Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sys/shell: new module shell_lock #13082

Merged
merged 6 commits into from
Jun 9, 2022

Conversation

HendrikVE
Copy link
Contributor

Contribution description

This PR adds a locking mechanism to the shell, implemented by the new shell_lock module. It's not meant as a super secure system protection, it should rather be thought of as a small simple protection for demo environment purposes. For example, I recently raised a PR (#12012) for stdio over Blueooth. I might want to show a demo and control my project via bluetooth and I don't want other people to be able to connect to my device and use the shell. Using this new module you have to type in a password first. The mentioned bluetooth service only allows a single connection per device, that is an assumption that needs to be maintained, because there is only a single shell instance per device. A second user would get access to the previous unlocked shell by another user otherwise. Furthermore it's not the responsibility of this module to provide a secure channel. This needs to be done by the used communication channel, e.g. nimble in the mentioned case.
All of this doesn't mean it couldn't extended to be more secure for other purposes though.

The module shell_lock_auto_locking extends the lock mechanism by auto locking the "session" after a given timeout, which might be also interesting. Otherwise the user has to lock the shell manually by calling the added lock-command within the shell.

Testing procedure

Simply run the default application on a board. A test configuration is set in the Makefile.

@aabadie aabadie added the Area: sys Area: System label Jan 16, 2020
@HendrikVE HendrikVE force-pushed the password_protected_shell branch 4 times, most recently from e1f92a6 to c54ebe7 Compare January 20, 2020 15:34
@HendrikVE HendrikVE added the Type: new feature The issue requests / The PR implemements a new feature for RIOT label Feb 7, 2020
@HendrikVE HendrikVE added the State: waiting for other PR State: The PR requires another PR to be merged first label Mar 5, 2020
@fjmolinas
Copy link
Contributor

What PR is this waiting for @HendrikVE ?

@HendrikVE
Copy link
Contributor Author

Basically, it is/was waiting for the shell refactoring PRs. Its primary use case is given once #12012 is merged. Technically I could probably do a rebase by now. I will try to do that on the weekend, but I'm not sure about merging this before the use case from #12012 is given?

@HendrikVE HendrikVE force-pushed the password_protected_shell branch 2 times, most recently from 97b06af to d8f18ed Compare June 20, 2020 21:32
@HendrikVE HendrikVE removed the State: waiting for other PR State: The PR requires another PR to be merged first label Jun 20, 2020
@HendrikVE
Copy link
Contributor Author

Rebased and squashed! No dependency on any other PR left.

@HendrikVE HendrikVE added the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Jun 20, 2020
@HendrikVE HendrikVE force-pushed the password_protected_shell branch 3 times, most recently from b59518e to b8145b9 Compare June 24, 2020 12:58
@fjmolinas fjmolinas removed the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Jun 24, 2020
@miri64
Copy link
Member

miri64 commented Jun 25, 2020

How is this related to #6893 and #12191?

@miri64
Copy link
Member

miri64 commented Jun 25, 2020

(or asking differently can #12191 be closed as this PR supersedes this one?)

@HendrikVE
Copy link
Contributor Author

#6893 is a whole security layer with different user permissions, so it's quite different from what I did.

This PR is basically the idea of #12191, but without any crypto. I guess it can be closed. If we want crypto some day, we could add it to this module.

@HendrikVE HendrikVE force-pushed the password_protected_shell branch from b8145b9 to 2748881 Compare June 26, 2020 13:12
@HendrikVE HendrikVE force-pushed the password_protected_shell branch from 2748881 to 9472fd4 Compare July 7, 2020 17:39
@HendrikVE HendrikVE added the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Jul 7, 2020
@HendrikVE HendrikVE force-pushed the password_protected_shell branch 3 times, most recently from 2819803 to c52a1e6 Compare July 7, 2020 20:47
@HendrikVE HendrikVE force-pushed the password_protected_shell branch 2 times, most recently from 09348de to 21f9464 Compare November 6, 2020 18:15
@HendrikVE HendrikVE force-pushed the password_protected_shell branch 2 times, most recently from ea93dfc to 7efd27a Compare March 13, 2022 22:57
@benpicco
Copy link
Contributor

benpicco commented Jun 1, 2022

Needs a rebase, but I think this can still be useful.

@HendrikVE HendrikVE force-pushed the password_protected_shell branch from 7efd27a to fddb08e Compare June 3, 2022 16:57
@HendrikVE
Copy link
Contributor Author

Rebased to master and cleaned the PR a little. The module now uses the SHELL_COMMAND macro to put its command into shell_commands_xfa.

@github-actions github-actions bot added Area: examples Area: Example Applications Area: network Area: Networking labels Jun 5, 2022
Copy link
Contributor

@benpicco benpicco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added some commits to fix locking with the telnet server.
While this is certainly not secure, it is a cleaner workaround to the GNRC TCP issue (not generating -ECONNABORTED) than #17897.

sys/shell/shell.c Outdated Show resolved Hide resolved
extern void shell_lock_checkpoint(char *line_buf, int len);
extern bool shell_lock_is_locked(void);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you are doing that you might as well

Suggested change
extern void shell_lock_checkpoint(char *line_buf, int len);
extern bool shell_lock_is_locked(void);
#if IS_USED(MODULE_SHELL_LOCK)
extern void shell_lock_checkpoint(char *line_buf, int len);
extern bool shell_lock_is_locked(void);
#else
static inline void shell_lock_checkpoint(char *line_buf, int len)
{
(void)line_buf;
(void)len;
}
static inline bool shell_lock_is_locked(void)
{
return false;
}
#endif

and avoid cluttering the code further down with if (IS_USED(…)) blocks

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mh I don't see the benefit of doing this. At the moment it is in line with MODULE_SHELL_HOOKS and MODULE_SHELL_COMMANDS. Since these are just forward declarations we don't need empty definitions in case the module is not used at all.

sys/shell_lock/shell_lock.c Outdated Show resolved Hide resolved
@HendrikVE HendrikVE force-pushed the password_protected_shell branch from 9eef476 to 4470b68 Compare June 7, 2022 13:27
@benpicco benpicco added CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR and removed CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR labels Jun 8, 2022
@maribu maribu removed the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Jun 8, 2022
@maribu
Copy link
Member

maribu commented Jun 8, 2022

This needs a rebase now, sorry.

HendrikVE and others added 6 commits June 8, 2022 12:53
Module to lock the running shell with a password. Shell is proceeded only
when the valid password was entered by the user. After 3 failed attempts,
the input is blocked for a few seconds to slow down brute force attacks.
Does not make use of any cryptographic features yet.
Module to lock the shell after a given timeout of time x. When the
shell did not receive any input within time x, then the shell is
locked automatically.
@HendrikVE HendrikVE force-pushed the password_protected_shell branch from 4470b68 to 80b7b79 Compare June 8, 2022 11:02
@HendrikVE HendrikVE added the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Jun 8, 2022
@benpicco benpicco merged commit 8e1f908 into RIOT-OS:master Jun 9, 2022
@HendrikVE
Copy link
Contributor Author

Thanks for the review!

@HendrikVE HendrikVE deleted the password_protected_shell branch June 9, 2022 13:13
@chrysn chrysn added this to the Release 2022.07 milestone Aug 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: build system Area: Build system Area: examples Area: Example Applications Area: network Area: Networking Area: sys Area: System Area: tests Area: tests and testing framework CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Type: new feature The issue requests / The PR implemements a new feature for RIOT
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants