #if DROPBEAR_CLI_INTERACT_AUTH int auth_interact_failed; /* flag whether interactive auth can still |