diff --git a/man/tinysshnoneauthd.8 b/man/tinysshnoneauthd.8
new file mode 100644
index 0000000000000000000000000000000000000000..aad99ba96aada364c009e4739f351551744d6466
--- /dev/null
+++ b/man/tinysshnoneauthd.8
@@ -0,0 +1,49 @@
+.TH tinysshnoneauthd 8
+.SH NAME
+tinysshnoneauthd \- Tiny SSH daemon with 'none' auth. enabled
+.SH SYNOPSIS
+.B tinysshnoneauthd
+[ options ]
+.I keydir
+.SH DESCRIPTION
+.B tinysshnoneauthd
+creates encrypted (but not auhenticated) SSH connection.
+It's used to protect older protocols which uses e.g. telnet etc.
+.SH OPTIONS
+.TP
+.B \-q
+no error messages
+.TP
+.B \-Q
+print error messages (default)
+.TP
+.B \-v
+print extra information
+.TP
+.B \-l
+use syslog instead of standard error output (useful for running from inetd)
+.TP
+.B \-L
+don't use syslog, use standard error output (default)
+.TP
+.B \-e \fIcommand
+execute the given command instead of spawning the shell (disables \fIexec\fR/\fIsubsystem\fR channel requests)
+.TP
+.I keydir
+directory containing TinySSH keys, typically /etc/tinyssh/sshkeydir
+.SH EXAMPLES
+.TP
+.B TCPSERVER
+useradd tinysshnoneauth
+mkdir -p /home/tinysshnoneauth/
+tinysshd-makekey /home/tinysshnoneauth/sshkeydir
+chown -R tinysshnoneauth /home/tinysshnoneauth/sshkeydir
+envuidgid tinysshnoneauth tcpserver -UHRDl0 0 2222 /usr/sbin/tinysshnoneauthd -vv -e 'cat /etc/motd' /home/tinysshnoneauth/sshkeydir
+.SH SEE ALSO
+.BR tinysshd (8),
+.BR tinysshd\-makekey (8),
+.BR tinysshd\-printkey (8)
+.sp
+.nf
+https://tinyssh.org/
+.fi
diff --git a/tinyssh/TARGETS b/tinyssh/TARGETS
index 57fadf06bc953ed40ec27cdd37760ce85bd5f2ce..70c67432c3b314866b0e27690bda347677febcb7 100644
--- a/tinyssh/TARGETS
+++ b/tinyssh/TARGETS
@@ -1,3 +1,4 @@
tinysshd
+tinysshnoneauthd
tinysshd-makekey
tinysshd-printkey
diff --git a/tinyssh/main.h b/tinyssh/main.h
index dcc4191a51d462da37892c731436da65f2a7067d..6563275f0c8b77a18b2a98bdb59979c103cca70f 100644
--- a/tinyssh/main.h
+++ b/tinyssh/main.h
@@ -1,7 +1,7 @@
#ifndef _MAIN_H____
#define _MAIN_H____
-extern int main_tinysshd(int, char **);
+extern int main_tinysshd(int, char **, const char *);
extern int main_tinysshd_printkey(int, char **);
extern int main_tinysshd_makekey(int, char **);
diff --git a/tinyssh/main_tinysshd.c b/tinyssh/main_tinysshd.c
index 69235474c4ca5c39afdd7338b489d5ac9eb6c1a0..af952b5e98239fdbd2c56194c96360e6f0644f0a 100644
--- a/tinyssh/main_tinysshd.c
+++ b/tinyssh/main_tinysshd.c
@@ -25,15 +25,15 @@ Public domain.
#include "global.h"
#include "connectioninfo.h"
#include "die.h"
+#include "str.h"
#include "main.h"
-#define USAGE "usage: tinysshd [options] keydir"
-
static unsigned int cryptotypeselected = sshcrypto_TYPENEWCRYPTO | sshcrypto_TYPEPQCRYPTO;
static int flagverbose = 1;
static int fdwd;
static int flaglogger = 0;
static const char *customcmd = 0;
+static int flagnoneauth = 0;
static struct buf b1 = {global_bspace1, 0, sizeof global_bspace1};
static struct buf b2 = {global_bspace2, 0, sizeof global_bspace2};
@@ -50,8 +50,7 @@ static void trigger(int x) {
x = write(selfpipe[1], "", 1);
}
-
-int main_tinysshd(int argc, char **argv) {
+int main_tinysshd(int argc, char **argv, const char *binaryname) {
char *x;
const char *keydir = 0;
@@ -65,14 +64,22 @@ int main_tinysshd(int argc, char **argv) {
struct pollfd *watchfromchild2;
struct pollfd *watchselfpipe;
int exitsignal, exitcode;
+ long long binarynamelen = str_len(binaryname);
+ const char *usage;
signal(SIGPIPE, SIG_IGN);
signal(SIGALRM, timeout);
- log_init(0, "tinysshd", 0, 0);
+ log_init(0, binaryname, 0, 0);
+ if (str_equaln(binaryname, binarynamelen, "tinysshnoneauthd")) {
+ usage = "usage: tinysshnoneauthd [options] keydir";
+ }
+ else {
+ usage = "usage: tinysshd [options] keydir";
+ }
- if (argc < 2) die_usage(USAGE);
- if (!argv[0]) die_usage(USAGE);
+ if (argc < 2) die_usage(usage);
+ if (!argv[0]) die_usage(usage);
for (;;) {
if (!argv[1]) break;
if (argv[1][0] != '-') break;
@@ -100,12 +107,18 @@ int main_tinysshd(int argc, char **argv) {
if (argv[1]) { customcmd = *++argv; break; }
}
- die_usage(USAGE);
+ die_usage(usage);
}
}
