* [Buildroot] [PATCH] dropbear: enable PAM athentication if linux-pam is selected
From: Carlos Santos @ 2018-06-28 20:19 UTC
To: buildroot
- Disable password file athentication, since it's not possible to have
both at once.
- Install a /etc/pam.d/sshd file, based on the ofe from from openssh.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
package/dropbear/dropbear.mk | 14 ++++++++++++++
package/dropbear/etc-pam.d-sshd | 7 +++++++
2 files changed, 21 insertions(+)
create mode 100644 package/dropbear/etc-pam.d-sshd
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..bb902bc7ce 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -34,6 +34,19 @@ ifeq ($(BR2_SHARED_STATIC_LIBS),y)
DROPBEAR_CONF_OPTS += --disable-static
endif
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define DROPBEAR_SVR_PAM_AUTH
+ echo '#define DROPBEAR_SVR_PASSWORD_AUTH 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_SVR_PAM_AUTH 1' >> $(@D)/localoptions.h
+endef
+define DROPBEAR_INSTALL_PAM_CONF
+ $(INSTALL) -D -m 644 package/dropbear/etc-pam.d-sshd $(TARGET_DIR)/etc/pam.d/sshd
+endef
+DROPBEAR_DEPENDENCIES += linux-pam
+DROPBEAR_CONF_OPTS += --enable-pam
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PAM_AUTH
+DROPBEAR_POST_INSTALL_TARGET_HOOKS += DROPBEAR_INSTALL_PAM_CONF
+else
# Ensure that dropbear doesn't use crypt() when it's not available
define DROPBEAR_SVR_PASSWORD_AUTH
echo '#if !HAVE_CRYPT' >> $(@D)/localoptions.h
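Review bot: the new `ifeq ($(BR2_PACKAGE_LINUX_PAM),y)` branch has no comment explaining why `DROPBEAR_SVR_PASSWORD_AUTH` is forced to 0, while the `else` branch next to it documents its crypt() guard. The reason lives only in the commit message (the two methods cannot be enabled at once); a one-line comment above `define DROPBEAR_SVR_PAM_AUTH` would keep it with the code. That comment should also say that the switch is keyed on linux-pam alone, so selecting linux-pam for any other package moves dropbear's password logins onto the PAM stack with no separate option to keep password-file authentication.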
@@ -41,6 +54,7 @@ define DROPBEAR_SVR_PASSWORD_AUTH
echo '#endif' >> $(@D)/localoptions.h
endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+endif
define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
diff --git a/package/dropbear/etc-pam.d-sshd b/package/dropbear/etc-pam.d-sshd
new file mode 100644
index 0000000000..5e13fc0d60
--- /dev/null
+++ b/package/dropbear/etc-pam.d-sshd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth required pam_unix.so shadow nodelay
+account required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so shadow nullok use_authtok
+session required pam_unix.so
+session required pam_limits.so
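Review bot: `nodelay` on the `auth required pam_unix.so shadow nodelay` line turns off the delay pam_unix requests after a failed authentication (on the order of two seconds by default), which for a network-facing SSH login removes a cheap brake on password guessing. Unless the delay is known to cause a problem with dropbear, consider dropping `nodelay` from the auth line, or state in the commit message why it is needed.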
--
2.14.4
* [Buildroot] [PATCH] dropbear: enable PAM athentication if linux-pam is selected
From: Baruch Siach @ 2018-06-29 4:36 UTC
To: buildroot
Hi Carlos,
On Thu, Jun 28, 2018 at 05:19:44PM -0300, Carlos Santos wrote:
> - Disable password file athentication, since it's not possible to have
> both at once.
> - Install a /etc/pam.d/sshd file, based on the ofe from from openssh.
Something went wrong in this sentence.
> Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* [Buildroot] [PATCH v2] dropbear: enable PAM athentication if linux-pam is selected
From: Carlos Santos @ 2018-06-29 10:58 UTC
To: buildroot
- Disable password file athentication, since it's not possible to have
both at once.
- Install a /etc/pam.d/sshd file, based on the one installed by openssh.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
Changes v1->v2:
- Fix commit message.
---
package/dropbear/dropbear.mk | 14 ++++++++++++++
package/dropbear/etc-pam.d-sshd | 7 +++++++
2 files changed, 21 insertions(+)
create mode 100644 package/dropbear/etc-pam.d-sshd
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..bb902bc7ce 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -34,6 +34,19 @@ ifeq ($(BR2_SHARED_STATIC_LIBS),y)
DROPBEAR_CONF_OPTS += --disable-static
endif
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define DROPBEAR_SVR_PAM_AUTH
+ echo '#define DROPBEAR_SVR_PASSWORD_AUTH 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_SVR_PAM_AUTH 1' >> $(@D)/localoptions.h
+endef
+define DROPBEAR_INSTALL_PAM_CONF
+ $(INSTALL) -D -m 644 package/dropbear/etc-pam.d-sshd $(TARGET_DIR)/etc/pam.d/sshd
+endef
+DROPBEAR_DEPENDENCIES += linux-pam
+DROPBEAR_CONF_OPTS += --enable-pam
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PAM_AUTH
+DROPBEAR_POST_INSTALL_TARGET_HOOKS += DROPBEAR_INSTALL_PAM_CONF
+else
# Ensure that dropbear doesn't use crypt() when it's not available
define DROPBEAR_SVR_PASSWORD_AUTH
echo '#if !HAVE_CRYPT' >> $(@D)/localoptions.h
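Review bot: `DROPBEAR_INSTALL_PAM_CONF` writes to `$(TARGET_DIR)/etc/pam.d/sshd`, the same path the commit message says openssh installs, so a configuration with both packages selected has two packages writing one target file and the surviving copy depends on build order. Either skip the install when `BR2_PACKAGE_OPENSSH` is set, or add a comment above the `define` stating that the overlap is intentional and that both files must stay compatible.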
@@ -41,6 +54,7 @@ define DROPBEAR_SVR_PASSWORD_AUTH
echo '#endif' >> $(@D)/localoptions.h
endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+endif
define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
diff --git a/package/dropbear/etc-pam.d-sshd b/package/dropbear/etc-pam.d-sshd
new file mode 100644
index 0000000000..5e13fc0d60
--- /dev/null
+++ b/package/dropbear/etc-pam.d-sshd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth required pam_unix.so shadow nodelay
+account required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so shadow nullok use_authtok
+session required pam_unix.so
+session required pam_limits.so
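Review bot: on the `password required pam_unix.so shadow nullok use_authtok` line, `use_authtok` tells pam_unix to take the new password from a module stacked earlier in the password stack, and this file has no such module, so a password change through this service has no token to use and is expected to fail. Drop `use_authtok` from that line, or add the password module that is meant to precede pam_unix.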
--
2.14.4
* [Buildroot] [PATCH v2] dropbear: enable PAM athentication if linux-pam is selected
From: Baruch Siach @ 2018-06-29 11:50 UTC
To: buildroot
Hi Carlos,
On Fri, Jun 29, 2018 at 07:58:18AM -0300, Carlos Santos wrote:
> - Disable password file athentication, since it's not possible to have
> both at once.
> - Install a /etc/pam.d/sshd file, based on the one installed by openssh.
>
> Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Please keep the review tag in subsequent patch submissions.
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* [Buildroot] [PATCH v3] dropbear: enable PAM authentication if linux-pam is selected
From: Carlos Santos @ 2018-06-29 12:21 UTC
To: buildroot
- Disable password file authentication, since it's not possible to have
both at once.
- Install a /etc/pam.d/sshd file, based on the one installed by openssh.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
---
Changes v1->v2:
- Fix commit message.
Changes v2->v3:
- athentication -> authentication (gah!)
---
Change-Id: Ic62953e03b598bceb6374eb40436f908ab5d07ee
---
package/dropbear/dropbear.mk | 14 ++++++++++++++
package/dropbear/etc-pam.d-sshd | 7 +++++++
2 files changed, 21 insertions(+)
create mode 100644 package/dropbear/etc-pam.d-sshd
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..bb902bc7ce 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -34,6 +34,19 @@ ifeq ($(BR2_SHARED_STATIC_LIBS),y)
DROPBEAR_CONF_OPTS += --disable-static
endif
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define DROPBEAR_SVR_PAM_AUTH
+ echo '#define DROPBEAR_SVR_PASSWORD_AUTH 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_SVR_PAM_AUTH 1' >> $(@D)/localoptions.h
+endef
+define DROPBEAR_INSTALL_PAM_CONF
+ $(INSTALL) -D -m 644 package/dropbear/etc-pam.d-sshd $(TARGET_DIR)/etc/pam.d/sshd
+endef
+DROPBEAR_DEPENDENCIES += linux-pam
+DROPBEAR_CONF_OPTS += --enable-pam
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PAM_AUTH
+DROPBEAR_POST_INSTALL_TARGET_HOOKS += DROPBEAR_INSTALL_PAM_CONF
+else
# Ensure that dropbear doesn't use crypt() when it's not available
define DROPBEAR_SVR_PASSWORD_AUTH
echo '#if !HAVE_CRYPT' >> $(@D)/localoptions.h
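Review bot: `--enable-pam` is passed only inside the new PAM branch, and nothing in the patch passes a PAM option on the `else` side, which leaves the non-PAM build to configure's default. Adding `DROPBEAR_CONF_OPTS += --disable-pam` under `else` would make that case explicit and independent of what configure decides on its own.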
@@ -41,6 +54,7 @@ define DROPBEAR_SVR_PASSWORD_AUTH
echo '#endif' >> $(@D)/localoptions.h
endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+endif
define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
diff --git a/package/dropbear/etc-pam.d-sshd b/package/dropbear/etc-pam.d-sshd
new file mode 100644
index 0000000000..5e13fc0d60
--- /dev/null
+++ b/package/dropbear/etc-pam.d-sshd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth required pam_unix.so shadow nodelay
+account required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so shadow nullok use_authtok
+session required pam_unix.so
+session required pam_limits.so
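Review bot: the new file has no comment saying where it comes from; only the commit message records that it is based on the one installed by openssh. A comment line under `#%PAM-1.0` naming that origin would help keep the two files in step when either one is changed later.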
--
2.14.4
* [Buildroot] [PATCH v3] dropbear: enable PAM authentication if linux-pam is selected
From: Thomas Petazzoni @ 2018-06-30 16:32 UTC
To: buildroot
Hello,
On Fri, 29 Jun 2018 09:21:09 -0300, Carlos Santos wrote:
> - Disable password file authentication, since it's not possible to have
> both at once.
> - Install a /etc/pam.d/sshd file, based on the one installed by openssh.
>
> Signed-off-by: Carlos Santos <casantos@datacom.com.br>
> Reviewed-by: Baruch Siach <baruch@tkos.co.il>
> ---
> Changes v1->v2:
> - Fix commit message.
> Changes v2->v3:
> - athentication -> authentication (gah!)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH v3] dropbear: enable PAM authentication if linux-pam is selected
From: Thomas Petazzoni @ 2018-06-30 20:39 UTC
To: buildroot
Carlos, Baruch,
On Sat, 30 Jun 2018 18:32:26 +0200, Thomas Petazzoni wrote:
> On Fri, 29 Jun 2018 09:21:09 -0300, Carlos Santos wrote:
> > - Disable password file authentication, since it's not possible to have
> > both at once.
> > - Install a /etc/pam.d/sshd file, based on the one installed by openssh.
> >
> > Signed-off-by: Carlos Santos <casantos@datacom.com.br>
> > Reviewed-by: Baruch Siach <baruch@tkos.co.il>
> > ---
> > Changes v1->v2:
> > - Fix commit message.
> > Changes v2->v3:
> > - athentication -> authentication (gah!)
>
> Applied to master, thanks.
Since you're looking at dropbear, could you review the following
patches:
http://patchwork.ozlabs.org/patch/909724/
http://patchwork.ozlabs.org/patch/884051/
The former looks OK to me, but the latter seems less OK as I'm not sure
we want to handle this specifically for dropbear: there are other SSH
servers as well. Let me know if you see a reason to have that second
patch.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com