dropbear, cvs, and checkpassword

Matt Johnston matt at ucc.asn.au
Tue Sep 6 13:04:11 WST 2005


On Mon, Sep 05, 2005 at 10:33:43AM -0500, Andy Goth wrote:
> The developers shouldn't need shell accounts, just CVS access.
> 
> Therefore I will not be doing /etc/passwd (and /etc/shadow)
> authentication.  So I can configure openssh to disallow passwords and
> instead check keys against ~andy/cvs/users/$USERNAME/authorized_keys .
> 
> But people will want password access...
> 
> So I thought, I can modify dropbear (which looks far easier to edit than
> openssh) to use checkpassword rather than getpwwhatever().  See
> http://cr.yp.to/checkpwd.html .  Specifically I'd use cvm-checkpassword
> with cvm-pwfile; see http://untroubled.org/cvm/cvm.html .  This is what
> I use for bincimap, which I didn't need any admin help to set up.
> 
> Having a look at the sources, it seems all I need to do is:
> 
> 1. Create svr-authcheckpassword.c.
> 2. Add a #define for it.
> 3. Add to svr-auth.c some code to call my new function.

Yeah, I think that sounds fairly sane. You can probably base
it pretty closely on svr-authpasswd.c, just get rid of the
crypt() stuff etc. 

> 4. Defeat checkusername().
> For my version I'll just make a #define wrapping the call to
> checkusername(), or maybe I'll have it comment out the guts of same.  I
> don't know yet.

checkusername() is a little bit more awkward - other parts
of the code such as svr-chansession depend on the call to
getpwnam() for finding out which shell to execute, homedirs,
etc. It might be best to make it call getpwnam() on the
actual unix username, and use that.

> Of course everyone will log in as me.  For this reason I'll have to do
> something to ensure that dropbear will only run "cvs server".  I'll also
> need to look at cvs to see if it can be convinced to read or overwrite
> files not in the CVS repository.

Have a look in svr-chansession.c, for your purposes you can
probably just hardcode a program to execute. I'm not sure
how easy it is to secure CVS - I guess various other
projects seem to have set up similar things before (though
perhaps not all as a single user).

Cheers,
Matt
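The replacement for the crypt() comparison that Matt describes, as an added example that is not Dropbear code and not Andy's patch: a C function that speaks the checkpassword interface from cr.yp.to/checkpwd.html (the checker gets "user\0password\0timestamp\0" on file descriptor 3 and exits 0 on success, 1 on bad credentials, 2 on misuse). The function name checkpassword_auth, the return convention (0 accepted, 1 rejected, -1 for anything that is not a clean verdict), and the MOCK_CHECKPASSWORD stand-in with its made-up andy / hunter2 pair are all assumptions made here so the example runs offline; a real deployment would put cvm-checkpassword and the cvm-pwfile module in that argv instead.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Largest frame handed to the checker: username, password and timestamp,
 * each NUL-terminated. PIPE_BUF is at least 512 on POSIX, so a frame of
 * this size is written to a fresh pipe in a single write(). */
#define CHECKPW_FRAME_MAX 512

/* Overwrite memory that held a password; the volatile pointer stops the
 * compiler from dropping the stores as dead code. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Authenticate USER/PASS by running a checkpassword-compatible program.
 * checker[] is its argv (checker[0] is the path), as for execv(). The
 * password travels over fd 3, never through argv, so it is not visible
 * in `ps`. Returns 0 when the checker accepts, 1 when it rejects, and -1
 * for every internal failure (frame too large, pipe/fork/exec error,
 * checker killed or exiting with a misuse code), so that a broken setup
 * is never mistaken for a wrong password. (Assumed return convention.) */
int checkpassword_auth(char *const checker[], const char *user, const char *pass)
{
    char frame[CHECKPW_FRAME_MAX], ts[32];
    size_t ulen = strlen(user), plen = strlen(pass), tlen, total;
    int fds[2], status, ok;
    pid_t pid;

    snprintf(ts, sizeof ts, "%ld", (long)time(NULL));
    tlen = strlen(ts);
    total = ulen + 1 + plen + 1 + tlen + 1;
    if (total > sizeof frame)
        return -1;                        /* cannot be framed: refuse it */

    memcpy(frame, user, ulen + 1);        /* each copy includes its NUL */
    memcpy(frame + ulen + 1, pass, plen + 1);
    memcpy(frame + ulen + 1 + plen + 1, ts, tlen + 1);

    if (pipe(fds) < 0)
        return -1;
    /* Fill the pipe before forking: the frame fits in the pipe buffer, and
     * closing the write end now gives the checker a clean EOF on fd 3. */
    ok = write(fds[1], frame, total) == (ssize_t)total;
    close(fds[1]);
    wipe(frame, sizeof frame);
    if (!ok) {
        close(fds[0]);
        return -1;
    }

    pid = fork();
    if (pid == 0) {
        if (fds[0] != 3) {
            dup2(fds[0], 3);              /* checkpassword reads from fd 3 */
            close(fds[0]);
        }
        execv(checker[0], checker);
        _exit(111);                       /* exec failed: temporary error */
    }
    close(fds[0]);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 0;                    /* credentials accepted */
    case 1:  return 1;                    /* credentials rejected */
    default: return -1;                   /* 2 = misuse, 111 = exec failure */
    }
}

/* Constructed stand-in for cvm-checkpassword so the example runs offline:
 * a /bin/sh script that reads the frame from fd 3, accepts only the
 * made-up pair andy / hunter2, and on success execs the program it was
 * given (here `true`), the way a real checkpassword tool execs prog. */
#define MOCK_CHECKPW_SCRIPT \
    "tr '\\0' '\\n' <&3 | { read -r u; read -r p; read -r ts; " \
    "[ \"$u\" = andy ] && [ \"$p\" = hunter2 ] || exit 1; exec \"$@\"; }"

char *const MOCK_CHECKPASSWORD[] = {
    "/bin/sh", "-c", MOCK_CHECKPW_SCRIPT, "mock-checkpassword", "true", NULL
};

/* A frame that would not fit is refused before anything is forked. */
int oversized_frame_is_refused(void)
{
    char longuser[CHECKPW_FRAME_MAX + 1];
    memset(longuser, 'a', sizeof longuser - 1);
    longuser[sizeof longuser - 1] = 0;
    return checkpassword_auth(MOCK_CHECKPASSWORD, longuser, "x") == -1;
}

int main(void)
{
    printf("andy/hunter2 -> %d\n",
           checkpassword_auth(MOCK_CHECKPASSWORD, "andy", "hunter2"));
    printf("andy/wrong   -> %d\n",
           checkpassword_auth(MOCK_CHECKPASSWORD, "andy", "wrong"));
    return 0;
}
```

Two design points worth keeping if this is dropped into an svr-authpasswd.c clone: the checker is given a no-op prog (`true`) because in this setup Dropbear itself, not the checker, later execs the hardcoded `cvs server`; and the -1 path is deliberately distinct from 1 so that a missing or misconfigured checker fails closed without being logged as a password guess.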