- keydir = *++argv; if (!keydir) die_usage(USAGE);
+ keydir = *++argv; if (!keydir) die_usage(usage);
+
+ log_init(flagverbose, binaryname, 1, flaglogger);
- log_init(flagverbose, "tinysshd", 1, flaglogger);
+ if (str_equaln(binaryname, binarynamelen, "tinysshnoneauthd")) {
+ if (!customcmd) die_fatal("rejecting to run without -e customprogram", 0, 0);
+ if (geteuid() == 0) die_fatal("rejecting to run under UID=0", 0, 0);
+ flagnoneauth = 1;
+ }
connectioninfo(channel.localip, channel.localport, channel.remoteip, channel.remoteport);
log_i4("connection from ", channel.remoteip, ":", channel.remoteport);
@@ -171,7 +184,7 @@ rekeying:
/* authentication + authorization */
if (packet.flagauthorized == 0) {
- if (!packet_auth(&b1, &b2)) die_fatal("authentication failed", 0, 0);
+ if (!packet_auth(&b1, &b2, flagnoneauth)) die_fatal("authentication failed", 0, 0);
packet.flagauthorized = 1;
}
diff --git a/tinyssh/packet.h b/tinyssh/packet.h
index 34e0bde27f31653b9a8318cd52d5e5031d78ab1c..cc79cdb1a0de5fdcf6e4227957e5c3d897ede6cd 100644
--- a/tinyssh/packet.h
+++ b/tinyssh/packet.h
@@ -104,7 +104,7 @@ extern int packet_kex_receive(void);
extern int packet_kexdh(const char *, struct buf *, struct buf *);
/* packet_auth.c */
-extern int packet_auth(struct buf *, struct buf *);
+extern int packet_auth(struct buf *, struct buf *, int);
/* packet_channel_open.c */
extern int packet_channel_open(struct buf *, struct buf *);
diff --git a/tinyssh/packet_auth.c b/tinyssh/packet_auth.c
index 9e5a0cf6d3be499fb4526a1be3338da38c9484f8..b2ac838c45c913bd5720de442df0edfcd1d8219f 100644
--- a/tinyssh/packet_auth.c
+++ b/tinyssh/packet_auth.c
@@ -4,6 +4,7 @@ Jan Mojzis
Public domain.
*/
+#include <pwd.h>
#include "buf.h"
#include "ssh.h"
#include "e.h"
@@ -16,7 +17,8 @@ Public domain.
#include "log.h"
#include "packet.h"
-int packet_auth(struct buf *b, struct buf *b2) {
+
+int packet_auth(struct buf *b, struct buf *b2, int flagnoneauth) {
crypto_uint8 ch, flagsignature;
long long pos, i, count, sign_bytes = 0;
@@ -68,7 +70,20 @@ int packet_auth(struct buf *b, struct buf *b2) {
pos = packetparser_uint32(b->buf, b->len, pos, &len); /* publickey/password/hostbased/none */
pos = packetparser_skip(b->buf, b->len, pos, len);
- if (str_equaln((char *)b->buf + pos - len, len, "none")) pkname = "none";
+ if (str_equaln((char *)b->buf + pos - len, len, "none")) {
+ /*
+ if auth. none is enabled get the user from UID
+ */
+ if (flagnoneauth) {
+ struct passwd *pw;
+ pkname = "none";
+ pw = getpwuid(geteuid());
+ if (!pw) bug();
+ str_copyn(packet.name, sizeof packet.name, pw->pw_name);
+ b->len = 0; b->buf[0] = 0;
+ goto authorized;
+ }
+ }
if (str_equaln((char *)b->buf + pos - len, len, "password")) pkname = "password";
if (str_equaln((char *)b->buf + pos - len, len, "hostbased")) pkname = "hostbased";
if (str_equaln((char *)b->buf + pos - len, len, "publickey")) {
diff --git a/tinyssh/tinysshd.c b/tinyssh/tinysshd.c
index c8ca4e421c1de5fb6cc4d2645a2107aa42ef84c1..d7a98b4fe9f85362f42f7f65e0a60488861e8457 100644
--- a/tinyssh/tinysshd.c
+++ b/tinyssh/tinysshd.c
@@ -41,8 +41,11 @@ int main(int argc, char **argv) {
else if (str_equaln(x, xlen, "tinysshd-makekey")){
return main_tinysshd_makekey(argc, argv);
}
+ else if (str_equaln(x, xlen, "tinysshnoneauthd")){
+ return main_tinysshd(argc, argv, "tinysshnoneauthd");
+ }
else {
- return main_tinysshd(argc, argv);
+ return main_tinysshd(argc, argv, "tinysshd");
}
_exit(111);
diff --git a/tinyssh/tinysshnoneauthd.c b/tinyssh/tinysshnoneauthd.c
new file mode 120000
index 0000000000000000000000000000000000000000..531c8353925abcd7849791fdfc8d74c85e242127
--- /dev/null
+++ b/tinyssh/tinysshnoneauthd.c
@@ -0,0 +1 @@
+tinysshd.c
\ No newline at end of file
diff --git a/tinyssh/tinysshnoneauthd.exp b/tinyssh/tinysshnoneauthd.exp
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/tinyssh/tinysshnoneauthd.rts b/tinyssh/tinysshnoneauthd.rts
new file mode 100644
index 0000000000000000000000000000000000000000..039e4d0069c5c26909f86c505b9de66182e6d1f3
--- /dev/null
+++ b/tinyssh/tinysshnoneauthd.rts
@@ -0,0 +1,2 @@
+#!/bin/sh
+exit 0