[Buildroot] [PATCH] dropbear: enable PAM athentication if linux-pam is selected

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH] dropbear: enable PAM athentication if linux-pam is selected
@ 2018-06-28 20:19 Carlos Santos
  2018-06-29  4:36 ` Baruch Siach
  0 siblings, 1 reply; 7+ messages in thread
From: Carlos Santos @ 2018-06-28 20:19 UTC (permalink / raw)
  To: buildroot

- Disable password file athentication, since it's not possible to have
  both at once.
- Install a /etc/pam.d/sshd file, based on the ofe from from openssh.

Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
 package/dropbear/dropbear.mk    | 14 ++++++++++++++
 package/dropbear/etc-pam.d-sshd |  7 +++++++
 2 files changed, 21 insertions(+)
 create mode 100644 package/dropbear/etc-pam.d-sshd

diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..bb902bc7ce 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -34,6 +34,19 @@ ifeq ($(BR2_SHARED_STATIC_LIBS),y)
 DROPBEAR_CONF_OPTS += --disable-static
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define DROPBEAR_SVR_PAM_AUTH
+	echo '#define DROPBEAR_SVR_PASSWORD_AUTH 0'     >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_SVR_PAM_AUTH 1'          >> $(@D)/localoptions.h
+endef
+define DROPBEAR_INSTALL_PAM_CONF
+	$(INSTALL) -D -m 644 package/dropbear/etc-pam.d-sshd $(TARGET_DIR)/etc/pam.d/sshd
+endef
+DROPBEAR_DEPENDENCIES += linux-pam
+DROPBEAR_CONF_OPTS += --enable-pam
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PAM_AUTH
+DROPBEAR_POST_INSTALL_TARGET_HOOKS += DROPBEAR_INSTALL_PAM_CONF
+else
 # Ensure that dropbear doesn't use crypt() when it's not available
 define DROPBEAR_SVR_PASSWORD_AUTH
 	echo '#if !HAVE_CRYPT'                          >> $(@D)/localoptions.h
@@ -41,6 +54,7 @@ define DROPBEAR_SVR_PASSWORD_AUTH
 	echo '#endif'                                   >> $(@D)/localoptions.h
 endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+endif
 
 define DROPBEAR_ENABLE_REVERSE_DNS
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
diff --git a/package/dropbear/etc-pam.d-sshd b/package/dropbear/etc-pam.d-sshd
new file mode 100644
index 0000000000..5e13fc0d60
--- /dev/null
+++ b/package/dropbear/etc-pam.d-sshd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth       required     pam_unix.so shadow nodelay
+account    required     pam_nologin.so
+account    required     pam_unix.so
+password   required     pam_unix.so shadow nullok use_authtok
+session    required     pam_unix.so
+session    required     pam_limits.so
-- 
2.14.4

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [Buildroot] [PATCH] dropbear: enable PAM athentication if linux-pam is selected
  2018-06-28 20:19 [Buildroot] [PATCH] dropbear: enable PAM athentication if linux-pam is selected Carlos Santos
@ 2018-06-29  4:36 ` Baruch Siach
  2018-06-29 10:58   ` [Buildroot] [PATCH v2] " Carlos Santos
  0 siblings, 1 reply; 7+ messages in thread
From: Baruch Siach @ 2018-06-29  4:36 UTC (permalink / raw)
  To: buildroot

Hi Carlos,

On Thu, Jun 28, 2018 at 05:19:44PM -0300, Carlos Santos wrote:
> - Disable password file athentication, since it's not possible to have
>   both at once.
> - Install a /etc/pam.d/sshd file, based on the ofe from from openssh.

Something went wrong in this sentence.

> Signed-off-by: Carlos Santos <casantos@datacom.com.br>

Reviewed-by: Baruch Siach <baruch@tkos.co.il>

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Buildroot] [PATCH v2] dropbear: enable PAM athentication if linux-pam is selected
  2018-06-29  4:36 ` Baruch Siach
@ 2018-06-29 10:58   ` Carlos Santos
  2018-06-29 11:50     ` Baruch Siach
  0 siblings, 1 reply; 7+ messages in thread
From: Carlos Santos @ 2018-06-29 10:58 UTC (permalink / raw)
  To: buildroot

- Disable password file athentication, since it's not possible to have
  both at once.
- Install a /etc/pam.d/sshd file, based on the one installed by openssh.

Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
Changes v1->v2:
- Fix commit message.
---
 package/dropbear/dropbear.mk    | 14 ++++++++++++++
 package/dropbear/etc-pam.d-sshd |  7 +++++++
 2 files changed, 21 insertions(+)
 create mode 100644 package/dropbear/etc-pam.d-sshd

diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..bb902bc7ce 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -34,6 +34,19 @@ ifeq ($(BR2_SHARED_STATIC_LIBS),y)
 DROPBEAR_CONF_OPTS += --disable-static
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define DROPBEAR_SVR_PAM_AUTH
+	echo '#define DROPBEAR_SVR_PASSWORD_AUTH 0'     >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_SVR_PAM_AUTH 1'          >> $(@D)/localoptions.h
+endef
+define DROPBEAR_INSTALL_PAM_CONF
+	$(INSTALL) -D -m 644 package/dropbear/etc-pam.d-sshd $(TARGET_DIR)/etc/pam.d/sshd
+endef
+DROPBEAR_DEPENDENCIES += linux-pam
+DROPBEAR_CONF_OPTS += --enable-pam
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PAM_AUTH
+DROPBEAR_POST_INSTALL_TARGET_HOOKS += DROPBEAR_INSTALL_PAM_CONF
+else
 # Ensure that dropbear doesn't use crypt() when it's not available
 define DROPBEAR_SVR_PASSWORD_AUTH
 	echo '#if !HAVE_CRYPT'                          >> $(@D)/localoptions.h
@@ -41,6 +54,7 @@ define DROPBEAR_SVR_PASSWORD_AUTH
 	echo '#endif'                                   >> $(@D)/localoptions.h
 endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+endif
 
 define DROPBEAR_ENABLE_REVERSE_DNS
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
diff --git a/package/dropbear/etc-pam.d-sshd b/package/dropbear/etc-pam.d-sshd
new file mode 100644
index 0000000000..5e13fc0d60
--- /dev/null
+++ b/package/dropbear/etc-pam.d-sshd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth       required     pam_unix.so shadow nodelay
+account    required     pam_nologin.so
+account    required     pam_unix.so
+password   required     pam_unix.so shadow nullok use_authtok
+session    required     pam_unix.so
+session    required     pam_limits.so
-- 
2.14.4

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [Buildroot] [PATCH v2] dropbear: enable PAM athentication if linux-pam is selected
  2018-06-29 10:58   ` [Buildroot] [PATCH v2] " Carlos Santos
@ 2018-06-29 11:50     ` Baruch Siach
  2018-06-29 12:21       ` [Buildroot] [PATCH v3] dropbear: enable PAM authentication " Carlos Santos
  0 siblings, 1 reply; 7+ messages in thread
From: Baruch Siach @ 2018-06-29 11:50 UTC (permalink / raw)
  To: buildroot

Hi Carlos,

On Fri, Jun 29, 2018 at 07:58:18AM -0300, Carlos Santos wrote:
> - Disable password file athentication, since it's not possible to have
>   both at once.
> - Install a /etc/pam.d/sshd file, based on the one installed by openssh.
> 
> Signed-off-by: Carlos Santos <casantos@datacom.com.br>

Reviewed-by: Baruch Siach <baruch@tkos.co.il>

Please keep the review tag in subsequent patch submissions.

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Buildroot] [PATCH v3] dropbear: enable PAM authentication if linux-pam is selected
  2018-06-29 11:50     ` Baruch Siach
@ 2018-06-29 12:21       ` Carlos Santos
  2018-06-30 16:32         ` Thomas Petazzoni
  0 siblings, 1 reply; 7+ messages in thread
From: Carlos Santos @ 2018-06-29 12:21 UTC (permalink / raw)
  To: buildroot

- Disable password file authentication, since it's not possible to have
  both at once.
- Install a /etc/pam.d/sshd file, based on the one installed by openssh.

Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
---
Changes v1->v2:
- Fix commit message.
Changes v2->v3:
- athentication -> authentication (gah!)

---
Change-Id: Ic62953e03b598bceb6374eb40436f908ab5d07ee
---
 package/dropbear/dropbear.mk    | 14 ++++++++++++++
 package/dropbear/etc-pam.d-sshd |  7 +++++++
 2 files changed, 21 insertions(+)
 create mode 100644 package/dropbear/etc-pam.d-sshd

diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..bb902bc7ce 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -34,6 +34,19 @@ ifeq ($(BR2_SHARED_STATIC_LIBS),y)
 DROPBEAR_CONF_OPTS += --disable-static
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define DROPBEAR_SVR_PAM_AUTH
+	echo '#define DROPBEAR_SVR_PASSWORD_AUTH 0'     >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_SVR_PAM_AUTH 1'          >> $(@D)/localoptions.h
+endef
+define DROPBEAR_INSTALL_PAM_CONF
+	$(INSTALL) -D -m 644 package/dropbear/etc-pam.d-sshd $(TARGET_DIR)/etc/pam.d/sshd
+endef
+DROPBEAR_DEPENDENCIES += linux-pam
+DROPBEAR_CONF_OPTS += --enable-pam
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PAM_AUTH
+DROPBEAR_POST_INSTALL_TARGET_HOOKS += DROPBEAR_INSTALL_PAM_CONF
+else
 # Ensure that dropbear doesn't use crypt() when it's not available
 define DROPBEAR_SVR_PASSWORD_AUTH
 	echo '#if !HAVE_CRYPT'                          >> $(@D)/localoptions.h
@@ -41,6 +54,7 @@ define DROPBEAR_SVR_PASSWORD_AUTH
 	echo '#endif'                                   >> $(@D)/localoptions.h
 endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+endif
 
 define DROPBEAR_ENABLE_REVERSE_DNS
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
diff --git a/package/dropbear/etc-pam.d-sshd b/package/dropbear/etc-pam.d-sshd
new file mode 100644
index 0000000000..5e13fc0d60
--- /dev/null
+++ b/package/dropbear/etc-pam.d-sshd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth       required     pam_unix.so shadow nodelay
+account    required     pam_nologin.so
+account    required     pam_unix.so
+password   required     pam_unix.so shadow nullok use_authtok
+session    required     pam_unix.so
+session    required     pam_limits.so
-- 
2.14.4

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [Buildroot] [PATCH v3] dropbear: enable PAM authentication if linux-pam is selected
  2018-06-29 12:21       ` [Buildroot] [PATCH v3] dropbear: enable PAM authentication " Carlos Santos
@ 2018-06-30 16:32         ` Thomas Petazzoni
  2018-06-30 20:39           ` Thomas Petazzoni
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Petazzoni @ 2018-06-30 16:32 UTC (permalink / raw)
  To: buildroot

Hello,

On Fri, 29 Jun 2018 09:21:09 -0300, Carlos Santos wrote:
> - Disable password file authentication, since it's not possible to have
>   both at once.
> - Install a /etc/pam.d/sshd file, based on the one installed by openssh.
> 
> Signed-off-by: Carlos Santos <casantos@datacom.com.br>
> Reviewed-by: Baruch Siach <baruch@tkos.co.il>
> ---
> Changes v1->v2:
> - Fix commit message.
> Changes v2->v3:
> - athentication -> authentication (gah!)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Buildroot] [PATCH v3] dropbear: enable PAM authentication if linux-pam is selected
  2018-06-30 16:32         ` Thomas Petazzoni
@ 2018-06-30 20:39           ` Thomas Petazzoni
  0 siblings, 0 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2018-06-30 20:39 UTC (permalink / raw)
  To: buildroot

Carlos, Baruch,

On Sat, 30 Jun 2018 18:32:26 +0200, Thomas Petazzoni wrote:

> On Fri, 29 Jun 2018 09:21:09 -0300, Carlos Santos wrote:
> > - Disable password file authentication, since it's not possible to have
> >   both at once.
> > - Install a /etc/pam.d/sshd file, based on the one installed by openssh.
> > 
> > Signed-off-by: Carlos Santos <casantos@datacom.com.br>
> > Reviewed-by: Baruch Siach <baruch@tkos.co.il>
> > ---
> > Changes v1->v2:
> > - Fix commit message.
> > Changes v2->v3:
> > - athentication -> authentication (gah!)  
> 
> Applied to master, thanks.

Since you're looking at dropbear, could you review the following
patches:

  http://patchwork.ozlabs.org/patch/909724/
  http://patchwork.ozlabs.org/patch/884051/

The former looks OK to me, but the latter seems less OK as I'm not sure
we want to handle this specifically for dropbear: there are other SSH
servers as well. Let me know if you see a reason to have that second
patch.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2018-06-30 20:39 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-28 20:19 [Buildroot] [PATCH] dropbear: enable PAM athentication if linux-pam is selected Carlos Santos
2018-06-29  4:36 ` Baruch Siach
2018-06-29 10:58   ` [Buildroot] [PATCH v2] " Carlos Santos
2018-06-29 11:50     ` Baruch Siach
2018-06-29 12:21       ` [Buildroot] [PATCH v3] dropbear: enable PAM authentication " Carlos Santos
2018-06-30 16:32         ` Thomas Petazzoni
2018-06-30 20:39           ` Thomas Petazzoni

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.