summaryrefslogtreecommitdiff
path: root/svr-chansession.c
Commit message (Collapse)AuthorAgeFilesLines
* Add /usr/sbin and /sbin to default root PATHRaphael Hertzog2018-07-091-1/+5
| | | | | | | | | | | | | | | | | | | | | | | When dropbear is used in a very restricted environment (such as in a initrd), the default user shell is often also very restricted and doesn't take care of setting the PATH so the user ends up with the PATH set by dropbear. Unfortunately, dropbear always sets "/usr/bin:/bin" as default PATH even for the root user which should have /usr/sbin and /sbin too. For a concrete instance of this problem, see the "Remote Unlocking" section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/ It speaks of a bug in the initramfs script because it's written "blkid" instead of "/sbin/blkid"... this is just because the scripts from the initramfs do not expect to have a PATH without the sbin directories and because dropbear is not setting the PATH appropriately for the root user. I'm thus suggesting to use the attached patch to fix this misbehaviour (I did not test it, but it's easy enough). It might seem anecdotic but multiple Kali users have been bitten by this. From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
* Expand home path for MOTD fileBegley Brothers Inc2020-07-091-1/+5
| | | | | | Patch modified by Matt Johnston Signed-off-by: Begley Brothers Inc <begleybrothers@gmail.com>
* Allow user space file locations (rootless support)Begley Brothers Inc2020-07-091-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Why: Running dropbear as a user (rootless) is aided if files and programs can be saved/removed without needing sudo. What: Use the same convention as DROPBEAR_DEFAULT_CLI_AUTHKEY; if not starting with '/', then is relative to hedge's /home/hedge: *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH default_options.h commentary added. Changes kept to a minimum, so log entry in svr_kex.c#163 is refactored. From: Generated hostkey is <path> ... <finger-print> to: Generated hostkey path is <path> Generated hostkey fingerprint is <fp> Otherwise the unexpanded path was reported. Patch modified by Matt Johnston Signed-off-by: Begley Brothers Inc <begleybrothers@gmail.com>
* set envvar SSH_PUBKEYINFO if authstate.pubkey_info contains informationHansH1112022-03-131-0/+3
|
* Make missing homedir non-fatal, instead use /Matt Johnston2022-02-241-1/+6
| | | | Fixes github #146
* Add re-exec for serverMatt Johnston2022-01-301-3/+0
| | | | | | | | | | | | This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work though have not been tested.
* Leave non-interactive at default QoS classMatt Johnston2022-01-271-2/+3
| | | | | | | | Lower class levels are less well defined, and non-interactive SSH can carry various different types of applications. This change also sets lowdelay class (AF21) earlier in an an outbound dbclient session
* Fix accidentally committed debug messageMatt Johnston2022-01-221-1/+0
| | | | | Was added Oct 18 2021 "Only redirect stderr after the session login."
* Only redirect stderr after the session login. That lets errorsMatt Johnston2021-10-181-4/+12
| | | | | get recorded on the server parent side, rather than being sent over a SSH connection.
* Bring back recently removed channel->flushingMatt Johnston2021-10-141-2/+6
| | | | | This resolves the "sleep 10&echo hello" case which should return immediately
* MergeMatt Johnston2021-10-111-6/+17
|\
| * keep LANG env variable for child process (#111)fidomax2021-08-191-0/+9
| |
| * pass on sever process environment to child processes (option -e) (#118)Roland Vollgraf2021-08-191-6/+8
| |
* | Replace ChanType.sepfds with Channel.bidir_fdMatt Johnston2021-10-111-1/+2
| | | | | | | | | | | | | | | | This handles the case where a svrchansess has separate FDs for nopty, but a single FD for pty mode. The use of sepfds was also previously incorrect for X11 and agent forwarding
* | - Remove "flushing" handling for exited processes, it should beMatt Johnston2021-10-111-2/+4
| | | | | | | | | | | | | | handled by normal file descriptor reads. - Fix sesscheckclose() handling if a channel was closed before a process was ever launched
* | Move comment to svr_chansess_checksignal() where it belongsMatt Johnston2021-10-111-9/+8
|/
* Prevent multiple shells being spawnedMatt Johnston2021-03-061-2/+7
| | | | | Existing shells would be leaked. The old check only caught multiple commands, not shells.
