From 7c2e8fcd0d162d2ba9fac116f96a5e82ac77f11c Mon Sep 17 00:00:00 2001
From: Manfred Kaiser <manfred.kaiser@bmlv.gv.at>
Date: Thu, 17 Jun 2021 11:11:03 +0200
Subject: [PATCH 1/3] added option to disable trivial auth methods

---
 cli-auth.c         | 3 +++
 cli-authinteract.c | 1 +
 cli-authpasswd.c   | 2 +-
 cli-authpubkey.c   | 1 +
 cli-runopts.c      | 7 +++++++
 cli-session.c      | 1 +
 runopts.h          | 1 +
 session.h          | 1 +
 8 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/cli-auth.c b/cli-auth.c
index 5fcacc3a7..20cb34857 100644
--- a/cli-auth.c
+++ b/cli-auth.c
@@ -261,6 +261,9 @@ void recv_msg_userauth_success() {
 	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
 
 	TRACE(("received msg_userauth_success"))
+	if (cli_opts.exit_on_trivial_auth && cli_ses.is_trivial_auth) {
+		dropbear_exit("trivial authentication not allowed");
+	}
 	/* Note: in delayed-zlib mode, setting authdone here 
 	 * will enable compression in the transport layer */
 	ses.authstate.authdone = 1;
diff --git a/cli-authinteract.c b/cli-authinteract.c
index e1cc9a161..f7128ee59 100644
--- a/cli-authinteract.c
+++ b/cli-authinteract.c
@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
 	m_free(instruction);
 
 	for (i = 0; i < num_prompts; i++) {
+		cli_ses.is_trivial_auth = 0;
 		unsigned int response_len = 0;
 		prompt = buf_getstring(ses.payload, NULL);
 		cleantext(prompt);
diff --git a/cli-authpasswd.c b/cli-authpasswd.c
index 00fdd8bc4..a24d43efa 100644
--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
@@ -155,7 +155,7 @@ void cli_auth_password() {
 
 	encrypt_packet();
 	m_burn(password, strlen(password));
-
+	cli_ses.is_trivial_auth = 0;
 	TRACE(("leave cli_auth_password"))
 }
 #endif	/* DROPBEAR_CLI_PASSWORD_AUTH */
diff --git a/cli-authpubkey.c b/cli-authpubkey.c
index 28c54fa9b..bdb855880 100644
--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
@@ -266,6 +266,7 @@ int cli_auth_pubkey() {
 		/* Send a trial request */
 		send_msg_userauth_pubkey(key, sigtype, 0);
 		cli_ses.lastprivkey = key;
+		cli_ses.is_trivial_auth = 0;
 		TRACE(("leave cli_auth_pubkey-success"))
 		return 1;
 	} else {
diff --git a/cli-runopts.c b/cli-runopts.c
index 3654b9a32..da3ad3d3e 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
 #if DROPBEAR_CLI_ANYTCPFWD
 	cli_opts.exit_on_fwd_failure = 0;
 #endif
+	cli_opts.exit_on_trivial_auth = 0;
 #if DROPBEAR_CLI_LOCALTCPFWD
 	cli_opts.localfwds = list_new();
 	opts.listen_fwd_all = 0;
@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
 #if DROPBEAR_CLI_ANYTCPFWD
 			"\tExitOnForwardFailure\n"
 #endif
+			"\tExitOnTrivialAuth\n"
 #ifndef DISABLE_SYSLOG
 			"\tUseSyslog\n"
 #endif
@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
 		return;
 	}
 
+	if (match_extendedopt(&optstr, "ExitOnTrivialAuth") == DROPBEAR_SUCCESS) {
+		cli_opts.exit_on_trivial_auth = parse_flag_value(optstr);
+		return;
+	}
+
 	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
 }
diff --git a/cli-session.c b/cli-session.c
index 699286db1..eee760e74 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
 	/* Auth */
 	cli_ses.lastprivkey = NULL;
 	cli_ses.lastauthtype = 0;
+	cli_ses.is_trivial_auth = 1;
 
 	/* For printing "remote host closed" for the user */
 	ses.remoteclosed = cli_remoteclosed;
diff --git a/runopts.h b/runopts.h
index 6a4a94ccd..c626b0e7a 100644
--- a/runopts.h
+++ b/runopts.h
@@ -159,6 +159,7 @@ typedef struct cli_runopts {
 #if DROPBEAR_CLI_ANYTCPFWD
 	int exit_on_fwd_failure;
 #endif
+	int exit_on_trivial_auth;
 #if DROPBEAR_CLI_REMOTETCPFWD
 	m_list * remotefwds;
 #endif
diff --git a/session.h b/session.h
index fb5b8cbb6..6706592a8 100644
--- a/session.h
+++ b/session.h
@@ -316,6 +316,7 @@ struct clientsession {
 
