1From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
2From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
3Date: Thu, 19 Aug 2021 17:37:14 +0200
4Subject: [PATCH] added option to disable trivial auth methods (#128)
5
6* added option to disable trivial auth methods
7
8* rename argument to match with other ssh clients
9
10* fixed trivial auth detection for pubkeys
11
12[https://github.com/mkj/dropbear/pull/128]
13Upstream-Status: Backport
14CVE: CVE-2021-36369
15Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
16
17---
18 cli-auth.c | 3 +++
19 cli-authinteract.c | 1 +
20 cli-authpasswd.c | 2 +-
21 cli-authpubkey.c | 1 +
22 cli-runopts.c | 7 +++++++
23 cli-session.c | 1 +
24 runopts.h | 1 +
25 session.h | 1 +
26 8 files changed, 16 insertions(+), 1 deletion(-)
27
28diff --git a/cli-auth.c b/cli-auth.c
29index 2e509e5..6f04495 100644
30--- a/cli-auth.c
31+++ b/cli-auth.c
32@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
33 if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
34
35 TRACE(("received msg_userauth_success"))
36+ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
37+ dropbear_exit("trivial authentication not allowed");
38+ }
39 /* Note: in delayed-zlib mode, setting authdone here
40 * will enable compression in the transport layer */
41 ses.authstate.authdone = 1;
42diff --git a/cli-authinteract.c b/cli-authinteract.c
43index e1cc9a1..f7128ee 100644
44--- a/cli-authinteract.c
45+++ b/cli-authinteract.c
46@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
47 m_free(instruction);
48
49 for (i = 0; i < num_prompts; i++) {
50+ cli_ses.is_trivial_auth = 0;
51 unsigned int response_len = 0;
52 prompt = buf_getstring(ses.payload, NULL);
53 cleantext(prompt);
54diff --git a/cli-authpasswd.c b/cli-authpasswd.c
55index 00fdd8b..a24d43e 100644
56--- a/cli-authpasswd.c
57+++ b/cli-authpasswd.c
58@@ -155,7 +155,7 @@ void cli_auth_password() {
59
60 encrypt_packet();
61 m_burn(password, strlen(password));
62-
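Review bot: The new check in recv_msg_userauth_success() never says what "trivial" means, and `is_trivial_auth` is declared in the session.h hunk at the end of this patch without a comment either, unlike the fields next to it. Going by the other hunks, the flag starts at 1 and is cleared only once the client has sent a password, reached a keyboard-interactive prompt or sent a pubkey signature, so the check fires when the server reports success with none of those having happened. I would put `/* server reported success although we never sent a password, prompt response or signature */` above the `if`, and give the field a matching one-line comment in session.h. The function body starts and ends outside the hunk.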
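Review bot: In the cli-authinteract.c hunk the added `cli_ses.is_trivial_auth = 0;` sits ahead of the declaration `unsigned int response_len = 0;`, which previously opened the loop body, so the block now has a statement before a declaration. Moving the assignment one line down, below `response_len`, avoids a declaration-after-statement warning under stricter compiler settings and changes nothing else. Clearing the flag only inside the loop looks intentional, since an info request with zero prompts asks nothing of the user; a short comment saying so would keep a later cleanup from hoisting it out. recv_msg_userauth_info_request() continues outside the hunk.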
63+ cli_ses.is_trivial_auth = 0;
64 TRACE(("leave cli_auth_password"))
65 }
66 #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
67diff --git a/cli-authpubkey.c b/cli-authpubkey.c
68index 42c4e3f..fa01807 100644
69--- a/cli-authpubkey.c
70+++ b/cli-authpubkey.c
71@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
72 buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
73 cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
74 buf_free(sigbuf); /* Nothing confidential in the buffer */
75+ cli_ses.is_trivial_auth = 0;
76 }
77
78 encrypt_packet();
79diff --git a/cli-runopts.c b/cli-runopts.c
80index 3654b9a..255b47e 100644
81--- a/cli-runopts.c
82+++ b/cli-runopts.c
83@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
84 #if DROPBEAR_CLI_ANYTCPFWD
85 cli_opts.exit_on_fwd_failure = 0;
86 #endif
87+ cli_opts.disable_trivial_auth = 0;
88 #if DROPBEAR_CLI_LOCALTCPFWD
89 cli_opts.localfwds = list_new();
90 opts.listen_fwd_all = 0;
91@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
92 #if DROPBEAR_CLI_ANYTCPFWD
93 "\tExitOnForwardFailure\n"
94 #endif
95+ "\tDisableTrivialAuth\n"
96 #ifndef DISABLE_SYSLOG
97 "\tUseSyslog\n"
98 #endif
99@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
100 return;
101 }
102
103+ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
104+ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
105+ return;
106+ }
107+
108 dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
109 }
110diff --git a/cli-session.c b/cli-session.c
111index 5e5af22..afb54a1 100644
112--- a/cli-session.c
113+++ b/cli-session.c
114@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
115 /* Auth */
116 cli_ses.lastprivkey = NULL;
117 cli_ses.lastauthtype = 0;
118+ cli_ses.is_trivial_auth = 1;
119
120 /* For printing "remote host closed" for the user */
121 ses.remoteclosed = 
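Review bot: The assignment added to send_msg_userauth_pubkey() sits just before the closing brace of the block that calls cli_buf_put_sign(), so the flag is cleared only when a signature is actually sent, and nothing in the code says why. That placement appears to be the "fixed trivial auth detection for pubkeys" item from the commit message. A comment such as `/* only a signed request counts; a bare key query proves nothing */` would stop a later cleanup from moving the line out of the block. The condition guarding that block is outside the hunk, so this reading should be confirmed against the full function.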
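Review bot: cli_getopts() initialises `cli_opts.disable_trivial_auth = 0;`, so the check this patch adds to recv_msg_userauth_success() is inert unless the user sets the `DisableTrivialAuth` extended option; a client started with default options still accepts a success message with no credential sent. If the default has to stay off for compatibility with servers that legitimately allow login without credentials, say so in a comment next to the initialiser, e.g. `/* off by default: opt in with DisableTrivialAuth */`, and in the client documentation, which this patch does not touch. The value comes from parse_flag_value(optstr), whose handling of a malformed value is not visible here. Both cli_getopts() and add_extendedopt() extend beyond these hunks.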
cli_remoteclosed;
122diff --git a/runopts.h b/runopts.h
123index 6a4a94c..01201d2 100644
124--- a/runopts.h
125+++ b/runopts.h
126@@ -159,6 +159,7 @@ typedef struct cli_runopts {
127 #if DROPBEAR_CLI_ANYTCPFWD
128 int exit_on_fwd_failure;
129 #endif
130+ int disable_trivial_auth;
131 #if DROPBEAR_CLI_REMOTETCPFWD
132 m_list * remotefwds;
133 #endif
134diff --git a/session.h b/session.h
135index fb5b8cb..6706592 100644
136--- a/session.h
137+++ b/session.h
138@@ -316,6 +316,7 @@ struct clientsession {
139
140 int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
141 for the last type of auth we tried */
142+ int is_trivial_auth;
143 int ignore_next_auth_response;
144 #if DROPBEAR_CLI_INTERACT_AUTH
145 int auth_interact_failed; /* flag whether interactive auth can still
146