From d196b1fc2eddf7cbab4351452b6fc9b41f15b142 Mon Sep 17 00:00:00 2001
From: Steven Barth <cyrus@openwrt.org>
Date: Mon, 7 Sep 2015 19:29:25 +0000
Subject: [PATCH] Disable telnet in favor of passwordless SSH

This enables passwordless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support altogether.

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46809
---
 package/base-files/files/bin/login.sh         |  3 +-
 .../files/lib/preinit/99_10_failsafe_login    |  5 ++-
 package/network/services/dropbear/Makefile    |  2 +-
 .../patches/120-openwrt_options.patch         | 11 ++++++
 .../600-allow-blank-root-password.patch       | 11 ++++++
 ...610-skip-default-keys-in-custom-runs.patch | 18 +++++++++
 package/utils/busybox/Config-defaults.in      |  8 ++--
 package/utils/busybox/Makefile                |  1 -
 package/utils/busybox/files/telnet            | 38 -------------------
 9 files changed, 49 insertions(+), 48 deletions(-)
 create mode 100644 package/network/services/dropbear/patches/600-allow-blank-root-password.patch
 create mode 100644 package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
 delete mode 100755 package/utils/busybox/files/telnet

diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh
index 25627b66b29..754d2908576 100755
--- a/package/base-files/files/bin/login.sh
+++ b/package/base-files/files/bin/login.sh
@@ -10,8 +10,7 @@ then
 else
 cat << EOF
  === IMPORTANT ============================
-  Use 'passwd' to set your login password
-  this will disable telnet and enable SSH
+  Use 'passwd' to set your login password!
  ------------------------------------------
 EOF
 fi
diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login
index 15dcbd884f1..b12e31702ab 100644
--- a/package/base-files/files/lib/preinit/99_10_failsafe_login
+++ b/package/base-files/files/lib/preinit/99_10_failsafe_login
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-	telnetd -l /bin/login.sh <> /dev/null 2>&1
+	dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+	dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
 
 failsafe_shell() {
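Review bot: The exit status of `dropbearkey` on the first added line is not checked, so if key generation fails (for example because /tmp is not writable) the next line still starts `dropbear -r` against a file that does not exist; `dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key || return 1` would make that failure visible rather than leaving it to dropbear's own handling. A 1024-bit RSA host key is also below what is generally recommended today; if the boot-time budget of failsafe allows it, `-s 2048` would be preferable. Since the key is regenerated on every failsafe boot, a comment such as `# fresh host key per failsafe boot; clients will see a changed fingerprint` would save the next reader a surprise. The rest of the script continues past the hunk.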
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8988e0db125..f140f36dccc 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index f3931b0cccb..805a0964abc 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,6 +18,17 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
 @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644
index 00000000000..7c67b086bba
--- /dev/null
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+ 				AUTH_METHOD_NONE_LEN) == 0) {
+ 		TRACE(("recv_msg_userauth_request: 'none' request"))
+ 		if (valid_user
+-				&& svr_opts.allowblankpass
++				&& (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ 				&& !svr_opts.noauthpass
+ 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+ 				&& ses.authstate.pw_passwd[0] == '\0') 
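Review bot: The new condition lets the `none` method succeed for root whenever the password field is empty, independently of `-B` (`svr_opts.allowblankpass`), so once this patch is applied the behaviour cannot be switched off from dropbear's command line; the `norootpass` and `pw_passwd[0] == '\0'` checks on the following lines are the only remaining gates. It also identifies root by name while the `norootpass` check two lines below uses `pw_uid == 0`; writing the new clause as `(svr_opts.allowblankpass || ses.authstate.pw_uid == 0)` would keep the two consistent. A comment on the changed line such as `/* OpenWrt: an account with an empty password field may log in without authentication until a password is set (fresh flash, failsafe) */` would document the intent for the next maintainer. `recv_msg_userauth_request` starts and ends outside the hunk.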
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644
index 00000000000..ee6d273344a
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+ 		m_free(hostkey_file);
+ 	}
+ 
++	if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+ 	loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+ 	loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++	}
+ 
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ 	if (svr_opts.delay_hostkey) {
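Review bot: The guard added at the top of the hunk keys on how many `-r` options were given, not on whether any of them actually loaded, so a `-r` file that is missing or unreadable now appears to leave dropbear with no host key where it previously fell back to the default locations; if that is the intended behaviour for custom runs, a comment on the new `if` line (`/* -r given: use only the specified keys, never the defaults */`) would record it. The `#ifdef` blocks wrapped by the new braces keep their old indentation, which hides the new nesting when reading the patched result. `load_all_hostkeys` starts and ends outside the hunk.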
diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
index 7b4cd99a5db..d961bfaaeeb 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
 	default n
 config BUSYBOX_DEFAULT_TELNET
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
 	bool
 	default n
 config BUSYBOX_DEFAULT_TELNETD
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
 	bool
 	default n
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 9571d48bec2..a65f44f8fe0 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -110,7 +110,6 @@ define Package/busybox/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(CP) $(PKG_INSTALL_DIR)/* $(1)/
 	$(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
-	$(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
 	$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
 	$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
 	-rm -rf $(1)/lib64
diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet
deleted file mode 100755
index a1d1cdf9b18..00000000000
--- a/package/utils/busybox/files/telnet
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
-	local pwd=$([ -f "$1" ] && cat "$1")
-	      pwd="${pwd#*root:}"
-	      pwd="${pwd%%:*}"
-
-	test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
-	local homedir=$([ -f "$1" ] && cat "$1")
-	homedir="${homedir#*:*:0:0:*:}"
-
-	echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
-	( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
-	( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
-	if ( ! has_ssh_pubkey && \
-	     ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
-	   ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
-	then
-		procd_open_instance
-		procd_set_param command "$PROG" -F -l /bin/login.sh
-		procd_close_instance
-	fi
-}
-- 
GitLab