From 5b42d8ec15d1ed2b5e12f981a6af8d69d7b0efbc Mon Sep 17 00:00:00 2001 From: Brent Roman Date: Fri, 29 May 2020 16:45:07 -0700 Subject: [PATCH 1/7] MBARI version 2 for ESP embedded systems --- dbutil.c | 2 ++ dbutil.h | 8 +++++++- dropbear.geany | 36 ++++++++++++++++++++++++++++++++++++ localoptions.h | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 dropbear.geany create mode 100644 localoptions.h diff --git a/dbutil.c b/dbutil.c index 32920f793..6f9abc0a1 100644 --- a/dbutil.c +++ b/dbutil.c @@ -552,11 +552,13 @@ void setnonblocking(int fd) { TRACE(("leave setnonblocking")) } +#if !ALLOW_COREDUMPS void disallow_core() { struct rlimit lim; lim.rlim_cur = lim.rlim_max = 0; setrlimit(RLIMIT_CORE, &lim); } +#endif /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE, with the result in *val */ int m_str_to_uint(const char* str, unsigned int *val) { diff --git a/dbutil.h b/dbutil.h index 2a1c82c95..223eb64bf 100644 --- a/dbutil.h +++ b/dbutil.h @@ -68,7 +68,13 @@ int buf_getline(buffer * line, FILE * authfile); void m_close(int fd); void setnonblocking(int fd); -void disallow_core(void); + +#if ALLOW_COREDUMPS +# define disallow_core() +#else + void disallow_core(void); +#endif + int m_str_to_uint(const char* str, unsigned int *val); /* Used to force mp_ints to be initialised */ diff --git a/dropbear.geany b/dropbear.geany new file mode 100644 index 000000000..90f44d2fb --- /dev/null +++ b/dropbear.geany 
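Review bot: The `# define disallow_core()` no-op in the dbutil.h hunk removes the only thing that keeps a crashed dropbear from writing its memory — loaded host keys and session keys included — to a core file, and nothing near the macro says so; the dbutil.c hunk has the same silent dependence on the macro. Both `#if ALLOW_COREDUMPS` and `#if !ALLOW_COREDUMPS` evaluate an undefined name as 0, which is correct here but trips `-Wundef`; a `#ifndef ALLOW_COREDUMPS` / `#define ALLOW_COREDUMPS 0` default next to the declaration would make the intent explicit. I would put a comment above the `#if` in dbutil.h: `/* ALLOW_COREDUMPS=1 leaves RLIMIT_CORE untouched so a crash can dump process memory, including host and session keys, to disk; debug builds only. */`.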
@@ -0,0 +1,36 @@ +[editor] +line_wrapping=false +auto_continue_multiline=false +line_break_column=72 + +[file_prefs] +final_new_line=false +ensure_convert_new_lines=false +strip_trailing_spaces=true +replace_tabs=false + +[indentation] +indent_width=2 +indent_type=2 +indent_hard_tab_width=4 +detect_indent=true +detect_indent_width=true +indent_mode=3 + +[project] +name=dropbear +base_path=. +description= +file_patterns= + +[long line marker] +long_line_behaviour=1 +long_line_column=80 + +[prjorg] +source_patterns=*.c;*.C;*.cpp;*.cxx;*.c++;*.cc;*.m; +header_patterns=*.h;*.H;*.hpp;*.hxx;*.h++;*.hh; +ignored_dirs_patterns=.*;CVS; +ignored_file_patterns=*.o;*.obj;*.a;*.lib;*.so;*.dll;*.lo;*.la;*.class;*.jar;*.pyc;*.mo;*.gmo; +generate_tag_prefs=0 +external_dirs= diff --git a/localoptions.h b/localoptions.h new file mode 100644 index 000000000..910ae3ba7 --- /dev/null +++ b/localoptions.h 
@@ -0,0 +1,33 @@ +#ifndef DROPBEAR_LOCALOPTIONS_H +#define DROPBEAR_LOCALOPTIONS_H_ +/* + Local options override those in default_options.h for ESP Linux + revised 9/3/19 by Brent Roman, brent@mbari.org +*/ +#define DROPBEAR_VERSION "2019.78-mbari2" + +//do not disallow core dumps! +#define ALLOW_COREDUMPS 1 + +/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save + * several kB in binary size however will make the symmetrical ciphers and hashes + * slower, perhaps by 50%. Recommended for small systems that aren't doing + * much traffic. */ +#define DROPBEAR_SMALL_CODE 0 + +/* RSA must be >=1024 */ + //2048bit keys take up to 20minutes to generate on slow ARM9 processors! +#define DROPBEAR_DEFAULT_RSA_SIZE 1024 + +/* Disable X11 Forwarding */ +#define DROPBEAR_X11FWD 0 + +/* Enable the NONE CIPHER for use when encrpytion isn't needed */ +#define DROPBEAR_NONE_CIPHER 1 + +/* Save a network roundtrip by sending a real auth request immediately after + * sending a query for the available methods. This is not yet enabled by default + since it could cause problems with non-compliant servers */ +#define DROPBEAR_CLI_IMMEDIATE_AUTH 1 + +#endif /* DROPBEAR_LOCALOPTIONS_H_ */ From ddb85090d3307e81bb39e3c82b7aed4fc405f6f4 Mon Sep 17 00:00:00 2001 From: Brent Roman Date: Sat, 30 May 2020 01:07:33 -0700 Subject: [PATCH 2/7] added support for TCP Socket idle keepalives to client (server is next) --- cli-runopts.c | 159 +++++++++++++++++++++++++++---------------------- dropbear.geany | 22 ++++--- dropbearkey.c | 14 ++--- localoptions.h | 11 ++-- netio.c | 62 ++++++++++++------- runopts.h | 18 +++--- svr-auth.c | 34 +++++------ svr-runopts.c | 26 ++++---- 8 files changed, 198 insertions(+), 148 deletions(-) diff --git a/cli-runopts.c b/cli-runopts.c index 7d1fffe66..a11bed177 100644 --- a/cli-runopts.c +++ b/cli-runopts.c 
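Review bot: The include guard in the new localoptions.h never engages: the first line tests `DROPBEAR_LOCALOPTIONS_H` but the next line defines `DROPBEAR_LOCALOPTIONS_H_`, so a second inclusion re-enters the file and redefines every macro in it. The fix is to make the test match the definition, `#ifndef DROPBEAR_LOCALOPTIONS_H_`, which also agrees with the closing `#endif /* DROPBEAR_LOCALOPTIONS_H_ */`. Separately, `DROPBEAR_DEFAULT_RSA_SIZE 1024` and `DROPBEAR_NONE_CIPHER 1` are the two settings a reader will question; the RSA comment gives the ARM9 generation-time reason, and I would add one for the none cipher stating that sessions negotiated with it carry no confidentiality, so it is expected only on trusted links.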
@@ -1,19 +1,19 @@ /* * Dropbear - a SSH2 server - * + * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. - * + * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
@@ -52,57 +52,58 @@ static void printhelp() { fprintf(stderr, "Dropbear SSH client v%s https://matt.ucc.asn.au/dropbear/dropbear.html\n" #if DROPBEAR_CLI_MULTIHOP - "Usage: %s [options] [user@]host[/port][,[user@]host/port],...] [command]\n" + "Usage: %s [options] [user@]host[/port][,[user@]host/port],...] [command]\n" #else - "Usage: %s [options] [user@]host[/port] [command]\n" -#endif - "-p \n" - "-l \n" - "-t Allocate a pty\n" - "-T Don't allocate a pty\n" - "-N Don't run a remote command\n" - "-f Run in background after auth\n" - "-y Always accept remote host key if unknown\n" - "-y -y Don't perform any remote host key checking (caution)\n" - "-s Request a subsystem (use by external sftp)\n" - "-o option Set option in OpenSSH-like format ('-o help' to list options)\n" + "Usage: %s [options] [user@]host[/port] [command]\n" +#endif + "-p \n" + "-l \n" + "-t Allocate a pty\n" + "-T Don't allocate a pty\n" + "-N Don't run a remote command\n" + "-f Run in background after auth\n" + "-n No compression\n" + "-y Always accept remote host key if unknown\n" + "-y -y Don't perform any remote host key checking (caution)\n" + "-s Request a subsystem (use by external sftp)\n" + "-o option Set option in OpenSSH-like format ('-o help' to list options)\n" #if DROPBEAR_CLI_PUBKEY_AUTH - "-i (multiple allowed, default %s)\n" + "-i (multiple allowed, default %s)\n" #endif #if DROPBEAR_CLI_AGENTFWD - "-A Enable agent auth forwarding\n" + "-A Enable agent auth forwarding\n" #endif #if DROPBEAR_CLI_LOCALTCPFWD - "-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding\n" - "-g Allow remote hosts to connect to forwarded ports\n" + "-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding\n" + "-g Allow remote hosts to connect to forwarded ports\n" #endif #if DROPBEAR_CLI_REMOTETCPFWD - "-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding\n" + "-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding\n" 
#endif - "-W (default %d, larger may be faster, max 1MB)\n" - "-K (0 is never, default %d)\n" - "-I (0 is never, default %d)\n" + "-W (default %d, larger may be faster, max 1MB)\n" + "-S{idletime} TCP Socket keepalive {optional TCP_KEEPIDLE must follow directly}\n" + "-K SSH channel keepalives (0 is never, default %d)\n" + "-I (0 is never, default %d)\n" #if DROPBEAR_CLI_NETCAT - "-B Netcat-alike forwarding\n" -#endif + "-B Netcat-alike forwarding\n" +#endif #if DROPBEAR_CLI_PROXYCMD - "-J Use program pipe rather than TCP connection\n" + "-J Use program pipe rather than TCP connection\n" #endif #if DROPBEAR_USER_ALGO_LIST - "-c Specify preferred ciphers ('-c help' to list options)\n" - "-m Specify preferred MACs for packet verification (or '-m help')\n" + "-c Specify preferred ciphers ('-c help' to list options)\n" + "-m Specify preferred MACs for packet verification (or '-m help')\n" #endif - "-b [bind_address][:bind_port]\n" - "-V Version\n" + "-b [bind_address][:bind_port]\n" + "-V Version\n" #if DEBUG_TRACE - "-v verbose (compiled with DEBUG_TRACE)\n" + "-v verbose (compiled with DEBUG_TRACE)\n" #endif - ,DROPBEAR_VERSION, cli_opts.progname, + ,DROPBEAR_VERSION, cli_opts.progname, #if DROPBEAR_CLI_PUBKEY_AUTH - DROPBEAR_DEFAULT_CLI_AUTHKEY, + DROPBEAR_DEFAULT_CLI_AUTHKEY, #endif - DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); - + DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); } void cli_getopts(int argc, char ** argv) { 
@@ -186,15 +187,17 @@ void cli_getopts(int argc, char ** argv) { opts.recv_window = DEFAULT_RECV_WINDOW; opts.keepalive_secs = DEFAULT_KEEPALIVE; opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT; + opts.tcp_keepalive = DEFAULT_TCP_ALIVE; fill_own_user(); for (i = 1; i < (unsigned int)argc; i++) { /* Handle non-flag arguments such as hostname or commands for the remote host */ - if (argv[i][0] != '-') + char *cursor = argv[i]; + if (*cursor != '-') { if (host_arg == NULL) { - host_arg = argv[i]; + host_arg = cursor; continue; } /* Commands to pass to the remote host. No more flag handling, @@ -204,7 +207,9 @@ void cli_getopts(int argc, char ** argv) { /* Begins with '-' */ opt = OPT_OTHER; - for (j = 1; (c = argv[i][j]) != '\0' && !next && opt == OPT_OTHER; j++) { + cursor++; + while ((c = *cursor) && !next && opt == OPT_OTHER) { + cursor++; switch (c) { case 'y': /* always accept the remote hostkey */ if (cli_opts.always_accept_key) { @@ -216,6 +221,9 @@ void cli_getopts(int argc, char ** argv) { case 'p': /* remoteport */ next = (char**)&cli_opts.remoteport; break; + case 'n': /* disable stream compression */ + opts.compress_mode = DROPBEAR_COMPRESS_OFF; + break; #if DROPBEAR_CLI_PUBKEY_AUTH case 'i': /* an identityfile */ opt = OPT_AUTHKEY; @@ -278,6 +286,21 @@ void cli_getopts(int argc, char ** argv) { case 'K': next = &keepalive_arg; break; + case 'S': //require that optional idletime to follow directly! + opts.tcp_keepalive = -1; + { + char *end; + long idletime = strtol(cursor, &end, 10); + if (cursor != end) { + if (idletime < 1 || idletime >= (long)LONG_MAX) { + *end=0; + dropbear_exit("Bad TCP_KEEPIDLE '%s'", cursor); + } + opts.tcp_keepalive = idletime; + cursor = end; + } + } + break; case 'I': next = &idle_timeout_arg; break; 
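Review bot: In the `-S` hunk the range check `idletime < 1 || idletime >= (long)LONG_MAX` bounds the value to `long`, but it is stored in `opts.tcp_keepalive` and (per the netio.c hunk further down this page) handed to a TCP socket option whose value is an `int`, so anything above `INT_MAX` passes the check and is silently truncated later; `if (idletime < 1 || idletime > INT_MAX) {` bounds it where the user can see the error. Overflow is already handled without `errno` because `strtol` saturates to `LONG_MIN`/`LONG_MAX`, both of which the new check rejects, which is worth a short comment since it reads like a missing `ERANGE` test. The comment `//require that optional idletime to follow directly!` uses `//` where the rest of the file uses `/* */`. `cli_getopts` continues outside this hunk.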
@@ -329,49 +352,45 @@ void cli_getopts(int argc, char ** argv) { if (!next && opt == OPT_OTHER) /* got a flag */ continue; - if (c == '\0') { - i++; - j = 0; - if (!argv[i]) - dropbear_exit("Missing argument"); - } + if (!c && !(cursor = argv[++i])) + dropbear_exit("Missing argument"); if (opt == OPT_EXTENDED_OPTIONS) { TRACE(("opt extended")) - add_extendedopt(&argv[i][j]); + add_extendedopt(cursor); } else #if DROPBEAR_CLI_PUBKEY_AUTH if (opt == OPT_AUTHKEY) { TRACE(("opt authkey")) - loadidentityfile(&argv[i][j], 1); + loadidentityfile(cursor, 1); } else #endif #if DROPBEAR_CLI_REMOTETCPFWD if (opt == OPT_REMOTETCPFWD) { TRACE(("opt remotetcpfwd")) - addforward(&argv[i][j], cli_opts.remotefwds); + addforward(cursor, cli_opts.remotefwds); } else #endif #if DROPBEAR_CLI_LOCALTCPFWD if (opt == OPT_LOCALTCPFWD) { TRACE(("opt localtcpfwd")) - addforward(&argv[i][j], cli_opts.localfwds); + addforward(cursor, cli_opts.localfwds); } else #endif #if DROPBEAR_CLI_NETCAT if (opt == OPT_NETCAT) { TRACE(("opt netcat")) - add_netcat(&argv[i][j]); + add_netcat(cursor); } else #endif if (next) { /* The previous flag set a value to assign */ - *next = &argv[i][j]; + *next = cursor; if (*next == NULL) dropbear_exit("Invalid null argument"); next = NULL; @@ -412,7 +431,7 @@ void cli_getopts(int argc, char ** argv) { parse_ciphers_macs(); #endif -#if DROPBEAR_CLI_PROXYCMD +#if DROPBEAR_CLI_PROXYCMD if (cli_opts.proxycmd) { /* To match the common path of m_freeing it */ cli_opts.proxycmd = m_strdup(cli_opts.proxycmd); @@ -449,7 +468,7 @@ void cli_getopts(int argc, char ** argv) { && cli_opts.no_cmd == 0) { dropbear_exit("Command required for -f"); } - + if (recv_window_arg) { opts.recv_window = atol(recv_window_arg); if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW) { 
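Review bot: The new `if (!c && !(cursor = argv[++i])) dropbear_exit("Missing argument");` in the first hunk folds an increment, an assignment and a negated test into one unbraced condition, which is harder to audit than the four lines it replaces. It is correct (it relies on `argv[argc]` being null, which C guarantees for `main`'s argv), but I would write it as `if (!c) { cursor = argv[++i]; }` followed by `if (cursor == NULL) { dropbear_exit("Missing argument"); }`, which behaves identically because `cursor` is non-null whenever `c` is non-zero. `cli_getopts` starts before this hunk.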
@@ -570,7 +589,7 @@ multihop_passthrough_args() { #endif /* DROPBEAR_CLI_PUBKEY_AUTH */ /* if args were passed, total will be not zero, and it will have a space at the end, so remove that */ - if (total > 0) + if (total > 0) { total--; } @@ -601,8 +620,8 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0) * for our multihop syntax, so we suture it back together. * This will break usernames that have both '@' and ',' in them, * though that should be fairly uncommon. */ - if (cli_opts.username - && strchr(cli_opts.username, ',') + if (cli_opts.username + && strchr(cli_opts.username, ',') && strchr(cli_opts.username, '@')) { unsigned int len = strlen(orighostarg) + strlen(cli_opts.username) + 2; hostbuf = m_malloc(len); @@ -635,13 +654,13 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0) if (cli_opts.remoteport == NULL) { cli_opts.remoteport = "22"; } - cmd_len = strlen(argv0) + strlen(remainder) + cmd_len = strlen(argv0) + strlen(remainder) + strlen(cli_opts.remotehost) + strlen(cli_opts.remoteport) + strlen(passthrough_args) + 30; cli_opts.proxycmd = m_malloc(cmd_len); - snprintf(cli_opts.proxycmd, cmd_len, "%s -B %s:%s %s %s", - argv0, cli_opts.remotehost, cli_opts.remoteport, + snprintf(cli_opts.proxycmd, cmd_len, "%s -B %s:%s %s %s", + argv0, cli_opts.remotehost, cli_opts.remoteport, passthrough_args, remainder); #ifndef DISABLE_ZLIB /* The stream will be incompressible since it's encrypted. */ @@ -693,9 +712,9 @@ static void parse_hostname(const char* orighostarg) { #if DROPBEAR_CLI_NETCAT static void add_netcat(const char* origstr) { char *portstr = NULL; - + char * str = m_strdup(origstr); - + portstr = strchr(str, ':'); if (portstr == NULL) { TRACE(("No netcat port")) 
@@ -703,25 +722,25 @@ static void add_netcat(const char* origstr) { } *portstr = '\0'; portstr++; - + if (strchr(portstr, ':')) { TRACE(("Multiple netcat colons")) goto fail; } - + if (m_str_to_uint(portstr, &cli_opts.netcat_port) == DROPBEAR_FAILURE) { TRACE(("bad netcat port")) goto fail; } - + if (cli_opts.netcat_port > 65535) { TRACE(("too large netcat port")) goto fail; } - + cli_opts.netcat_host = str; return; - + fail: dropbear_exit("Bad netcat endpoint '%s'", origstr); } @@ -729,7 +748,7 @@ static void add_netcat(const char* origstr) { static void fill_own_user() { uid_t uid; - struct passwd *pw = NULL; + struct passwd *pw = NULL; uid = getuid(); @@ -759,7 +778,7 @@ static void addforward(const char* origstr, m_list *fwdlist) { TRACE(("enter addforward")) /* We need to split the original argument up. This var - is never free()d. */ + is never free()d. */ str = m_strdup(origstr); part1 = str; @@ -819,7 +838,7 @@ static void addforward(const char* origstr, m_list *fwdlist) { TRACE(("listenport > 65535")) goto badport; } - + if (newfwd->connectport > 65535) { TRACE(("connectport > 65535")) goto badport; diff --git a/dropbear.geany b/dropbear.geany index 90f44d2fb..20e29122b 100644 --- a/dropbear.geany +++ b/dropbear.geany @@ -1,7 +1,7 @@ [editor] line_wrapping=false auto_continue_multiline=false -line_break_column=72 +line_break_column=80 [file_prefs] final_new_line=false @@ -10,8 +10,8 @@ strip_trailing_spaces=true replace_tabs=false [indentation] -indent_width=2 -indent_type=2 +indent_width=3 +indent_type=1 indent_hard_tab_width=4 detect_indent=true detect_indent_width=true @@ -19,9 +19,9 @@ indent_mode=3 [project] name=dropbear -base_path=. -description= -file_patterns= +base_path=./ +description=Dropbear SSH +file_patterns=*.c;*.h; [long line marker] long_line_behaviour=1 
@@ -32,5 +32,13 @@ source_patterns=*.c;*.C;*.cpp;*.cxx;*.c++;*.cc;*.m; header_patterns=*.h;*.H;*.hpp;*.hxx;*.h++;*.hh; ignored_dirs_patterns=.*;CVS; ignored_file_patterns=*.o;*.obj;*.a;*.lib;*.so;*.dll;*.lo;*.la;*.class;*.jar;*.pyc;*.mo;*.gmo; -generate_tag_prefs=0 +generate_tag_prefs=1 external_dirs= + +[build-menu] +NF_00_LB=_Make +NF_00_CM=make +NF_00_WD= +NF_01_LB=Make Custom _Target... +NF_01_CM=make +NF_01_WD= diff --git a/dropbearkey.c b/dropbearkey.c index dd0e69798..7480ab693 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -1,19 +1,19 @@ /* * Dropbear - a SSH2 server - * + * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. - * + * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -33,7 +33,7 @@ * mp_int n * mp_int d * mp_int p (newer versions only) - * mp_int q (newer versions only) + * mp_int q (newer versions only) * * DSS: * string "ssh-dss" @@ -149,7 +149,7 @@ int main(int argc, char ** argv) { for (i = 1; i < argc; i++) { if (argv[i] == NULL) { continue; /* Whack */ - } + } if (next) { *next = argv[i]; next = NULL; 
@@ -236,7 +236,7 @@ int main(int argc, char ** argv) { fprintf(stderr, "Bits must be an integer\n"); exit(EXIT_FAILURE); } - + check_signkey_bits(keytype, bits);; } diff --git a/localoptions.h b/localoptions.h index 910ae3ba7..42c884533 100644 --- a/localoptions.h +++ b/localoptions.h @@ -2,9 +2,12 @@ #define DROPBEAR_LOCALOPTIONS_H_ /* Local options override those in default_options.h for ESP Linux - revised 9/3/19 by Brent Roman, brent@mbari.org + revised 5/29/20 by Brent Roman, brent@mbari.org */ -#define DROPBEAR_VERSION "2019.78-mbari2" +#define DROPBEAR_VERSION "2019.78-mbari3" + +//verbose debugging +#define DEBUG_TRACE 1 //do not disallow core dumps! #define ALLOW_COREDUMPS 1 @@ -26,8 +29,8 @@ #define DROPBEAR_NONE_CIPHER 1 /* Save a network roundtrip by sending a real auth request immediately after - * sending a query for the available methods. This is not yet enabled by default - since it could cause problems with non-compliant servers */ + * sending a query for the available methods. This is not yet enabled by default + since it could cause problems with non-compliant servers */ #define DROPBEAR_CLI_IMMEDIATE_AUTH 1 #endif /* DROPBEAR_LOCALOPTIONS_H_ */ diff --git a/netio.c b/netio.c index 84520032f..995a66d72 100644 --- a/netio.c +++ b/netio.c @@ -4,6 +4,11 @@ #include "session.h" #include "debug.h" +#include "runopts.h" + +extern runopts opts; /* GLOBAL */ + + struct dropbear_progress_connection { struct addrinfo *res; struct addrinfo *res_iter; @@ -84,7 +89,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { int len = 100 + strlen(gai_strerror(err)); m_free(c->errstring); c->errstring = (char*)m_malloc(len); - snprintf(c->errstring, len, "Error resolving bind address '%s' (port %s). %s", + snprintf(c->errstring, len, "Error resolving bind address '%s' (port %s). %s", c->bind_address, c->bind_port, gai_strerror(err)); TRACE(("Error resolving bind: %s", gai_strerror(err))) close(c->sock); 
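Review bot: `#define DEBUG_TRACE 1` in the localoptions.h hunk turns on trace output for the same build that the version string marks as the ESP deployment, and the comment `//verbose debugging` does not say what that costs. With DEBUG_TRACE compiled in, `-v` routes the `TRACE((...))` calls seen throughout this patch to the log, and Dropbear's debug.h cautions that this output can include sensitive data — confirm against that header. I would extend the comment to `//verbose debugging: compiles in the -v trace path; keep at 0 for release images (see debug.h)` or gate it on a build flag rather than a shipped header.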
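Review bot: The netio.c hunk adds `extern runopts opts; /* GLOBAL */` directly after the new `#include "runopts.h"`, but runopts.h already declares `extern runopts opts;` (visible in the runopts.h hunk further down this page), so the line is a duplicate declaration. Dropping the extern and keeping only the include leaves one authoritative declaration and matches how the other .c files on this page get `opts`.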
@@ -100,7 +105,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { int len = 300; m_free(c->errstring); c->errstring = m_malloc(len); - snprintf(c->errstring, len, "Error binding local address '%s' (port %s). %s", + snprintf(c->errstring, len, "Error binding local address '%s' (port %s). %s", c->bind_address, c->bind_port, strerror(keep_errno)); close(c->sock); c->sock = -1; @@ -131,7 +136,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { if (errno != EINPROGRESS) { m_free(c->errstring); c->errstring = m_strdup(strerror(errno)); - /* Not entirely sure which kind of errors are normal - 2.6.32 seems to + /* Not entirely sure which kind of errors are normal - 2.6.32 seems to return EPIPE for any (nonblocking?) sendmsg(). just fall back */ TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); /* No kernel MSG_FASTOPEN support. Fall back below */ @@ -172,7 +177,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { /* Connect via TCP to a host. */ struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport, - connect_callback cb, void* cb_data, + connect_callback cb, void* cb_data, const char* bind_address, const char* bind_port) { struct dropbear_progress_connection *c = NULL; @@ -197,13 +202,13 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons int len; len = 100 + strlen(gai_strerror(err)); c->errstring = (char*)m_malloc(len); - snprintf(c->errstring, len, "Error resolving '%s' port '%s'. %s", + snprintf(c->errstring, len, "Error resolving '%s' port '%s'. %s", remotehost, remoteport, gai_strerror(err)); TRACE(("Error resolving: %s", gai_strerror(err))) } else { c->res_iter = c->res; } - + if (bind_address) { c->bind_address = m_strdup(bind_address); } 
@@ -278,7 +283,7 @@ void handle_connect_fds(const fd_set *writefd) { remove_connect(c, iter); TRACE(("leave handle_connect_fds - success")) /* Must return here - remove_connect() invalidates iter */ - return; + return; } } } @@ -334,11 +339,25 @@ void packet_queue_consume(struct Queue *queue, ssize_t written) { } void set_sock_nodelay(int sock) { - int val; + time_t keepidle = opts.tcp_keepalive; - /* disable nagle */ - val = 1; - setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); + int val = 1; /* disable nagle and optionally enable tcp keepalive probes */ + setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)); + + if (keepidle) { + if (keepidle < 0 && opts.keepalive_secs) { + //start probing only after ssh keep alives should have terminated session + keepidle = opts.keepalive_secs * DEFAULT_KEEPALIVE_LIMIT; + } + if (keepidle > 0 && + setsockopt(sock, IPPROTO_TCP, TCP_KEEPIDLE, + &keepidle, sizeof(keepidle))) { + TRACE(("TCP_KEEPIDLE failed for socket %d: %s",sock, strerror(errno))); + } + if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &val, sizeof(val))) { + TRACE(("TCP KeepAlive failed for socket %d: %s",sock,strerror(errno))); + } + } } #if DROPBEAR_SERVER_TCP_FAST_OPEN @@ -348,7 +367,6 @@ void set_listen_fast_open(int sock) { TRACE(("set_listen_fast_open failed for socket %d: %s", sock, strerror(errno))) } } - #endif void set_sock_priority(int sock, enum dropbear_prio prio) { @@ -436,7 +454,7 @@ int get_sock_port(int sock) { return atoi(strport); } -/* Listen on address:port. +/* Listen on address:port. * Special cases are address of "" listening on everything, * and address of NULL listening on localhost only. * Returns the number of sockets bound on success, or -1 on failure. On 
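Review bot: In the `set_sock_nodelay` hunk, `setsockopt(sock, IPPROTO_TCP, TCP_KEEPIDLE, &keepidle, sizeof(keepidle))` passes a `time_t` for an option whose value is an `int`; as far as I recall the Linux kernel reads only the first `sizeof(int)` bytes of the buffer, so with a 64-bit `time_t` this works by accident on little-endian targets and submits the zero high half (rejected with EINVAL) on big-endian ones. `TCP_KEEPIDLE` is also used unguarded, and platforms that spell it differently (macOS uses `TCP_KEEPALIVE`) will fail to compile, so the block wants an `#ifdef TCP_KEEPIDLE`. Converting to a clamped `int` fixes the first point (`INT_MAX` from `<limits.h>` if includes.h does not already provide it), and the function's header comment should now say it enables keepalives as well as disabling Nagle.
```c
void set_sock_nodelay(int sock) {
	time_t keepidle = opts.tcp_keepalive;
	/* … unchanged: TCP_NODELAY … */
	if (keepidle) {
		if (keepidle < 0 && opts.keepalive_secs) {
			/* start probing only after ssh keepalives should have terminated the session */
			keepidle = opts.keepalive_secs * DEFAULT_KEEPALIVE_LIMIT;
		}
#ifdef TCP_KEEPIDLE
		if (keepidle > 0) {
			/* the option value is an int, so clamp instead of passing a time_t */
			int idle = keepidle > INT_MAX ? INT_MAX : (int)keepidle;
			if (setsockopt(sock, IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle))) {
				TRACE(("TCP_KEEPIDLE failed for socket %d: %s", sock, strerror(errno)));
			}
		}
#endif
		/* … unchanged: SO_KEEPALIVE … */
	}
}
```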
@@ -453,7 +471,7 @@ int dropbear_listen(const char* address, const char* port, int sock; TRACE(("enter dropbear_listen")) - + memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; /* TODO: let them flag v4 only etc */ hints.ai_socktype = SOCK_STREAM; @@ -534,7 +552,7 @@ int dropbear_listen(const char* address, const char* port, #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) if (res->ai_family == AF_INET6) { int on = 1; - if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) == -1) { dropbear_log(LOG_WARNING, "Couldn't set IPV6_V6ONLY"); } @@ -598,39 +616,39 @@ void get_socket_address(int fd, char **local_host, char **local_port, return; } #endif - + if (local_host || local_port) { addrlen = sizeof(addr); if (getsockname(fd, (struct sockaddr*)&addr, &addrlen) < 0) { dropbear_exit("Failed socket address: %s", strerror(errno)); } - getaddrstring(&addr, local_host, local_port, host_lookup); + getaddrstring(&addr, local_host, local_port, host_lookup); } if (remote_host || remote_port) { addrlen = sizeof(addr); if (getpeername(fd, (struct sockaddr*)&addr, &addrlen) < 0) { dropbear_exit("Failed socket address: %s", strerror(errno)); } - getaddrstring(&addr, remote_host, remote_port, host_lookup); + getaddrstring(&addr, remote_host, remote_port, host_lookup); } } /* Return a string representation of the socket address passed. The return * value is allocated with malloc() */ -void getaddrstring(struct sockaddr_storage* addr, +void getaddrstring(struct sockaddr_storage* addr, char **ret_host, char **ret_port, int host_lookup) { char host[NI_MAXHOST+1], serv[NI_MAXSERV+1]; unsigned int len; int ret; - + int flags = NI_NUMERICSERV | NI_NUMERICHOST; #if !DO_HOST_LOOKUP host_lookup = 0; #endif - + if (host_lookup) { flags = NI_NUMERICSERV; } 
@@ -651,7 +669,7 @@ void getaddrstring(struct sockaddr_storage* addr, #endif #endif - ret = getnameinfo((struct sockaddr*)addr, len, host, sizeof(host)-1, + ret = getnameinfo((struct sockaddr*)addr, len, host, sizeof(host)-1, serv, sizeof(serv)-1, flags); if (ret != 0) { diff --git a/runopts.h b/runopts.h index 31eae1fa3..3064a88ed 100644 --- a/runopts.h +++ b/runopts.h @@ -1,19 +1,19 @@ /* * Dropbear - a SSH2 server - * + * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. - * + * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -40,6 +40,8 @@ typedef struct runopts { unsigned int recv_window; time_t keepalive_secs; /* Time between sending keepalives. 0 is off */ time_t idle_timeout_secs; /* Exit if no traffic is sent/received in this time */ + time_t tcp_keepalive; /* TCP keepalive idle secs */ + /* or default tcp_keepidle if < 0 */ int usingsyslog; #ifndef DISABLE_ZLIB @@ -62,7 +64,7 @@ typedef struct runopts { extern runopts opts; -int readhostkey(const char * filename, sign_key * hostkey, +int readhostkey(const char * filename, sign_key * hostkey, enum signkey_type *type); void load_all_hostkeys(void); 
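Review bot: The new `tcp_keepalive` field in the runopts.h hunk is documented as `/* TCP keepalive idle secs */ /* or default tcp_keepidle if < 0 */`, but the code that consumes it (the `set_sock_nodelay` hunk earlier on this page) branches on three states and the negative case is not a fixed default: it is derived from `keepalive_secs` when that is non-zero and otherwise left to the system. I would replace the two comments with `/* 0: no SO_KEEPALIVE; >0: TCP_KEEPIDLE seconds; <0: SO_KEEPALIVE with idle derived from keepalive_secs, or the system default when that is 0 */` so the field can be read without opening netio.c.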
@@ -72,7 +74,7 @@ typedef struct svr_runopts { int forkbg; - /* ports and addresses are arrays of the portcount + /* ports and addresses are arrays of the portcount listening ports. strings are malloced. */ char *ports[DROPBEAR_MAX_PORTS]; unsigned int portcount; @@ -94,7 +96,7 @@ typedef struct svr_runopts { int norootlogin; #ifdef HAVE_GETGROUPLIST - /* restrict_group is the group name if group restriction was enabled, + /* restrict_group is the group name if group restriction was enabled, NULL otherwise */ char *restrict_group; /* restrict_group_gid is only valid if restrict_group is set */ @@ -162,7 +164,7 @@ typedef struct cli_runopts { #endif #if DROPBEAR_CLI_AGENTFWD int agent_fwd; - int agent_keys_loaded; /* whether pubkeys has been populated with a + int agent_keys_loaded; /* whether pubkeys has been populated with a list of keys held by the agent */ int agent_fd; /* The agent fd is only set during authentication. Forwarded agent sessions have their own file descriptors */ diff --git a/svr-auth.c b/svr-auth.c index 7575f9031..69c43abb9 100644 --- a/svr-auth.c +++ b/svr-auth.c 
@@ -1,19 +1,19 @@ /* * Dropbear - a SSH2 server - * + * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. - * + * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -103,7 +103,7 @@ void recv_msg_userauth_request() { if (servicelen != SSH_SERVICE_CONNECTION_LEN && (strncmp(servicename, SSH_SERVICE_CONNECTION, SSH_SERVICE_CONNECTION_LEN) != 0)) { - + /* TODO - disconnect here */ m_free(username); m_free(servicename); @@ -111,7 +111,7 @@ void recv_msg_userauth_request() { dropbear_exit("unknown service in auth"); } - /* check username is good before continuing. + /* check username is good before continuing. * the 'incrfail' varies depending on the auth method to * avoid giving away which users exist on the system through * the time delay. */ 
@@ -127,10 +127,10 @@ void recv_msg_userauth_request() { if (valid_user && svr_opts.allowblankpass && !svr_opts.noauthpass - && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) - && ses.authstate.pw_passwd[0] == '\0') + && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) + && ses.authstate.pw_passwd[0] == '\0') { - dropbear_log(LOG_NOTICE, + dropbear_log(LOG_NOTICE, "Auth succeeded with blank password for '%s' from %s", ses.authstate.pw_name, svr_ses.addrstring); @@ -144,7 +144,7 @@ void recv_msg_userauth_request() { goto out; } } - + #if DROPBEAR_SVR_PASSWORD_AUTH if (!svr_opts.noauthpass && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { @@ -335,7 +335,7 @@ static int checkusername(const char *username, unsigned int userlen) { dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected", ses.authstate.pw_name); return DROPBEAR_FAILURE; - + goodshell: endusershell(); TRACE(("matching shell")) @@ -357,7 +357,7 @@ void send_msg_userauth_failure(int partial, int incrfail) { TRACE(("enter send_msg_userauth_failure")) CHECKCLEARTOWRITE(); - + buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE); /* put a list of allowed types */ @@ -369,7 +369,7 @@ void send_msg_userauth_failure(int partial, int incrfail) { buf_putbyte(typebuf, ','); } } - + if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); } @@ -410,7 +410,7 @@ void send_msg_userauth_failure(int partial, int incrfail) { genrandom((unsigned char*)&rand_delay, sizeof(rand_delay)); rand_delay = mindelay + (rand_delay % vardelay); - if (delay.tv_sec == 0 && delay.tv_nsec <= mindelay) { + if (delay.tv_sec == 0 && delay.tv_nsec <= (int)mindelay) { /* Compensate for elapsed time */ delay.tv_nsec = rand_delay - delay.tv_nsec; } else { 
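Review bot: The `(int)mindelay` cast in the last hunk silences a signed/unsigned comparison warning rather than fixing the type mismatch: `delay.tv_nsec` is a `long`, so the natural conversion is `delay.tv_nsec <= (long)mindelay`, which is exact on every platform whereas `(int)` narrows. I cannot see `mindelay`'s declaration from here, so if it is already a small constant the difference is only stylistic, but a one-word comment such as `/* tv_nsec is long */` would explain why a cast is there at all. `send_msg_userauth_failure` continues past this hunk.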
@@ -443,7 +443,7 @@ void send_msg_userauth_failure(int partial, int incrfail) { dropbear_exit("Max auth tries reached - user '%s' from %s", userstr, svr_ses.addrstring); } - + TRACE(("leave send_msg_userauth_failure")) } @@ -457,7 +457,7 @@ void send_msg_userauth_success() { buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS); encrypt_packet(); - /* authdone must be set after encrypt_packet() for + /* authdone must be set after encrypt_packet() for * delayed-zlib mode */ ses.authstate.authdone = 1; ses.connect_time = 0; @@ -469,7 +469,7 @@ void send_msg_userauth_success() { /* Remove from the list of pre-auth sockets. Should be m_close(), since if * we fail, we might end up leaking connection slots, and disallow new - * logins - a nasty situation. */ + * logins - a nasty situation. */ m_close(svr_ses.childpipe); TRACE(("leave send_msg_userauth_success")) diff --git a/svr-runopts.c b/svr-runopts.c index d6c78df4e..3ad588e2d 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -1,19 +1,19 @@ /* * Dropbear - a SSH2 server - * + * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. - * + * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
@@ -58,7 +58,7 @@ static void printhelp(const char * progname) { " ecdsa %s\n" #endif #if DROPBEAR_DELAY_HOSTKEY - "-R Create hostkeys as required\n" + "-R Create hostkeys as required\n" #endif "-F Don't fork into background\n" #ifdef DISABLE_SYSLOG @@ -159,7 +159,7 @@ void svr_getopts(int argc, char ** argv) { #ifndef DISABLE_ZLIB opts.compress_mode = DROPBEAR_COMPRESS_DELAYED; -#endif +#endif /* not yet opts.ipv4 = 1; @@ -174,7 +174,7 @@ void svr_getopts(int argc, char ** argv) { opts.recv_window = DEFAULT_RECV_WINDOW; opts.keepalive_secs = DEFAULT_KEEPALIVE; opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT; - + #if DROPBEAR_SVR_REMOTETCPFWD opts.listen_fwd_all = 0; #endif @@ -332,7 +332,7 @@ void svr_getopts(int argc, char ** argv) { dropbear_exit("Error opening banner file '%s'", svr_opts.bannerfile); } - + if (buf.st_size > MAX_BANNER_SIZE) { dropbear_exit("Banner file too large, max is %d bytes", MAX_BANNER_SIZE); @@ -357,7 +357,7 @@ void svr_getopts(int argc, char ** argv) { } } #endif - + if (recv_window_arg) { opts.recv_window = atol(recv_window_arg); if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW) { @@ -367,14 +367,14 @@ void svr_getopts(int argc, char ** argv) { if (maxauthtries_arg) { unsigned int val = 0; - if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE + if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE || val == 0) { dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg); } svr_opts.maxauthtries = val; } - + if (keepalive_arg) { unsigned int val; if (m_str_to_uint(keepalive_arg, &val) == DROPBEAR_FAILURE) { @@ -428,7 +428,7 @@ static void addportandaddress(const char* spec) { port = myspec; } else { /* Split the address/port */ - port[0] = '\0'; + port[0] = '\0'; port++; address = myspec; } 
@@ -577,7 +577,7 @@ void load_all_hostkeys() { - Otherwise no ecdsa keys will be advertised */ /* check if any keys were loaded at startup */ - loaded_any_ecdsa = + loaded_any_ecdsa = 0 #if DROPBEAR_ECC_256 || svr_opts.hostkey->ecckey256 From c647a288c3f64a523776d4e97fb62fca48ade6ad Mon Sep 17 00:00:00 2001 From: Brent Roman Date: Sat, 30 May 2020 12:49:03 -0700 Subject: [PATCH 3/7] Added TCP Socket keepalives and compressing disable to server --- cli-runopts.c | 12 +++-- svr-runopts.c | 135 ++++++++++++++++++++++++++++---------------------- 2 files changed, 85 insertions(+), 62 deletions(-) diff --git a/cli-runopts.c b/cli-runopts.c index a11bed177..1364dcbdc 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -62,7 +62,9 @@ static void printhelp() { "-T Don't allocate a pty\n" "-N Don't run a remote command\n" "-f Run in background after auth\n" +#ifndef DISABLE_ZLIB "-n No compression\n" +#endif "-y Always accept remote host key if unknown\n" "-y -y Don't perform any remote host key checking (caution)\n" "-s Request a subsystem (use by external sftp)\n" @@ -107,7 +109,7 @@ static void printhelp() { } void cli_getopts(int argc, char ** argv) { - unsigned int i, j; + unsigned i; char ** next = NULL; enum { OPT_EXTENDED_OPTIONS, @@ -221,9 +223,11 @@ void cli_getopts(int argc, char ** argv) { case 'p': /* remoteport */ next = (char**)&cli_opts.remoteport; break; +#ifndef DISABLE_ZLIB case 'n': /* disable stream compression */ opts.compress_mode = DROPBEAR_COMPRESS_OFF; break; +#endif #if DROPBEAR_CLI_PUBKEY_AUTH case 'i': /* an identityfile */ opt = OPT_AUTHKEY; @@ -286,7 +290,7 @@ void cli_getopts(int argc, char ** argv) { case 'K': next = &keepalive_arg; break; - case 'S': //require that optional idletime to follow directly! + case 'S': //require optional idletime follow directly! opts.tcp_keepalive = -1; { char *end; 
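Review bot: Wrapping `case 'n':` in `#ifndef DISABLE_ZLIB` in the `-221,9` hunk turns `-n` from a harmless flag into an unrecognised option on builds without zlib, so a wrapper script that passes `-n` will presumably reach the switch's unknown-argument exit (that default branch is outside the hunk). Unless that breakage is intended, keep `case 'n':` and `break;` outside the guard and wrap only the `opts.compress_mode = DROPBEAR_COMPRESS_OFF;` line in `#ifndef DISABLE_ZLIB`, so the flag stays accepted and merely has no effect. Hiding the help text under the same guard, as the `-62,7` hunk does, is fine either way. cli_getopts continues outside the hunk.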
@@ -390,8 +394,7 @@ void cli_getopts(int argc, char ** argv) { #endif if (next) { /* The previous flag set a value to assign */ - *next = cursor; - if (*next == NULL) + if (!(*next = cursor)) dropbear_exit("Invalid null argument"); next = NULL; } @@ -408,6 +411,7 @@ void cli_getopts(int argc, char ** argv) { if (i < (unsigned int)argc) { /* Build the command to send */ + unsigned j; cmdlen = 0; for (j = i; j < (unsigned int)argc; j++) cmdlen += strlen(argv[j]) + 1; /* +1 for spaces */ diff --git a/svr-runopts.c b/svr-runopts.c index 3ad588e2d..9bc1f5b42 100644 --- a/svr-runopts.c +++ b/svr-runopts.c 
@@ -42,85 +42,88 @@ static void addhostkey(const char *keyfile); static void printhelp(const char * progname) { fprintf(stderr, "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html\n" - "Usage: %s [options]\n" - "-b bannerfile Display the contents of bannerfile" - " before user login\n" - " (default: none)\n" - "-r keyfile Specify hostkeys (repeatable)\n" - " defaults: \n" + "Usage: %s [options]\n" + "-b bannerfile Display the contents of bannerfile" + " before user login\n" + " (default: none)\n" + "-r keyfile Specify hostkeys (repeatable). Defaults:\n" #if DROPBEAR_DSS - " dss %s\n" + " dss %s\n" #endif #if DROPBEAR_RSA - " rsa %s\n" + " rsa %s\n" #endif #if DROPBEAR_ECDSA - " ecdsa %s\n" + " ecdsa %s\n" #endif #if DROPBEAR_DELAY_HOSTKEY - "-R Create hostkeys as required\n" + "-R Create hostkeys as required\n" +#endif + "-F Don't fork into background\n" +#ifndef DISABLE_ZLIB + "-n No compression\n" #endif - "-F Don't fork into background\n" #ifdef DISABLE_SYSLOG - "(Syslog support not compiled in, using stderr)\n" + "(Syslog support not compiled in, using stderr)\n" #else - "-E Log to stderr rather than syslog\n" + "-E Log to stderr rather than syslog\n" #endif #if DO_MOTD - "-m Don't display the motd on login\n" + "-m Don't display the motd on login\n" #endif - "-w Disallow root logins\n" + "-w Disallow root logins\n" #ifdef HAVE_GETGROUPLIST - "-G Restrict logins to members of specified group\n" + "-G Restrict logins to members of specified group\n" #endif #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH - "-s Disable password logins\n" - "-g Disable password logins for root\n" - "-B Allow blank password logins\n" + "-s Disable password logins\n" + "-g Disable password logins for root\n" + "-B Allow blank password logins\n" #endif - "-T Maximum authentication tries (default %d)\n" + "-T Maximum authentication tries (default %d)\n" #if DROPBEAR_SVR_LOCALTCPFWD - "-j Disable local port forwarding\n" + "-j Disable local port forwarding\n" 
#endif #if DROPBEAR_SVR_REMOTETCPFWD - "-k Disable remote port forwarding\n" - "-a Allow connections to forwarded ports from any host\n" - "-c command Force executed command\n" -#endif - "-p [address:]port\n" - " Listen on specified tcp port (and optionally address),\n" - " up to %d can be specified\n" - " (default port is %s if none specified)\n" - "-P PidFile Create pid file PidFile\n" - " (default %s)\n" + "-k Disable remote port forwarding\n" + "-a Allow connections to forwarded ports from any host\n" + "-c command Force executed command\n" +#endif + "-p [address:]port\n" + " Listen on specified tcp port (and optionally address),\n" + " up to %d can be specified\n" + " (default port is %s if none specified)\n" + "-P PidFile Create pid file PidFile\n" + " (default %s)\n" #if INETD_MODE - "-i Start for inetd\n" + "-i Start for inetd\n" #endif - "-W (default %d, larger may be faster, max 1MB)\n" - "-K (0 is never, default %d, in seconds)\n" - "-I (0 is never, default %d, in seconds)\n" - "-V Version\n" + "-W (default %d, larger may be faster, max 1MB)\n" + "-S{idletime} TCP Socket keepalive {optional TCP_KEEPIDLE must follow directly}\n" + "-K SSH channel keepalives (0 is never, default %d)\n" + "-I (0 is never, default %d, in seconds)\n" + "-V Version\n" #if DEBUG_TRACE - "-v verbose (compiled with DEBUG_TRACE)\n" + "-v verbose (compiled with DEBUG_TRACE)\n" #endif - ,DROPBEAR_VERSION, progname, + ,DROPBEAR_VERSION, progname, #if DROPBEAR_DSS - DSS_PRIV_FILENAME, + DSS_PRIV_FILENAME, #endif #if DROPBEAR_RSA - RSA_PRIV_FILENAME, + RSA_PRIV_FILENAME, #endif #if DROPBEAR_ECDSA - ECDSA_PRIV_FILENAME, + ECDSA_PRIV_FILENAME, #endif - MAX_AUTH_TRIES, - DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, - DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); + MAX_AUTH_TRIES, + DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, + DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); } void svr_getopts(int argc, char ** argv) { - unsigned int 
i, j;
+ unsigned i;
 char ** next = NULL;
 int nextisport = 0;
 char* recv_window_arg = NULL;
@@ -174,16 +177,19 @@ void svr_getopts(int argc, char ** argv) {
 opts.recv_window = DEFAULT_RECV_WINDOW;
 opts.keepalive_secs = DEFAULT_KEEPALIVE;
 opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
+ opts.tcp_keepalive = DEFAULT_TCP_ALIVE;
 #if DROPBEAR_SVR_REMOTETCPFWD
 opts.listen_fwd_all = 0;
 #endif
 for (i = 1; i < (unsigned int)argc; i++) {
- if (argv[i][0] != '-' || argv[i][1] == '\0')
+ char *cursor = argv[i];
+ if (*cursor != '-' || !*++cursor)
 dropbear_exit("Invalid argument: %s", argv[i]);
- for (j = 1; (c = argv[i][j]) != '\0' && !next && !nextisport; j++) {
+ while ((c = *cursor) && !next && !nextisport) {
+ cursor++;
 switch (c) {
 case 'b':
 next = &svr_opts.bannerfile;
@@ -223,6 +229,11 @@ void svr_getopts(int argc, char ** argv) {
 case 'i':
 svr_opts.inetdmode = 1;
 break;
+#endif
+#ifndef DISABLE_ZLIB
+ case 'n': /* disable stream compression */
+ opts.compress_mode = DROPBEAR_COMPRESS_OFF;
+ break;
 #endif
 case 'p':
 nextisport = 1;
@@ -250,6 +261,21 @@ void svr_getopts(int argc, char ** argv) {
 case 'K':
 next = &keepalive_arg;
 break;
+ case 'S': //require optional idletime follow directly!
+ opts.tcp_keepalive = -1;
+ {
+ char *end;
+ long idletime = strtol(cursor, &end, 10);
+ if (cursor != end) {
+ if (idletime < 1 || idletime >= (long)LONG_MAX) {
+ *end=0;
+ dropbear_exit("Bad TCP_KEEPIDLE '%s'", cursor);
+ }
+ opts.tcp_keepalive = idletime;
+ cursor = end;
+ }
+ }
+ break;
 case 'I':
 next = &idle_timeout_arg;
 break;
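Review bot: The new `-S{idletime}` help line in the printhelp hunk gives no unit for the idle time, and the rewritten `-K` line drops the `in seconds` that the replaced text carried, while the untouched `-I` line right below still says `in seconds`; a user reading the three together cannot tell whether `-S60` means seconds. Suggest `"-S{idletime} TCP socket keepalive (idle seconds must follow directly, e.g. -S60)\n"` and `"-K SSH channel keepalives (0 is never, default %d, in seconds)\n"`. The remainder of this hunk is whitespace re-indentation of the help text and ends a few lines into svr_getopts.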
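Review bot: The range check in the new `case 'S':` block rejects only `idletime < 1` and `idletime >= LONG_MAX`, so on an LP64 target a value such as `-S3000000000` is accepted and stored into `opts.tcp_keepalive`; that field's declaration and the setsockopt that consumes it are outside this hunk, but TCP_KEEPIDLE is an `int`-sized socket option, so anything above INT_MAX is either truncated on assignment or rejected by the kernel long after option parsing instead of here. Bound the value to what the consumer can hold, which also covers strtol's ERANGE results without reading errno: `if (idletime < 1 || idletime > INT_MAX) {` (`<limits.h>` is already required for LONG_MAX). The `*end=0` write into argv only shortens the error text; since dropbear_exit terminates the process it is harmless, but `dropbear_exit("Bad TCP_KEEPIDLE in '%s'", argv[i])` would avoid mutating the argument vector at all. svr_getopts continues outside the hunk.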
@@ -294,22 +320,15 @@ void svr_getopts(int argc, char ** argv) {
 if (!next && !nextisport)
 continue;
- if (c == '\0') {
- i++;
- j = 0;
- if (!argv[i]) {
- dropbear_exit("Missing argument");
- }
- }
+ if (!c && !(cursor = argv[++i]))
+ dropbear_exit("Missing argument");
 if (nextisport) {
- addportandaddress(&argv[i][j]);
+ addportandaddress(cursor);
 nextisport = 0;
 } else if (next) {
- *next = &argv[i][j];
- if (*next == NULL) {
+ if (!(*next = cursor))
 dropbear_exit("Invalid null argument");
- }
 next = NULL;
 if (keyfile) {
From 002c270c7ce071191b8ff16e7e05cda10f18c808 Mon Sep 17 00:00:00 2001
From: Brent Roman
Date: Sat, 30 May 2020 13:00:10 -0700
Subject: [PATCH 4/7] for github
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 000000000..958d21e84
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+This fork of the dropbear SSH suite adds:
+
+-S option for TCP Socket Keepalives (similar to OpenSSH TCPKeepAlive option)
+
+-n flag to disable compression
+
+it also allows core dumps by programs spawned in remote shells.
+(ALLOW_COREDUMPS)
From 0d56bee641c83d4ce6e649a714400ed3d280efbe Mon Sep 17 00:00:00 2001
From: Brent Roman
Date: Sat, 30 May 2020 13:59:31 -0700
Subject: [PATCH 5/7] missed change because file was in .gitignore
---
 default_options_guard.h | 490 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 490 insertions(+)
 create mode 100644 default_options_guard.h
diff --git a/default_options_guard.h b/default_options_guard.h
new file mode 100644
index 000000000..7016c0a0c
--- /dev/null
+++ b/default_options_guard.h
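Review bot: The two rewritten conditions in this hunk, `if (!c && !(cursor = argv[++i]))` and `if (!(*next = cursor))`, drop the braces the replaced lines had and hide an assignment inside the test, which is out of step with the bodies that keep their braces a few lines below (`if (nextisport) {`, `} else if (next) {`) and with the rest of the file's style. The second test is also dead code: the first one has already exited when `cursor` is NULL, and otherwise `cursor` points into argv[i], so `*next` can never be NULL there (the replaced `if (*next == NULL)` was equally unreachable). Suggest `if (!c) { cursor = argv[++i]; }` followed by `if (!cursor) { dropbear_exit("Missing argument"); }`, and a plain `*next = cursor;` in the `next` branch. svr_getopts starts and ends outside the hunk.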
@@ -0,0 +1,490 @@ +/* + > > > Do not edit this file (default_options_guard.h) < < < +Generated from default_options.h +Local customisation goes in localoptions.h +*/ + +#ifndef DROPBEAR_DEFAULT_OPTIONS_H_ +#define DROPBEAR_DEFAULT_OPTIONS_H_ +/* + > > > Read This < < < + +default_options.h documents compile-time options, and provides default values. + +Local customisation should be added to localoptions.h which is +used if it exists in the build directory. Options defined there will override +any options in this file. + +Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS + +IMPORTANT: Some options will require "make clean" after changes */ + +#ifndef DROPBEAR_DEFPORT +#define DROPBEAR_DEFPORT "22" +#endif + +/* Listen on all interfaces */ +#ifndef DROPBEAR_DEFADDRESS +#define DROPBEAR_DEFADDRESS "" +#endif + +/* Default hostkey paths - these can be specified on the command line */ +#ifndef DSS_PRIV_FILENAME +#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" +#endif +#ifndef RSA_PRIV_FILENAME +#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" +#endif +#ifndef ECDSA_PRIV_FILENAME +#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" +#endif +#ifndef ED25519_PRIV_FILENAME +#define ED25519_PRIV_FILENAME "/etc/dropbear/dropbear_ed25519_host_key" +#endif + +/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens + * on chosen ports and keeps accepting connections. This is the default. + * + * Set INETD_MODE if you want to be able to run Dropbear with inetd (or + * similar), where it will use stdin/stdout for connections, and each process + * lasts for a single connection. Dropbear should be invoked with the -i flag + * for inetd, and can only accept IPv4 connections. + * + * Both of these flags can be defined at once, don't compile without at least + * one of them. 
*/ +#ifndef NON_INETD_MODE +#define NON_INETD_MODE 1 +#endif +#ifndef INETD_MODE +#define INETD_MODE 1 +#endif + +/* Include verbose debug output, enabled with -v at runtime. + * This will add a reasonable amount to your executable size. */ +#ifndef DEBUG_TRACE +#define DEBUG_TRACE 0 +#endif + +/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save + * several kB in binary size however will make the symmetrical ciphers and hashes + * slower, perhaps by 50%. Recommended for small systems that aren't doing + * much traffic. */ +#ifndef DROPBEAR_SMALL_CODE +#define DROPBEAR_SMALL_CODE 1 +#endif + +/* Enable X11 Forwarding - server only */ +#ifndef DROPBEAR_X11FWD +#define DROPBEAR_X11FWD 1 +#endif + +/* Enable TCP Fowarding */ +/* 'Local' is "-L" style (client listening port forwarded via server) + * 'Remote' is "-R" style (server listening port forwarded via client) */ +#ifndef DROPBEAR_CLI_LOCALTCPFWD +#define DROPBEAR_CLI_LOCALTCPFWD 1 +#endif +#ifndef DROPBEAR_CLI_REMOTETCPFWD +#define DROPBEAR_CLI_REMOTETCPFWD 1 +#endif + +#ifndef DROPBEAR_SVR_LOCALTCPFWD +#define DROPBEAR_SVR_LOCALTCPFWD 1 +#endif +#ifndef DROPBEAR_SVR_REMOTETCPFWD +#define DROPBEAR_SVR_REMOTETCPFWD 1 +#endif + +/* Enable Authentication Agent Forwarding */ +#ifndef DROPBEAR_SVR_AGENTFWD +#define DROPBEAR_SVR_AGENTFWD 1 +#endif +#ifndef DROPBEAR_CLI_AGENTFWD +#define DROPBEAR_CLI_AGENTFWD 1 +#endif + +/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to + * allow multihop dbclient connections */ + +/* Allow using -J to run the connection through a + pipe to a program, rather the normal TCP connection */ +#ifndef DROPBEAR_CLI_PROXYCMD +#define DROPBEAR_CLI_PROXYCMD 1 +#endif + +/* Enable "Netcat mode" option. 
This will forward standard input/output + * to a remote TCP-forwarded connection */ +#ifndef DROPBEAR_CLI_NETCAT +#define DROPBEAR_CLI_NETCAT 1 +#endif + +/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ +#ifndef DROPBEAR_USER_ALGO_LIST +#define DROPBEAR_USER_ALGO_LIST 1 +#endif + +/* Encryption - at least one required. + * AES128 should be enabled, some very old implementations might only + * support 3DES. + * Including both AES keysize variants (128 and 256) will result in + * a minimal size increase */ +#ifndef DROPBEAR_AES128 +#define DROPBEAR_AES128 1 +#endif +#ifndef DROPBEAR_3DES +#define DROPBEAR_3DES 1 +#endif +#ifndef DROPBEAR_AES256 +#define DROPBEAR_AES256 1 +#endif +#ifndef DROPBEAR_TWOFISH256 +#define DROPBEAR_TWOFISH256 0 +#endif +#ifndef DROPBEAR_TWOFISH128 +#define DROPBEAR_TWOFISH128 0 +#endif +/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ +#ifndef DROPBEAR_BLOWFISH +#define DROPBEAR_BLOWFISH 0 +#endif + +/* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +#ifndef DROPBEAR_ENABLE_CBC_MODE +#define DROPBEAR_ENABLE_CBC_MODE 1 +#endif + +/* Enable "Counter Mode" for ciphers. This is more secure than + * CBC mode against certain attacks. It is recommended for security + * and forwards compatibility */ +#ifndef DROPBEAR_ENABLE_CTR_MODE +#define DROPBEAR_ENABLE_CTR_MODE 1 +#endif + +/* Enable "Galois/Counter Mode" for ciphers. This authenticated + * encryption mode is combination of CTR mode and GHASH. Recommended + * for security and forwards compatibility, but slower than CTR on + * CPU w/o dedicated AES/GHASH instructions. + * Compiling in will add ~6kB to binary size on x86-64 */ +#ifndef DROPBEAR_ENABLE_GCM_MODE +#define DROPBEAR_ENABLE_GCM_MODE 0 +#endif + +/* Enable Chacha20-Poly1305 authenticated encryption mode. 
This is + * generally faster than AES256 on CPU w/o dedicated AES instructions, + * having the same key size. + * Compiling in will add ~5,5kB to binary size on x86-64 */ +#ifndef DROPBEAR_CHACHA20POLY1305 +#define DROPBEAR_CHACHA20POLY1305 1 +#endif + +/* Message integrity. sha2-256 is recommended as a default, + sha1 for compatibility */ +#ifndef DROPBEAR_SHA1_HMAC +#define DROPBEAR_SHA1_HMAC 1 +#endif +#ifndef DROPBEAR_SHA1_96_HMAC +#define DROPBEAR_SHA1_96_HMAC 1 +#endif +#ifndef DROPBEAR_SHA2_256_HMAC +#define DROPBEAR_SHA2_256_HMAC 1 +#endif + +/* Hostkey/public key algorithms - at least one required, these are used + * for hostkey as well as for verifying signatures with pubkey auth. + * Removing either of these won't save very much space. + * RSA is recommended + * DSS may be necessary to connect to some systems though + is not recommended for new keys */ +#ifndef DROPBEAR_RSA +#define DROPBEAR_RSA 1 +#endif +#ifndef DROPBEAR_DSS +#define DROPBEAR_DSS 1 +#endif +/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC + * code (either ECDSA or ECDH) increases binary size - around 30kB + * on x86-64 */ +#ifndef DROPBEAR_ECDSA +#define DROPBEAR_ECDSA 1 +#endif +/* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases + binary size - around 7,5kB on x86-64 */ +#ifndef DROPBEAR_ED25519 +#define DROPBEAR_ED25519 1 +#endif + +/* RSA must be >=1024 */ +#ifndef DROPBEAR_DEFAULT_RSA_SIZE +#define DROPBEAR_DEFAULT_RSA_SIZE 2048 +#endif +/* DSS is always 1024 */ +/* ECDSA defaults to largest size configured, usually 521 */ +/* Ed25519 is always 256 */ + +/* Add runtime flag "-R" to generate hostkeys as-needed when the first + connection using that key type occurs. + This avoids the need to otherwise run "dropbearkey" and avoids some problems + with badly seeded /dev/urandom when systems first boot. */ +#ifndef DROPBEAR_DELAY_HOSTKEY +#define DROPBEAR_DELAY_HOSTKEY 1 +#endif + + +/* Key exchange algorithm. 
+ + * group14_sha1 - 2048 bit, sha1 + * group14_sha256 - 2048 bit, sha2-256 + * group16 - 4096 bit, sha2-512 + * group1 - 1024 bit, sha1 + * curve25519 - elliptic curve DH + * ecdh - NIST elliptic curve DH (256, 384, 521) + * + * group1 is too small for security though is necessary if you need + compatibility with some implementations such as Dropbear versions < 0.53 + * group14 is supported by most implementations. + * group16 provides a greater strength level but is slower and increases binary size + * curve25519 and ecdh algorithms are faster than non-elliptic curve methods + * curve25519 increases binary size by ~2,5kB on x86-64 + * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 + + * Small systems should generally include either curve25519 or ecdh for performance. + * curve25519 is less widely supported but is faster + */ +#ifndef DROPBEAR_DH_GROUP14_SHA1 +#define DROPBEAR_DH_GROUP14_SHA1 1 +#endif +#ifndef DROPBEAR_DH_GROUP14_SHA256 +#define DROPBEAR_DH_GROUP14_SHA256 1 +#endif +#ifndef DROPBEAR_DH_GROUP16 +#define DROPBEAR_DH_GROUP16 0 +#endif +#ifndef DROPBEAR_CURVE25519 +#define DROPBEAR_CURVE25519 1 +#endif +#ifndef DROPBEAR_ECDH +#define DROPBEAR_ECDH 1 +#endif +#ifndef DROPBEAR_DH_GROUP1 +#define DROPBEAR_DH_GROUP1 1 +#endif + +/* When group1 is enabled it will only be allowed by Dropbear client +not as a server, due to concerns over its strength. Set to 0 to allow +group1 in Dropbear server too */ +#ifndef DROPBEAR_DH_GROUP1_CLIENTONLY +#define DROPBEAR_DH_GROUP1_CLIENTONLY 1 +#endif + +/* Control the memory/performance/compression tradeoff for zlib. + * Set windowBits=8 for least memory usage, see your system's + * zlib.h for full details. + * Default settings (windowBits=15) will use 256kB for compression + * windowBits=8 will use 129kB for compression. 
+ * Both modes will use ~35kB for decompression (using windowBits=15 for + * interoperability) */ +#ifndef DROPBEAR_ZLIB_WINDOW_BITS +#define DROPBEAR_ZLIB_WINDOW_BITS 15 +#endif + +/* Whether to do reverse DNS lookups. */ +#ifndef DO_HOST_LOOKUP +#define DO_HOST_LOOKUP 0 +#endif + +/* Whether to print the message of the day (MOTD). */ +#ifndef DO_MOTD +#define DO_MOTD 1 +#endif +#ifndef MOTD_FILENAME +#define MOTD_FILENAME "/etc/motd" +#endif + +/* Authentication Types - at least one required. + RFC Draft requires pubkey auth, and recommends password */ +#ifndef DROPBEAR_SVR_PASSWORD_AUTH +#define DROPBEAR_SVR_PASSWORD_AUTH 1 +#endif + +/* Note: PAM auth is quite simple and only works for PAM modules which just do + * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). + * It's useful for systems like OS X where standard password crypts don't work + * but there's an interface via a PAM module. It won't work for more complex + * PAM challenge/response. + * You can't enable both PASSWORD and PAM. */ +#ifndef DROPBEAR_SVR_PAM_AUTH +#define DROPBEAR_SVR_PAM_AUTH 0 +#endif + +/* ~/.ssh/authorized_keys authentication */ +#ifndef DROPBEAR_SVR_PUBKEY_AUTH +#define DROPBEAR_SVR_PUBKEY_AUTH 1 +#endif + +/* Whether to take public key options in + * authorized_keys file into account */ +#ifndef DROPBEAR_SVR_PUBKEY_OPTIONS +#define DROPBEAR_SVR_PUBKEY_OPTIONS 1 +#endif + +/* Set this to 0 if your system does not have multiple user support. + (Linux kernel CONFIG_MULTIUSER option) + The resulting binary will not run on a normal system. */ +#ifndef DROPBEAR_SVR_MULTIUSER +#define DROPBEAR_SVR_MULTIUSER 1 +#endif + +/* Client authentication options */ +#ifndef DROPBEAR_CLI_PASSWORD_AUTH +#define DROPBEAR_CLI_PASSWORD_AUTH 1 +#endif +#ifndef DROPBEAR_CLI_PUBKEY_AUTH +#define DROPBEAR_CLI_PUBKEY_AUTH 1 +#endif + +/* A default argument for dbclient -i . 
+Homedir is prepended unless path begins with / */ +#ifndef DROPBEAR_DEFAULT_CLI_AUTHKEY +#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" +#endif + +/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD + * environment variable. */ +#ifndef DROPBEAR_USE_PASSWORD_ENV +#define DROPBEAR_USE_PASSWORD_ENV 1 +#endif + +/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of + * a helper program for the ssh client. The helper program should be + * specified in the SSH_ASKPASS environment variable, and dbclient + * should be run with DISPLAY set and no tty. The program should + * return the password on standard output */ +#ifndef DROPBEAR_CLI_ASKPASS_HELPER +#define DROPBEAR_CLI_ASKPASS_HELPER 0 +#endif + +/* Save a network roundtrip by sendng a real auth request immediately after + * sending a query for the available methods. This is not yet enabled by default + since it could cause problems with non-compliant servers */ +#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH +#define DROPBEAR_CLI_IMMEDIATE_AUTH 0 +#endif + +/* Set this to use PRNGD or EGD instead of /dev/urandom */ +#ifndef DROPBEAR_USE_PRNGD +#define DROPBEAR_USE_PRNGD 0 +#endif +#ifndef DROPBEAR_PRNGD_SOCKET +#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" +#endif + +/* Specify the number of clients we will allow to be connected but + * not yet authenticated. After this limit, connections are rejected */ +/* The first setting is per-IP, to avoid denial of service */ +#ifndef MAX_UNAUTH_PER_IP +#define MAX_UNAUTH_PER_IP 5 +#endif + +/* And then a global limit to avoid chewing memory if connections + * come from many IPs */ +#ifndef MAX_UNAUTH_CLIENTS +#define MAX_UNAUTH_CLIENTS 30 +#endif + +/* Default maximum number of failed authentication tries (server option) */ +/* -T server option overrides */ +#ifndef MAX_AUTH_TRIES +#define MAX_AUTH_TRIES 10 +#endif + +/* The default file to store the daemon's process ID, for shutdown + scripts etc. 
This can be overridden with the -P flag */ +#ifndef DROPBEAR_PIDFILE +#define DROPBEAR_PIDFILE "/var/run/dropbear.pid" +#endif + +/* The command to invoke for xauth when using X11 forwarding. + * "-q" for quiet */ +#ifndef XAUTH_COMMAND +#define XAUTH_COMMAND "/usr/bin/xauth -q" +#endif + + +/* if you want to enable running an sftp server (such as the one included with + * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. + * The sftp-server program is not provided by Dropbear itself */ +#ifndef DROPBEAR_SFTPSERVER +#define DROPBEAR_SFTPSERVER 1 +#endif +#ifndef SFTPSERVER_PATH +#define SFTPSERVER_PATH "/usr/libexec/sftp-server" +#endif + +/* This is used by the scp binary when used as a client binary. If you're + * not using the Dropbear client, you'll need to change it */ +#ifndef DROPBEAR_PATH_SSH_PROGRAM +#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient" +#endif + +/* Whether to log commands executed by a client. This only logs the + * (single) command sent to the server, not what a user did in a + * shell/sftp session etc. */ +#ifndef LOG_COMMANDS +#define LOG_COMMANDS 0 +#endif + +/* Window size limits. These tend to be a trade-off between memory + usage and network performance: */ +/* Size of the network receive window. This amount of memory is allocated + as a per-channel receive buffer. Increasing this value can make a + significant difference to network performance. 24kB was empirically + chosen for a 100mbit ethernet network. The value can be altered at + runtime with the -W argument. */ +#ifndef DEFAULT_RECV_WINDOW +#define DEFAULT_RECV_WINDOW 24576 +#endif +/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768 + in order to interoperate with other implementations */ +#ifndef RECV_MAX_PAYLOAD_LEN +#define RECV_MAX_PAYLOAD_LEN 32768 +#endif +/* Maximum size of a transmitted data packet - this can be any value, + though increasing it may not make a significant difference. 
*/ +#ifndef TRANS_MAX_PAYLOAD_LEN +#define TRANS_MAX_PAYLOAD_LEN 16384 +#endif + +/* Ensure that data is transmitted every KEEPALIVE seconds. This can +be overridden at runtime with -K. 0 disables keepalives */ +#ifndef DEFAULT_KEEPALIVE +#define DEFAULT_KEEPALIVE 0 +#endif + +/* Enable TCP socket level keep alive probes after this many seconds. This can +be overridden at runtime with -k. 0 disables TCP keepalives. +A negative value starts them ony after a the system defined default time elapsed + OR, if SSH KEEPALIVE != 0, SSH KEEPALIVE * KEEPALIVE_LIMIT seconds */ +#ifndef DEFAULT_TCP_ALIVE +#define DEFAULT_TCP_ALIVE 0 +#endif + +/* If this many KEEPALIVES are sent with no packets received from the +other side, exit. Not run-time configurable - if you have a need +for runtime configuration please mail the Dropbear list */ +#ifndef DEFAULT_KEEPALIVE_LIMIT +#define DEFAULT_KEEPALIVE_LIMIT 3 +#endif + +/* Ensure that data is received within IDLE_TIMEOUT seconds. This can +be overridden at runtime with -I. 0 disables idle timeouts */ +#ifndef DEFAULT_IDLE_TIMEOUT +#define DEFAULT_IDLE_TIMEOUT 0 +#endif + +/* The default path. This will often get replaced by the shell */ +#ifndef DEFAULT_PATH +#define DEFAULT_PATH "/usr/bin:/bin" +#endif + +#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ From e0dc1d6e3f154a6c95714c9c787460e880a2c1f7 Mon Sep 17 00:00:00 2001 From: Brent Roman Date: Sat, 30 May 2020 14:08:24 -0700 Subject: [PATCH 6/7] Added DEFAULT_TCP_ALIVE --- default_options_guard.h | 490 ---------------------------------------- 1 file changed, 490 deletions(-) delete mode 100644 default_options_guard.h diff --git a/default_options_guard.h b/default_options_guard.h deleted file mode 100644 index 7016c0a0c..000000000 --- a/default_options_guard.h +++ /dev/null 
@@ -1,490 +0,0 @@
-/*
- > > > Do not edit this file (default_options_guard.h) < < <
-Generated from default_options.h
-Local customisation goes in localoptions.h
-*/
-
-#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
-#define DROPBEAR_DEFAULT_OPTIONS_H_
-/*
- > > > Read This < < <
-
-default_options.h documents compile-time options, and provides default values.
-
-Local customisation should be added to localoptions.h which is
-used if it exists in the build directory. Options defined there will override
-any options in this file.
-
-Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS
-
-IMPORTANT: Some options will require "make clean" after changes */
-
-#ifndef DROPBEAR_DEFPORT
-#define DROPBEAR_DEFPORT "22"
-#endif
-
-/* Listen on all interfaces */
-#ifndef DROPBEAR_DEFADDRESS
-#define DROPBEAR_DEFADDRESS ""
-#endif
-
-/* Default hostkey paths - these can be specified on the command line */
-#ifndef DSS_PRIV_FILENAME
-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
-#endif
-#ifndef RSA_PRIV_FILENAME
-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
-#endif
-#ifndef ECDSA_PRIV_FILENAME
-#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
-#endif
-#ifndef ED25519_PRIV_FILENAME
-#define ED25519_PRIV_FILENAME "/etc/dropbear/dropbear_ed25519_host_key"
-#endif
-
-/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
- * on chosen ports and keeps accepting connections. This is the default.
- *
- * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
- * similar), where it will use stdin/stdout for connections, and each process
- * lasts for a single connection. Dropbear should be invoked with the -i flag
- * for inetd, and can only accept IPv4 connections.
- *
- * Both of these flags can be defined at once, don't compile without at least
- * one of them. 
*/
-#ifndef NON_INETD_MODE
-#define NON_INETD_MODE 1
-#endif
-#ifndef INETD_MODE
-#define INETD_MODE 1
-#endif
-
-/* Include verbose debug output, enabled with -v at runtime.
- * This will add a reasonable amount to your executable size. */
-#ifndef DEBUG_TRACE
-#define DEBUG_TRACE 0
-#endif
-
-/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
- * several kB in binary size however will make the symmetrical ciphers and hashes
- * slower, perhaps by 50%. Recommended for small systems that aren't doing
- * much traffic. */
-#ifndef DROPBEAR_SMALL_CODE
-#define DROPBEAR_SMALL_CODE 1
-#endif
-
-/* Enable X11 Forwarding - server only */
-#ifndef DROPBEAR_X11FWD
-#define DROPBEAR_X11FWD 1
-#endif
-
-/* Enable TCP Fowarding */
-/* 'Local' is "-L" style (client listening port forwarded via server)
- * 'Remote' is "-R" style (server listening port forwarded via client) */
-#ifndef DROPBEAR_CLI_LOCALTCPFWD
-#define DROPBEAR_CLI_LOCALTCPFWD 1
-#endif
-#ifndef DROPBEAR_CLI_REMOTETCPFWD
-#define DROPBEAR_CLI_REMOTETCPFWD 1
-#endif
-
-#ifndef DROPBEAR_SVR_LOCALTCPFWD
-#define DROPBEAR_SVR_LOCALTCPFWD 1
-#endif
-#ifndef DROPBEAR_SVR_REMOTETCPFWD
-#define DROPBEAR_SVR_REMOTETCPFWD 1
-#endif
-
-/* Enable Authentication Agent Forwarding */
-#ifndef DROPBEAR_SVR_AGENTFWD
-#define DROPBEAR_SVR_AGENTFWD 1
-#endif
-#ifndef DROPBEAR_CLI_AGENTFWD
-#define DROPBEAR_CLI_AGENTFWD 1
-#endif
-
-/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
- * allow multihop dbclient connections */
-
-/* Allow using -J to run the connection through a
- pipe to a program, rather the normal TCP connection */
-#ifndef DROPBEAR_CLI_PROXYCMD
-#define DROPBEAR_CLI_PROXYCMD 1
-#endif
-
-/* Enable "Netcat mode" option. 
This will forward standard input/output
- * to a remote TCP-forwarded connection */
-#ifndef DROPBEAR_CLI_NETCAT
-#define DROPBEAR_CLI_NETCAT 1
-#endif
-
-/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
-#ifndef DROPBEAR_USER_ALGO_LIST
-#define DROPBEAR_USER_ALGO_LIST 1
-#endif
-
-/* Encryption - at least one required.
- * AES128 should be enabled, some very old implementations might only
- * support 3DES.
- * Including both AES keysize variants (128 and 256) will result in
- * a minimal size increase */
-#ifndef DROPBEAR_AES128
-#define DROPBEAR_AES128 1
-#endif
-#ifndef DROPBEAR_3DES
-#define DROPBEAR_3DES 1
-#endif
-#ifndef DROPBEAR_AES256
-#define DROPBEAR_AES256 1
-#endif
-#ifndef DROPBEAR_TWOFISH256
-#define DROPBEAR_TWOFISH256 0
-#endif
-#ifndef DROPBEAR_TWOFISH128
-#define DROPBEAR_TWOFISH128 0
-#endif
-/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
-#ifndef DROPBEAR_BLOWFISH
-#define DROPBEAR_BLOWFISH 0
-#endif
-
-/* Enable CBC mode for ciphers. This has security issues though
- * is the most compatible with older SSH implementations */
-#ifndef DROPBEAR_ENABLE_CBC_MODE
-#define DROPBEAR_ENABLE_CBC_MODE 1
-#endif
-
-/* Enable "Counter Mode" for ciphers. This is more secure than
- * CBC mode against certain attacks. It is recommended for security
- * and forwards compatibility */
-#ifndef DROPBEAR_ENABLE_CTR_MODE
-#define DROPBEAR_ENABLE_CTR_MODE 1
-#endif
-
-/* Enable "Galois/Counter Mode" for ciphers. This authenticated
- * encryption mode is combination of CTR mode and GHASH. Recommended
- * for security and forwards compatibility, but slower than CTR on
- * CPU w/o dedicated AES/GHASH instructions.
- * Compiling in will add ~6kB to binary size on x86-64 */
-#ifndef DROPBEAR_ENABLE_GCM_MODE
-#define DROPBEAR_ENABLE_GCM_MODE 0
-#endif
-
-/* Enable Chacha20-Poly1305 authenticated encryption mode. 
This is
- * generally faster than AES256 on CPU w/o dedicated AES instructions,
- * having the same key size.
- * Compiling in will add ~5,5kB to binary size on x86-64 */
-#ifndef DROPBEAR_CHACHA20POLY1305
-#define DROPBEAR_CHACHA20POLY1305 1
-#endif
-
-/* Message integrity. sha2-256 is recommended as a default,
- sha1 for compatibility */
-#ifndef DROPBEAR_SHA1_HMAC
-#define DROPBEAR_SHA1_HMAC 1
-#endif
-#ifndef DROPBEAR_SHA1_96_HMAC
-#define DROPBEAR_SHA1_96_HMAC 1
-#endif
-#ifndef DROPBEAR_SHA2_256_HMAC
-#define DROPBEAR_SHA2_256_HMAC 1
-#endif
-
-/* Hostkey/public key algorithms - at least one required, these are used
- * for hostkey as well as for verifying signatures with pubkey auth.
- * Removing either of these won't save very much space.
- * RSA is recommended
- * DSS may be necessary to connect to some systems though
- is not recommended for new keys */
-#ifndef DROPBEAR_RSA
-#define DROPBEAR_RSA 1
-#endif
-#ifndef DROPBEAR_DSS
-#define DROPBEAR_DSS 1
-#endif
-/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
- * code (either ECDSA or ECDH) increases binary size - around 30kB
- * on x86-64 */
-#ifndef DROPBEAR_ECDSA
-#define DROPBEAR_ECDSA 1
-#endif
-/* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases
- binary size - around 7,5kB on x86-64 */
-#ifndef DROPBEAR_ED25519
-#define DROPBEAR_ED25519 1
-#endif
-
-/* RSA must be >=1024 */
-#ifndef DROPBEAR_DEFAULT_RSA_SIZE
-#define DROPBEAR_DEFAULT_RSA_SIZE 2048
-#endif
-/* DSS is always 1024 */
-/* ECDSA defaults to largest size configured, usually 521 */
-/* Ed25519 is always 256 */
-
-/* Add runtime flag "-R" to generate hostkeys as-needed when the first
- connection using that key type occurs.
- This avoids the need to otherwise run "dropbearkey" and avoids some problems
- with badly seeded /dev/urandom when systems first boot. */
-#ifndef DROPBEAR_DELAY_HOSTKEY
-#define DROPBEAR_DELAY_HOSTKEY 1
-#endif
-
-
-/* Key exchange algorithm. 
-
- * group14_sha1 - 2048 bit, sha1
- * group14_sha256 - 2048 bit, sha2-256
- * group16 - 4096 bit, sha2-512
- * group1 - 1024 bit, sha1
- * curve25519 - elliptic curve DH
- * ecdh - NIST elliptic curve DH (256, 384, 521)
- *
- * group1 is too small for security though is necessary if you need
- compatibility with some implementations such as Dropbear versions < 0.53
- * group14 is supported by most implementations.
- * group16 provides a greater strength level but is slower and increases binary size
- * curve25519 and ecdh algorithms are faster than non-elliptic curve methods
- * curve25519 increases binary size by ~2,5kB on x86-64
- * including either ECDH or ECDSA increases binary size by ~30kB on x86-64
-
- * Small systems should generally include either curve25519 or ecdh for performance.
- * curve25519 is less widely supported but is faster
- */
-#ifndef DROPBEAR_DH_GROUP14_SHA1
-#define DROPBEAR_DH_GROUP14_SHA1 1
-#endif
-#ifndef DROPBEAR_DH_GROUP14_SHA256
-#define DROPBEAR_DH_GROUP14_SHA256 1
-#endif
-#ifndef DROPBEAR_DH_GROUP16
-#define DROPBEAR_DH_GROUP16 0
-#endif
-#ifndef DROPBEAR_CURVE25519
-#define DROPBEAR_CURVE25519 1
-#endif
-#ifndef DROPBEAR_ECDH
-#define DROPBEAR_ECDH 1
-#endif
-#ifndef DROPBEAR_DH_GROUP1
-#define DROPBEAR_DH_GROUP1 1
-#endif
-
-/* When group1 is enabled it will only be allowed by Dropbear client
-not as a server, due to concerns over its strength. Set to 0 to allow
-group1 in Dropbear server too */
-#ifndef DROPBEAR_DH_GROUP1_CLIENTONLY
-#define DROPBEAR_DH_GROUP1_CLIENTONLY 1
-#endif
-
-/* Control the memory/performance/compression tradeoff for zlib.
- * Set windowBits=8 for least memory usage, see your system's
- * zlib.h for full details.
- * Default settings (windowBits=15) will use 256kB for compression
- * windowBits=8 will use 129kB for compression. 
-
- * Both modes will use ~35kB for decompression (using windowBits=15 for
- * interoperability) */
-#ifndef DROPBEAR_ZLIB_WINDOW_BITS
-#define DROPBEAR_ZLIB_WINDOW_BITS 15
-#endif
-
-/* Whether to do reverse DNS lookups. */
-#ifndef DO_HOST_LOOKUP
-#define DO_HOST_LOOKUP 0
-#endif
-
-/* Whether to print the message of the day (MOTD). */
-#ifndef DO_MOTD
-#define DO_MOTD 1
-#endif
-#ifndef MOTD_FILENAME
-#define MOTD_FILENAME "/etc/motd"
-#endif
-
-/* Authentication Types - at least one required.
- RFC Draft requires pubkey auth, and recommends password */
-#ifndef DROPBEAR_SVR_PASSWORD_AUTH
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
-#endif
-
-/* Note: PAM auth is quite simple and only works for PAM modules which just do
- * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
- * It's useful for systems like OS X where standard password crypts don't work
- * but there's an interface via a PAM module. It won't work for more complex
- * PAM challenge/response.
- * You can't enable both PASSWORD and PAM. */
-#ifndef DROPBEAR_SVR_PAM_AUTH
-#define DROPBEAR_SVR_PAM_AUTH 0
-#endif
-
-/* ~/.ssh/authorized_keys authentication */
-#ifndef DROPBEAR_SVR_PUBKEY_AUTH
-#define DROPBEAR_SVR_PUBKEY_AUTH 1
-#endif
-
-/* Whether to take public key options in
- * authorized_keys file into account */
-#ifndef DROPBEAR_SVR_PUBKEY_OPTIONS
-#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
-#endif
-
-/* Set this to 0 if your system does not have multiple user support.
- (Linux kernel CONFIG_MULTIUSER option)
- The resulting binary will not run on a normal system. */
-#ifndef DROPBEAR_SVR_MULTIUSER
-#define DROPBEAR_SVR_MULTIUSER 1
-#endif
-
-/* Client authentication options */
-#ifndef DROPBEAR_CLI_PASSWORD_AUTH
-#define DROPBEAR_CLI_PASSWORD_AUTH 1
-#endif
-#ifndef DROPBEAR_CLI_PUBKEY_AUTH
-#define DROPBEAR_CLI_PUBKEY_AUTH 1
-#endif
-
-/* A default argument for dbclient -i . 
-Homedir is prepended unless path begins with / */
-#ifndef DROPBEAR_DEFAULT_CLI_AUTHKEY
-#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
-#endif
-
-/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
- * environment variable. */
-#ifndef DROPBEAR_USE_PASSWORD_ENV
-#define DROPBEAR_USE_PASSWORD_ENV 1
-#endif
-
-/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
- * a helper program for the ssh client. The helper program should be
- * specified in the SSH_ASKPASS environment variable, and dbclient
- * should be run with DISPLAY set and no tty. The program should
- * return the password on standard output */
-#ifndef DROPBEAR_CLI_ASKPASS_HELPER
-#define DROPBEAR_CLI_ASKPASS_HELPER 0
-#endif
-
-/* Save a network roundtrip by sendng a real auth request immediately after
- * sending a query for the available methods. This is not yet enabled by default
- since it could cause problems with non-compliant servers */
-#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
-#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
-#endif
-
-/* Set this to use PRNGD or EGD instead of /dev/urandom */
-#ifndef DROPBEAR_USE_PRNGD
-#define DROPBEAR_USE_PRNGD 0
-#endif
-#ifndef DROPBEAR_PRNGD_SOCKET
-#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
-#endif
-
-/* Specify the number of clients we will allow to be connected but
- * not yet authenticated. After this limit, connections are rejected */
-/* The first setting is per-IP, to avoid denial of service */
-#ifndef MAX_UNAUTH_PER_IP
-#define MAX_UNAUTH_PER_IP 5
-#endif
-
-/* And then a global limit to avoid chewing memory if connections
- * come from many IPs */
-#ifndef MAX_UNAUTH_CLIENTS
-#define MAX_UNAUTH_CLIENTS 30
-#endif
-
-/* Default maximum number of failed authentication tries (server option) */
-/* -T server option overrides */
-#ifndef MAX_AUTH_TRIES
-#define MAX_AUTH_TRIES 10
-#endif
-
-/* The default file to store the daemon's process ID, for shutdown
- scripts etc. 
This can be overridden with the -P flag */
-#ifndef DROPBEAR_PIDFILE
-#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
-#endif
-
-/* The command to invoke for xauth when using X11 forwarding.
- * "-q" for quiet */
-#ifndef XAUTH_COMMAND
-#define XAUTH_COMMAND "/usr/bin/xauth -q"
-#endif
-
-
-/* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
- * The sftp-server program is not provided by Dropbear itself */
-#ifndef DROPBEAR_SFTPSERVER
-#define DROPBEAR_SFTPSERVER 1
-#endif
-#ifndef SFTPSERVER_PATH
-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
-#endif
-
-/* This is used by the scp binary when used as a client binary. If you're
- * not using the Dropbear client, you'll need to change it */
-#ifndef DROPBEAR_PATH_SSH_PROGRAM
-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
-#endif
-
-/* Whether to log commands executed by a client. This only logs the
- * (single) command sent to the server, not what a user did in a
- * shell/sftp session etc. */
-#ifndef LOG_COMMANDS
-#define LOG_COMMANDS 0
-#endif
-
-/* Window size limits. These tend to be a trade-off between memory
- usage and network performance: */
-/* Size of the network receive window. This amount of memory is allocated
- as a per-channel receive buffer. Increasing this value can make a
- significant difference to network performance. 24kB was empirically
- chosen for a 100mbit ethernet network. The value can be altered at
- runtime with the -W argument. */
-#ifndef DEFAULT_RECV_WINDOW
-#define DEFAULT_RECV_WINDOW 24576
-#endif
-/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
- in order to interoperate with other implementations */
-#ifndef RECV_MAX_PAYLOAD_LEN
-#define RECV_MAX_PAYLOAD_LEN 32768
-#endif
-/* Maximum size of a transmitted data packet - this can be any value,
- though increasing it may not make a significant difference. 
*/
-#ifndef TRANS_MAX_PAYLOAD_LEN
-#define TRANS_MAX_PAYLOAD_LEN 16384
-#endif
-
-/* Ensure that data is transmitted every KEEPALIVE seconds. This can
-be overridden at runtime with -K. 0 disables keepalives */
-#ifndef DEFAULT_KEEPALIVE
-#define DEFAULT_KEEPALIVE 0
-#endif
-
-/* Enable TCP socket level keep alive probes after this many seconds. This can
-be overridden at runtime with -k. 0 disables TCP keepalives.
-A negative value starts them ony after a the system defined default time elapsed
- OR, if SSH KEEPALIVE != 0, SSH KEEPALIVE * KEEPALIVE_LIMIT seconds */
-#ifndef DEFAULT_TCP_ALIVE
-#define DEFAULT_TCP_ALIVE 0
-#endif
-
-/* If this many KEEPALIVES are sent with no packets received from the
-other side, exit. Not run-time configurable - if you have a need
-for runtime configuration please mail the Dropbear list */
-#ifndef DEFAULT_KEEPALIVE_LIMIT
-#define DEFAULT_KEEPALIVE_LIMIT 3
-#endif
-
-/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
-be overridden at runtime with -I. 0 disables idle timeouts */
-#ifndef DEFAULT_IDLE_TIMEOUT
-#define DEFAULT_IDLE_TIMEOUT 0
-#endif
-
-/* The default path. This will often get replaced by the shell */
-#ifndef DEFAULT_PATH
-#define DEFAULT_PATH "/usr/bin:/bin"
-#endif
-
-#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
From 0f0261479f69811a7bda0b2b2a5635cd29d14458 Mon Sep 17 00:00:00 2001
From: Brent Roman
Date: Sat, 30 May 2020 14:21:28 -0700
Subject: [PATCH 7/7] added DEFAULT_TCP_ALIVE
---
 default_options.h | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/default_options.h b/default_options.h
index 2ca01b3ae..3f871e1bd 100644
--- a/default_options.h
+++ b/default_options.h
@@ -308,6 +308,12 @@ other side, exit. Not run-time configurable - if you have a need
 for runtime configuration please mail the Dropbear list */
 #define DEFAULT_KEEPALIVE_LIMIT 3
 
+/* Enable TCP socket level keep alive probes after this many seconds. This can
+be overridden at runtime with -k. 0 disables TCP keepalives.
+A negative value starts them ony after a the system defined default time elapsed
+ OR, if SSH KEEPALIVE != 0, SSH KEEPALIVE * KEEPALIVE_LIMIT seconds */
+#define DEFAULT_TCP_ALIVE 0
+
 /* Ensure that data is received within IDLE_TIMEOUT seconds. This can
 be overridden at runtime with -I. 0 disables idle timeouts */
 #define DEFAULT_IDLE_TIMEOUT 0
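Review bot: The comment added above `#define DEFAULT_TCP_ALIVE 0` has a garbled clause, `A negative value starts them ony after a the system defined default time elapsed`; it should read `A negative value starts them only after the system-defined default time has elapsed`. The comment also documents a runtime `-k` override and a fallback of `SSH KEEPALIVE * KEEPALIVE_LIMIT` seconds for negative values, but nothing in this hunk establishes either, so the option parsing and the negative-value handling presumably live in other files of this series and should be checked against this wording before it becomes the documented default. The same text was added to the generated guard header earlier in the series (the one this series also deletes, whose banner says it is generated from default_options.h), so the wording fix belongs here in the source file and any regenerated copy should be refreshed from it.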