author | Carlos Santos <casantos@datacom.com.br> | 2018-06-29 09:21:09 -0300 |
---|---|---|
committer | Thomas Petazzoni <thomas.petazzoni@bootlin.com> | 2018-06-30 18:28:23 +0200 |
commit | 037b8616257067282e375edca9af19418a0e7a4a (patch) | |
tree | e0f725411ddfe3f813a537887d8a1a7990167df8 | |
parent | 5b64a489bf27ae89efec6cd78d489cf0fb94ea5e (diff) | |
dropbear: enable PAM authentication if linux-pam is selected
- Disable password file authentication, since it's not possible to have
both at once.
- Install a /etc/pam.d/sshd file, based on the one installed by openssh.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-rw-r--r-- | package/dropbear/dropbear.mk | 14 | ||||
-rw-r--r-- | package/dropbear/etc-pam.d-sshd | 7 |
2 files changed, 21 insertions, 0 deletions
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..bb902bc7ce 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -34,6 +34,19 @@ ifeq ($(BR2_SHARED_STATIC_LIBS),y)
 DROPBEAR_CONF_OPTS += --disable-static
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define DROPBEAR_SVR_PAM_AUTH
+ echo '#define DROPBEAR_SVR_PASSWORD_AUTH 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_SVR_PAM_AUTH 1' >> $(@D)/localoptions.h
+endef
+define DROPBEAR_INSTALL_PAM_CONF
+ $(INSTALL) -D -m 644 package/dropbear/etc-pam.d-sshd $(TARGET_DIR)/etc/pam.d/sshd
+endef
+DROPBEAR_DEPENDENCIES += linux-pam
+DROPBEAR_CONF_OPTS += --enable-pam
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PAM_AUTH
+DROPBEAR_POST_INSTALL_TARGET_HOOKS += DROPBEAR_INSTALL_PAM_CONF
+else
 # Ensure that dropbear doesn't use crypt() when it's not available
 define DROPBEAR_SVR_PASSWORD_AUTH
  echo '#if !HAVE_CRYPT' >> $(@D)/localoptions.h
@@ -41,6 +54,7 @@ define DROPBEAR_SVR_PASSWORD_AUTH
  echo '#endif' >> $(@D)/localoptions.h
 endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+endif
 
 define DROPBEAR_ENABLE_REVERSE_DNS
  echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
diff --git a/package/dropbear/etc-pam.d-sshd b/package/dropbear/etc-pam.d-sshd
new file mode 100644
index 0000000000..5e13fc0d60
--- /dev/null
+++ b/package/dropbear/etc-pam.d-sshd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth required pam_unix.so shadow nodelay
+account required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so shadow nullok use_authtok
+session required pam_unix.so
+session required pam_limits.so
|
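Review bot: `DROPBEAR_INSTALL_PAM_CONF` in the first dropbear.mk hunk writes `$(TARGET_DIR)/etc/pam.d/sshd` unconditionally, and the commit message says openssh installs a file at that same path, so when both packages are selected the PAM policy that ends up on the target appears to depend on install order. Either keep the two files identical or document the overlap, for example with `# Same path as the file installed by openssh; keep both in sync` above the define. The PAM branch also has no explanation comparable to the comment in the `else` branch; `# PAM and password-file authentication cannot both be enabled` above `define DROPBEAR_SVR_PAM_AUTH` would record why `DROPBEAR_SVR_PASSWORD_AUTH` is forced to 0. The `ifeq` opened in this hunk is only closed by the `+endif` in the following hunk.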
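Review bot: The `auth` line of the new `etc-pam.d-sshd` passes `nodelay` to pam_unix, which turns off the module's pause after a failed authentication; for a network-facing login service that removes one brake on repeated password guessing. Unless dropbear is known to enforce its own failure delay in this configuration, prefer `auth required pam_unix.so shadow` and keep `nodelay` only with a comment explaining why it is wanted. Separately, the `password` line uses `use_authtok` with no earlier password module in the stack to supply the new token, so a password change through this service would likely fail; whether dropbear ever invokes that stack is not visible here.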