* small tidy of "signal" while loopMatt Johnston2021-03-061-3/+1
|
* fuzz: wrap kill()Matt Johnston2021-01-291-0/+4
|
* Avoid gnu extension conditional operatorMatt Johnston2020-10-081-1/+5
|
* Set SSH_ORIGINAL_COMMAND for "dropbear -c" too, fix build withoutMatt Johnston2020-03-141-6/+1
| | | | DROPBEAR_SVR_PUBKEY_OPTIONS
* Support servers without multiple user support (#76)Patrick Stewart2019-03-201-0/+2
|
* Split ChanType closehandler() and cleanup() so that dbclient doesn'tMatt Johnston2018-11-141-4/+21
| | | | lose exit status messages
* more linting (#55)Fran?ois Perrad2018-02-171-2/+2
| | | | | | | | * dropbear_exit: remove priority parameter confusion with dropbear_log() * const parameter
* options: Complete the transition to numeric toggles (`#if')Michael Witten2017-07-201-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For the sake of review, this commit alters only the code; the affiliated comments within the source files also need to be updated, but doing so now would obscure the operational changes that have been made here. * All on/off options have been switched to the numeric `#if' variant; that is the only way to make this `default_options.h.in' thing work in a reasonable manner. * There is now some very minor compile-time checking of the user's choice of options. * NO_FAST_EXPTMOD doesn't seem to be used, so it has been removed. * ENABLE_USER_ALGO_LIST was supposed to be renamed DROPBEAR_USER_ALGO_LIST, and this commit completes that work. * DROPBEAR_FUZZ seems to be a relatively new, as-yet undocumented option, which was added by the following commit: commit 6e0b539e9ca0b5628c6c5a3d118ad6a2e79e8039 Author: Matt Johnston <matt@ucc.asn.au> Date: Tue May 23 22:29:21 2017 +0800 split out checkpubkey_line() separately It has now been added to `sysoptions.h' and defined as `0' by default. * The configuration option `DROPBEAR_PASSWORD_ENV' is no longer listed in `default_options.h.in'; it is no longer meant to be set by the user, and is instead left to be defined in `sysoptions.h' (where it was already being defined) as merely the name of the environment variable in question: DROPBEAR_PASSWORD To enable or disable use of that environment variable, the user must now toggle `DROPBEAR_USE_DROPBEAR_PASSWORD'. * The sFTP support is now toggled by setting `DROPBEAR_SFTPSERVER', and the path of the sFTP server program is set independently through the usual SFTPSERVER_PATH.
* fix compile warningsMatt Johnston2018-02-141-4/+3
|
* make signal flags volatile, simplify handlingMatt Johnston2018-02-141-36/+42
|
* Pointer parameter could be declared as pointing to const (callback)Francois Perrad2017-08-191-4/+4
|
* Pointer parameter could be declared as pointing to constFrancois Perrad2017-08-191-19/+19
|
* initialize variableFrancois Perrad2016-01-011-1/+1
|
* Convert #ifdef to #if, other build changesMatt Johnston2016-05-041-15/+15
|
* Add -c <command> option to force a specific commandJeremy Kerr2016-04-121-2/+10
| | | | | | | | | | | | | | This change adds a -c option to dropbear, to force the session to use a specific command, in a similar fashion to OpenSSH's ForceCommand configuration option. This is useful to provide a simple fixed service over ssh, without requiring an authorized key file for the per-key forced_command option. This setting takes precedence over the channel session's provided command, and the per-key forced_command setting. Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* Don't display the MOTD when an explicit command is run.Guilhem Moulin2015-10-211-1/+1
| | | | | | (possibly via authorized_keys(5) restrictions), even when a pseudo-terminal has been allocated for the session. In other words, only display the MOTD when the server starts the user's default shell.
* buf_getstring and buf_putstring now use non-unsigned char*Matt Johnston2015-06-041-9/+9
|
* Turn signame local variable into char *Ga?l PORTAY2015-05-021-3/+3
|
* Turn ChanSess's cmd attribute into char *Ga?l PORTAY2015-05-021-1/+1
|
* Turn type local variable into char *Ga?l PORTAY2015-05-031-2/+2
|
* Turn ChanSess's tty and term attributes into char *Ga?l PORTAY2015-05-021-2/+2
|
* Fix pointer differ in signess warnings [-Werror=pointer-sign]Ga?l PORTAY2015-05-021-5/+5
|
* Fix unused make_connection_string() warning [-Werror=unused-function]Ga?l PORTAY2015-05-021-0/+2
| | | | This function is used when USE_VFORK is unset.
* Revert accidental commented out signal handlersMatt Johnston2015-02-241-4/+0
|
* Free memory before exiting. Based on patch from Thorsten Horstmann.Matt Johnston2015-02-241-0/+4
| | | | Client side is not complete.
* Fix for old compilers, variable declarations at beginning of functionsThorsten Horstmann2015-02-241-1/+1
| | | | and /**/ comments
* Combine code for SSH_CONNECTION and SSH_CLIENTMatt Johnston2014-10-211-22/+13
|
* Add SSH_CLIENT environment variableRyan Cleere2014-10-201-0/+22
|
* Make keepalive handling more robust, this should now match what OpenSSH doesMatt Johnston2014-08-191-10/+9
|
* Make sure the check_close() handler runs when a server child process exitsMatt Johnston2014-07-281-0/+3
|
* Set tcp priority as follows:Matt Johnston2014-07-161-1/+6
| | | | | | | | if (connecting || ptys || x11) tos = LOWDELAY; else if (tcp_forwards) tos = 0; else tos = BULK; TCP forwards could be either lowdelay or bulk, hence the default priority.
* - Save errno in signal handlersMatt Johnston2014-02-151-0/+4
| | | | - Use _exit() in segv handler
* - Sockets are set to lowdelay priority initially to improve conneciton setupMatt Johnston2013-12-031-2/+1
| | | | | time - Set non-pty connections to bulk for client and server
View Lorry Controller Status