diff --git a/man/tinysshnoneauthd.8 b/man/tinysshnoneauthd.8
new file mode 100644
index 0000000000000000000000000000000000000000..aad99ba96aada364c009e4739f351551744d6466
--- /dev/null
+++ b/man/tinysshnoneauthd.8
@@ -0,0 +1,49 @@
+.TH tinysshnoneauthd 8
+.SH NAME
+tinysshnoneauthd \- Tiny SSH daemon with 'none' auth. enabled
+.SH SYNOPSIS
+.B tinysshnoneauthd
+[ options ]
+.I keydir
+.SH DESCRIPTION
+.B tinysshnoneauthd
+creates encrypted (but not auhenticated) SSH connection.
+It's used to protect older protocols which uses e.g. telnet etc.
+.SH OPTIONS
+.TP
+.B \-q
+no error messages
+.TP
+.B \-Q
+print error messages (default)
+.TP
+.B \-v
+print extra information
+.TP
+.B \-l
+use syslog instead of standard error output (useful for running from inetd)
+.TP
+.B \-L
+don't use syslog, use standard error output (default)
+.TP
+.B \-e \fIcommand
+execute the given command instead of spawning the shell (disables \fIexec\fR/\fIsubsystem\fR channel requests)
+.TP
+.I keydir
+directory containing TinySSH keys, typically /etc/tinyssh/sshkeydir
+.SH EXAMPLES
+.TP
+.B TCPSERVER
+useradd tinysshnoneauth
+mkdir -p /home/tinysshnoneauth/
+tinysshd-makekey /home/tinysshnoneauth/sshkeydir
+chown -R tinysshnoneauth /home/tinysshnoneauth/sshkeydir
+envuidgid tinysshnoneauth tcpserver -UHRDl0 0 2222 /usr/sbin/tinysshnoneauthd -vv -e 'cat /etc/motd' /home/tinysshnoneauth/sshkeydir
+.SH SEE ALSO
+.BR tinysshd (8),
+.BR tinysshd\-makekey (8),
+.BR tinysshd\-printkey (8)
+.sp
+.nf
+https://tinyssh.org/
+.fi
diff --git a/tinyssh/TARGETS b/tinyssh/TARGETS
index 57fadf06bc953ed40ec27cdd37760ce85bd5f2ce..70c67432c3b314866b0e27690bda347677febcb7 100644
--- a/tinyssh/TARGETS
+++ b/tinyssh/TARGETS
@@ -1,3 +1,4 @@
tinysshd
+tinysshnoneauthd
tinysshd-makekey
tinysshd-printkey
diff --git a/tinyssh/main.h b/tinyssh/main.h
index dcc4191a51d462da37892c731436da65f2a7067d..6563275f0c8b77a18b2a98bdb59979c103cca70f 100644
--- a/tinyssh/main.h
+++ b/tinyssh/main.h
@@ -1,7 +1,7 @@ #ifndef _MAIN_H____ #define _MAIN_H____ -extern int main_tinysshd(int, char **); +extern int main_tinysshd(int, char **, const char *); extern int main_tinysshd_printkey(int, char **); extern int main_tinysshd_makekey(int, char **); diff --git a/tinyssh/main_tinysshd.c b/tinyssh/main_tinysshd.c index 69235474c4ca5c39afdd7338b489d5ac9eb6c1a0..af952b5e98239fdbd2c56194c96360e6f0644f0a 100644 --- a/tinyssh/main_tinysshd.c +++ b/tinyssh/main_tinysshd.c @@ -25,15 +25,15 @@ Public domain. #include "global.h" #include "connectioninfo.h" #include "die.h" +#include "str.h" #include "main.h" -#define USAGE "usage: tinysshd [options] keydir" - static unsigned int cryptotypeselected = sshcrypto_TYPENEWCRYPTO | sshcrypto_TYPEPQCRYPTO; static int flagverbose = 1; static int fdwd; static int flaglogger = 0; static const char *customcmd = 0; +static int flagnoneauth = 0; static struct buf b1 = {global_bspace1, 0, sizeof global_bspace1}; static struct buf b2 = {global_bspace2, 0, sizeof global_bspace2}; @@ -50,8 +50,7 @@ static void trigger(int x) { x = write(selfpipe[1], "", 1); } - -int main_tinysshd(int argc, char **argv) { +int main_tinysshd(int argc, char **argv, const char *binaryname) { char *x; const char *keydir = 0; @@ -65,14 +64,22 @@ int main_tinysshd(int argc, char **argv) { struct pollfd *watchfromchild2; struct pollfd *watchselfpipe; int exitsignal, exitcode; + long long binarynamelen = str_len(binaryname); + const char *usage; signal(SIGPIPE, SIG_IGN); signal(SIGALRM, timeout); - log_init(0, "tinysshd", 0, 0); + log_init(0, binaryname, 0, 0); + if (str_equaln(binaryname, binarynamelen, "tinysshnoneauthd")) { + usage = "usage: tinysshnoneauthd [options] keydir"; + } + else { + usage = "usage: tinysshd [options] keydir"; + } - if (argc < 2) die_usage(USAGE); - if (!argv[0]) die_usage(USAGE); + if (argc < 2) die_usage(usage); + if (!argv[0]) die_usage(usage); for (;;) { if (!argv[1]) break; if (argv[1][0] != '-') break; 
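Review bot: The new `static int flagnoneauth = 0;` in the @@ -25 hunk is the switch that later makes packet_auth() accept the SSH 'none' method, yet it carries no comment, and nothing near the declaration tells a reader what sets it or under which conditions. Add above it `/* 1 only when invoked as tinysshnoneauthd and after the -e / non-root checks pass; passed to packet_auth() to accept the 'none' method */`. The neighbouring statics follow the file's uncommented style, so a single line is enough here.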
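Review bot: In the @@ -65 hunk the comparison `str_equaln(binaryname, binarynamelen, "tinysshnoneauthd")` is evaluated to choose the usage string and then evaluated again in the @@ -100 hunk to enable the mode, with the same literal also spelled out in tinysshd.c; a drift in one copy would silently split the two behaviours. Compute it once, e.g. `int isnoneauth = str_equaln(binaryname, binarynamelen, "tinysshnoneauthd");` and `usage = isnoneauth ? "usage: tinysshnoneauthd [options] keydir" : "usage: tinysshd [options] keydir";`, and reuse `isnoneauth` in the later hunk while keeping `flagnoneauth = 1` where it is, after the -e and non-root guards, so the mode is still only armed once those checks pass. main_tinysshd()'s body continues past the end of this hunk.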
@@ -100,12 +107,18 @@ int main_tinysshd(int argc, char **argv) { if (argv[1]) { customcmd = *++argv; break; } } - die_usage(USAGE); + die_usage(usage); } } - keydir = *++argv; if (!keydir) die_usage(USAGE); + keydir = *++argv; if (!keydir) die_usage(usage); + + log_init(flagverbose, binaryname, 1, flaglogger); - log_init(flagverbose, "tinysshd", 1, flaglogger); + if (str_equaln(binaryname, binarynamelen, "tinysshnoneauthd")) { + if (!customcmd) die_fatal("rejecting to run without -e customprogram", 0, 0); + if (geteuid() == 0) die_fatal("rejecting to run under UID=0", 0, 0); + flagnoneauth = 1; + } connectioninfo(channel.localip, channel.localport, channel.remoteip, channel.remoteport); log_i4("connection from ", channel.remoteip, ":", channel.remoteport); @@ -171,7 +184,7 @@ rekeying: /* authentication + authorization */ if (packet.flagauthorized == 0) { - if (!packet_auth(&b1, &b2)) die_fatal("authentication failed", 0, 0); + if (!packet_auth(&b1, &b2, flagnoneauth)) die_fatal("authentication failed", 0, 0); packet.flagauthorized = 1; } diff --git a/tinyssh/packet.h b/tinyssh/packet.h index 34e0bde27f31653b9a8318cd52d5e5031d78ab1c..cc79cdb1a0de5fdcf6e4227957e5c3d897ede6cd 100644 --- a/tinyssh/packet.h +++ b/tinyssh/packet.h @@ -104,7 +104,7 @@ extern int packet_kex_receive(void); extern int packet_kexdh(const char *, struct buf *, struct buf *); /* packet_auth.c */ -extern int packet_auth(struct buf *, struct buf *); +extern int packet_auth(struct buf *, struct buf *, int); /* packet_channel_open.c */ extern int packet_channel_open(struct buf *, struct buf *); diff --git a/tinyssh/packet_auth.c b/tinyssh/packet_auth.c index 9e5a0cf6d3be499fb4526a1be3338da38c9484f8..b2ac838c45c913bd5720de442df0edfcd1d8219f 100644 --- a/tinyssh/packet_auth.c +++ b/tinyssh/packet_auth.c @@ -4,6 +4,7 @@ Jan Mojzis Public domain. */ +#include <pwd.h> #include "buf.h" #include "ssh.h" #include "e.h" 
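Review bot: The guard `if (geteuid() == 0) die_fatal("rejecting to run under UID=0", 0, 0);` only inspects the effective uid, while the identity that unauthenticated sessions will receive (per packet_auth()) and that the `-e` command inherits across exec also depends on the real uid; if a launcher drops only the effective uid, the child can regain uid 0 from its real uid. Checking both, `if (geteuid() == 0 || getuid() == 0) die_fatal("rejecting to run under UID=0", 0, 0);`, closes that gap at no cost. Since this branch turns authentication off for the whole process, it would also help operators to record the decision in the log at startup, for example with the `log_i4` helper used two lines below, naming the account the sessions will run as, so a mis-configured inetd or tcpserver line is visible in syslog. The surrounding function starts and ends outside the hunk.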
@@ -16,7 +17,8 @@ Public domain. #include "log.h" #include "packet.h" -int packet_auth(struct buf *b, struct buf *b2) { + +int packet_auth(struct buf *b, struct buf *b2, int flagnoneauth) { crypto_uint8 ch, flagsignature; long long pos, i, count, sign_bytes = 0; @@ -68,7 +70,20 @@ int packet_auth(struct buf *b, struct buf *b2) { pos = packetparser_uint32(b->buf, b->len, pos, &len); /* publickey/password/hostbased/none */ pos = packetparser_skip(b->buf, b->len, pos, len); - if (str_equaln((char *)b->buf + pos - len, len, "none")) pkname = "none"; + if (str_equaln((char *)b->buf + pos - len, len, "none")) { + /* + if auth. none is enabled get the user from UID + */ + if (flagnoneauth) { + struct passwd *pw; + pkname = "none"; + pw = getpwuid(geteuid()); + if (!pw) bug(); + str_copyn(packet.name, sizeof packet.name, pw->pw_name); + b->len = 0; b->buf[0] = 0; + goto authorized; + } + } if (str_equaln((char *)b->buf + pos - len, len, "password")) pkname = "password"; if (str_equaln((char *)b->buf + pos - len, len, "hostbased")) pkname = "hostbased"; if (str_equaln((char *)b->buf + pos - len, len, "publickey")) { diff --git a/tinyssh/tinysshd.c b/tinyssh/tinysshd.c index c8ca4e421c1de5fb6cc4d2645a2107aa42ef84c1..d7a98b4fe9f85362f42f7f65e0a60488861e8457 100644 --- a/tinyssh/tinysshd.c +++ b/tinyssh/tinysshd.c @@ -41,8 +41,11 @@ int main(int argc, char **argv) { else if (str_equaln(x, xlen, "tinysshd-makekey")){ return main_tinysshd_makekey(argc, argv); } + else if (str_equaln(x, xlen, "tinysshnoneauthd")){ + return main_tinysshd(argc, argv, "tinysshnoneauthd"); + } else { - return main_tinysshd(argc, argv); + return main_tinysshd(argc, argv, "tinysshd"); } _exit(111); diff --git a/tinyssh/tinysshnoneauthd.c b/tinyssh/tinysshnoneauthd.c new file mode 120000 index 0000000000000000000000000000000000000000..531c8353925abcd7849791fdfc8d74c85e242127 --- /dev/null +++ b/tinyssh/tinysshnoneauthd.c @@ -0,0 +1 @@ +tinysshd.c \ No newline at end of file 
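Review bot: In the @@ -68 hunk `pkname = "none";` has moved inside the `if (flagnoneauth)` branch, so the regular tinysshd no longer sets pkname when a client offers the 'none' method, which most clients do first to discover the allowed methods; whatever pkname feeds after this hunk, presumably the rejection log line, now sees its previous value instead of "none". Keep the assignment where the removed line had it: `if (str_equaln((char *)b->buf + pos - len, len, "none")) {` / `    pkname = "none";` / `    if (flagnoneauth) {`. The branch also overwrites the client-supplied `packet.name` with the pw_name of the daemon's effective uid, so the comment should state that the requested user name is ignored, e.g. `/* 'none' auth enabled: any user name is accepted; the session identity is the daemon's own effective uid, not the client's request */`. The `authorized` label and the rest of packet_auth() are outside the hunk.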
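Review bot: The new branch in tinysshd.c selects the unauthenticated mode solely from the invoked name (`x`, presumably derived from argv[0] above the hunk), so any invocation of the multi-call binary under the name tinysshnoneauthd, whether via the new symlink, a renamed copy or an inetd entry, disables authentication; the -e and non-root requirements inside main_tinysshd() are the only checks between a mis-invocation and an open service. Record that dependency on the branch: `/* mode chosen by argv[0]; 'none' auth is only armed after main_tinysshd() verifies -e and a non-root uid */`. The beginning of main(), where x and xlen are computed, is outside the hunk.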
diff --git a/tinyssh/tinysshnoneauthd.exp b/tinyssh/tinysshnoneauthd.exp
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/tinyssh/tinysshnoneauthd.rts b/tinyssh/tinysshnoneauthd.rts
new file mode 100644
index 0000000000000000000000000000000000000000..039e4d0069c5c26909f86c505b9de66182e6d1f3
--- /dev/null
+++ b/tinyssh/tinysshnoneauthd.rts
@@ -0,0 +1,2 @@
+#!/bin/sh
+exit 0
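Review bot: tinysshnoneauthd.rts unconditionally runs `exit 0`, so the test target reports success for the new binary without exercising the 'none' authentication path, the -e requirement or the non-root refusal at all. If a real test is out of scope for this commit, say so in the script so the gap is not mistaken for coverage, e.g. `# TODO: placeholder, the 'none' auth mode has no regression test yet`. The matching .exp file is empty, which is consistent with the script producing no output.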