From 72412d084b8e0bb0e3317266475039aad9a0b5a8 Mon Sep 17 00:00:00 2001 From: Sergey Ponomarev Date: Sun, 24 Dec 2023 19:02:26 +0200 Subject: [PATCH] cli-runopts.c: add BatchMode option The BatchMode same as PasswordAuthentication=no but it has more priority. So you can't re-enable the PasswordAuthentication like in: dbclient -v -o BatchMode=yes -o PasswordAuthentication=yes example.com It also disables the interactive confirmation when a host key changed. Close #224 --- src/cli-auth.c | 4 ++-- src/cli-kex.c | 7 ++++++- src/cli-runopts.c | 7 +++++++ src/runopts.h | 3 +++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/src/cli-auth.c b/src/cli-auth.c index bd84c1aa8..62bb26511 100644 --- a/src/cli-auth.c +++ b/src/cli-auth.c @@ -245,7 +245,7 @@ void recv_msg_userauth_failure() { } #endif #if DROPBEAR_CLI_PASSWORD_AUTH - if (cli_opts.password_authentication && strncmp(AUTH_METHOD_PASSWORD, tok, + if (!cli_opts.batch_mode && cli_opts.password_authentication && strncmp(AUTH_METHOD_PASSWORD, tok, AUTH_METHOD_PASSWORD_LEN) == 0) { ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; } @@ -311,7 +311,7 @@ int cli_auth_try() { #endif #if DROPBEAR_CLI_PASSWORD_AUTH - if (!finished && cli_opts.password_authentication && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) { + if (!finished && !cli_opts.batch_mode && cli_opts.password_authentication && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) { if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n"); } else { diff --git a/src/cli-kex.c b/src/cli-kex.c index 6cb75c27b..ebaa843bf 100644 --- a/src/cli-kex.c +++ b/src/cli-kex.c @@ -217,11 +217,16 @@ static void ask_to_confirm(const unsigned char* keyblob, unsigned int keybloblen m_free(fp); return; } - fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(%s fingerprint %s)\nDo you want to continue connecting? (y/n) ", + + fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(%s fingerprint %s)\n", cli_opts.remotehost, algoname, fp); m_free(fp); + if (cli_opts.batch_mode) { + dropbear_exit("Didn't validate host key"); + } + fprintf(stderr, "Do you want to continue connecting? (y/n) "); tty = fopen(_PATH_TTY, "r"); if (tty) { diff --git a/src/cli-runopts.c b/src/cli-runopts.c index 4b43cd514..d3432e484 100644 --- a/src/cli-runopts.c +++ b/src/cli-runopts.c @@ -155,6 +155,7 @@ void cli_getopts(int argc, char ** argv) { #endif cli_opts.disable_trivial_auth = 0; cli_opts.password_authentication = 1; + cli_opts.batch_mode = 0; #if DROPBEAR_CLI_LOCALTCPFWD cli_opts.localfwds = list_new(); opts.listen_fwd_all = 0; @@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) { if (strcmp(origstr, "help") == 0) { dropbear_log(LOG_INFO, "Available options:\n" + "\tBatchMode\n" "\tBindAddress\n" "\tDisableTrivialAuth\n" #if DROPBEAR_CLI_ANYTCPFWD @@ -917,6 +919,11 @@ static void add_extendedopt(const char* origstr) { exit(EXIT_SUCCESS); } + if (match_extendedopt(&optstr, "BatchMode") == DROPBEAR_SUCCESS) { + cli_opts.batch_mode = parse_flag_value(optstr); + return; + } + if (match_extendedopt(&optstr, "BindAddress") == DROPBEAR_SUCCESS) { cli_opts.bind_arg = optstr; return; diff --git a/src/runopts.h b/src/runopts.h index 5356ecac0..f6972eeab 100644 --- a/src/runopts.h +++ b/src/runopts.h @@ -170,7 +170,10 @@ typedef struct cli_runopts { int exit_on_fwd_failure; #endif int disable_trivial_auth; + /** Use a password authentication or a key auth only. + For a BatchMode it's always -o PasswordAuthentication=no */ int password_authentication; + int batch_mode; #if DROPBEAR_CLI_REMOTETCPFWD m_list * remotefwds; #endif