 	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
 						 for the last type of auth we tried */
+	int is_trivial_auth;
 	int ignore_next_auth_response;
 #if DROPBEAR_CLI_INTERACT_AUTH
 	int auth_interact_failed; /* flag whether interactive auth can still

From adbdb213eb0fe3e982cc57d7ae882c1915bef818 Mon Sep 17 00:00:00 2001
From: Manfred Kaiser <manfred.kaiser@bmlv.gv.at>
Date: Fri, 18 Jun 2021 07:48:47 +0200
Subject: [PATCH 2/3] rename argument to match with other ssh clients

---
 cli-auth.c    | 2 +-
 cli-runopts.c | 8 ++++----
 runopts.h     | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cli-auth.c b/cli-auth.c
index 20cb34857..517923052 100644
--- a/cli-auth.c
+++ b/cli-auth.c
@@ -261,7 +261,7 @@ void recv_msg_userauth_success() {
 	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
 
 	TRACE(("received msg_userauth_success"))
-	if (cli_opts.exit_on_trivial_auth && cli_ses.is_trivial_auth) {
+	if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
 		dropbear_exit("trivial authentication not allowed");
 	}
 	/* Note: in delayed-zlib mode, setting authdone here 
diff --git a/cli-runopts.c b/cli-runopts.c
index da3ad3d3e..255b47e8a 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -152,7 +152,7 @@ void cli_getopts(int argc, char ** argv) {
 #if DROPBEAR_CLI_ANYTCPFWD
 	cli_opts.exit_on_fwd_failure = 0;
 #endif
-	cli_opts.exit_on_trivial_auth = 0;
+	cli_opts.disable_trivial_auth = 0;
 #if DROPBEAR_CLI_LOCALTCPFWD
 	cli_opts.localfwds = list_new();
 	opts.listen_fwd_all = 0;
@@ -890,7 +890,7 @@ static void add_extendedopt(const char* origstr) {
 #if DROPBEAR_CLI_ANYTCPFWD
 			"\tExitOnForwardFailure\n"
 #endif
-			"\tExitOnTrivialAuth\n"
+			"\tDisableTrivialAuth\n"
 #ifndef DISABLE_SYSLOG
 			"\tUseSyslog\n"
 #endif
@@ -918,8 +918,8 @@ static void add_extendedopt(const char* origstr) {
 		return;
 	}
 
-	if (match_extendedopt(&optstr, "ExitOnTrivialAuth") == DROPBEAR_SUCCESS) {
-		cli_opts.exit_on_trivial_auth = parse_flag_value(optstr);
+	if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+		cli_opts.disable_trivial_auth = parse_flag_value(optstr);
 		return;
 	}
 
diff --git a/runopts.h b/runopts.h
index c626b0e7a..01201d2dc 100644
--- a/runopts.h
+++ b/runopts.h
@@ -159,7 +159,7 @@ typedef struct cli_runopts {
 #if DROPBEAR_CLI_ANYTCPFWD
 	int exit_on_fwd_failure;
 #endif
-	int exit_on_trivial_auth;
+	int disable_trivial_auth;
 #if DROPBEAR_CLI_REMOTETCPFWD
 	m_list * remotefwds;
 #endif

From 318109125e747f0bc256a6d94d5756030ea2f5a0 Mon Sep 17 00:00:00 2001
From: Manfred Kaiser <manfred.kaiser@logfile.at>
Date: Thu, 1 Jul 2021 18:50:18 +0200
Subject: [PATCH 3/3] fixed trivial auth detection for pubkeys

---
 cli-authpubkey.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli-authpubkey.c b/cli-authpubkey.c
index bdb855880..c0da77f1e 100644
--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
 		buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
 		cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
 		buf_free(sigbuf); /* Nothing confidential in the buffer */
+		cli_ses.is_trivial_auth = 0;
 	}
 
 	encrypt_packet();
@@ -266,7 +267,6 @@ int cli_auth_pubkey() {
 		/* Send a trial request */
 		send_msg_userauth_pubkey(key, sigtype, 0);
 		cli_ses.lastprivkey = key;
-		cli_ses.is_trivial_auth = 0;
 		TRACE(("leave cli_auth_pubkey-success"))
 		return 1;
 	} else {