[openwrt/openwrt] dropbear: disable login recording with musl libc

LEDE Commits lede-commits at lists.infradead.org
Sat Aug 23 09:57:52 PDT 2025


hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/e021b8a7461a6a8948f99e56935f29998210a536

commit e021b8a7461a6a8948f99e56935f29998210a536
Author: Konstantin Demin <rockdrilla at gmail.com>
AuthorDate: Wed Aug 20 09:55:47 2025 +0300

    dropbear: disable login recording with musl libc
    
    disallow lastlog/login()/utmp/wtmp with musl libc in order to avoid runtime errors due to musl implementation details.
    
    ref: https://github.com/openwrt/openwrt/issues/19566#issuecomment-3167897095
    
    Signed-off-by: Konstantin Demin <rockdrilla at gmail.com>
    Link: https://github.com/openwrt/openwrt/pull/19715
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 package/network/services/dropbear/Config.in | 157 +++++++++++++++-------------
 package/network/services/dropbear/Makefile  |   2 +-
 2 files changed, 83 insertions(+), 76 deletions(-)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index e677ef5edc..796ccae86e 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -105,101 +105,108 @@ config DROPBEAR_SVR_PUBKEY_OPTIONS
 
 		Default: enabled.
 
-config DROPBEAR_LASTLOG
-	bool "Write lastlog"
-	help
-		/var/log/lastlog is a record of the last login of each user.
-		To view the last login, use "lastlog" command (OpenWrt package shadow-lastlog).
+## ---
+## Nowadays, utmp/wtmp is not supported by musl libc.
+## Ref: https://wiki.musl-libc.org/faq.html#Q:_Why_is_the_utmp/wtmp_functionality_only_implemented_as_stubs?
+
+## utmp-specific notes:
+## In musl, pututline() and related functions are all stubs, and login(), logout() and ttyslot() don't exist.
+## In Dropbear there is an option to write to utmp directly, but it uses ttyslot().
+## So, there is currently no way to make utmp work with musl.
+## Revisit this if/when Dropbear implements ttyslot() or an independent utmp direct write.
+## ---
+comment "* note: lastlog/login()/utmp/wtmp are unavailable with musl libc"
+	depends on USE_MUSL
 
-		If enabled, Drobear will update it with SSH logins.
-		If disabled, SSH logins will not be recorded.
+if !USE_MUSL
 
-		Warning: The lastlog record is considered a security and privacy risk by some.
+	config DROPBEAR_LASTLOG
+		bool "Write lastlog"
+		help
+			/var/log/lastlog is a record of the last login of each user.
+			To view the last login, use "lastlog" command (OpenWrt package shadow-lastlog).
 
-		Default: disabled.
+			If enabled, Drobear will update it with SSH logins.
+			If disabled, SSH logins will not be recorded.
 
-config DROPBEAR_LASTLOG_PATH
-	string "lastlog path:"
-	default "/var/log/lastlog"
-	depends on DROPBEAR_LASTLOG
-	help
-		Default: /var/log/lastlog
+			Warning: The lastlog record is considered a security and privacy risk by some.
 
-config DROPBEAR_WTMP
-	bool "Write wtmp"
-	help
-		/var/log/wtmp is a record of all previous logins.
-		The file needs to be manually created - Dropbear will update it only if it already exists.
-		To view login history, use "last" command, available in Busybox but not included by default.
+			Default: disabled.
 
-		If enabled, Dropbear will add SSH logins to the record.
-		If disabled, SSH logins will not be recorded.
+	config DROPBEAR_LASTLOG_PATH
+		string "lastlog path:"
+		default "/var/log/lastlog"
+		depends on DROPBEAR_LASTLOG
+		help
+			Default: /var/log/lastlog
 
-		Warning: The wtmp record is considered a security and privacy risk by some.
+	config DROPBEAR_LOGINFUNC
+		bool "Use login() and logout() functions"
+		help
+			If enabled, Dropbear will use login() and logout() functions to record logins in utmp and wtmp files.
 
-		Default: disabled.
+			If disabled, see DROPBEAR_UTMP and DROPBEAR_WTMP options.
 
-config DROPBEAR_WTMP_PATH
-	string "wtmp path:"
-	default "/var/log/wtmp"
-	depends on DROPBEAR_WTMP
-	help
-		Default: /var/log/wtmp
-
-# ---- MUSL UTMP ----
-# In musl, pututline() and related functions are all stubs, and login(), logout() and ttyslot() don't exist.
-# In Dropbear there is an option to write to utmp directly, but it uses ttyslot().
-# So, there is currently no way to make utmp work with musl.
-# Revisit this if/when Dropbear implements ttyslot() or an independent utmp direct write.
-comment "* note: utmp is unavailable with musl libc"
-	depends on USE_MUSL
+			Default: disabled.
 
-config DROPBEAR_UTMP
-	bool "Write utmp"
-	depends on !USE_MUSL
-	help
-		/var/run/utmp is a record of currently logged-in users.
-		To view logged-in users, use "w", "who" or "users" commands.
+	comment "* note: utmp/wtmp are handled by libc implementation rather than Dropbear"
+		depends on DROPBEAR_LOGINFUNC
 
-		If enabled, Dropbear will keep it updated with users that log in via SSH.
-		If disabled, SSH logins will not be recorded.
+	config DROPBEAR_WTMP
+		bool "Write wtmp"
+		depends on !DROPBEAR_LOGINFUNC
+		help
+			/var/log/wtmp is a record of all previous logins.
+			The file needs to be manually created - Dropbear will update it only if it already exists.
+			To view login history, use "last" command, available in Busybox but not included by default.
 
-		Warning: The utmp record is considered a security and privacy risk by some.
+			If enabled, Dropbear will add SSH logins to the record.
+			If disabled, SSH logins will not be recorded.
 
-		Default: disabled.
+			Warning: The wtmp record is considered a security and privacy risk by some.
 
-config DROPBEAR_UTMP_PATH
-	string "utmp path:"
-	default "/var/run/utmp"
-	depends on DROPBEAR_UTMP
-	help
-		Default: /var/run/utmp
+			Default: disabled.
 
-# musl pututline() and related functions are all stubs.
-config DROPBEAR_PUTUTLINE
-	bool "Use pututline() to write to utmp"
-	default y if !DROPBEAR_LOGINFUNC
-	depends on !USE_MUSL && !DROPBEAR_LOGINFUNC && DROPBEAR_UTMP
-	help
-		If enabled, Dropbear will use pututline() to write into the utmp file.
-		If disabled, Dropbear will write to utmp file directly.
+	config DROPBEAR_WTMP_PATH
+		string "wtmp path:"
+		default "/var/log/wtmp"
+		depends on DROPBEAR_WTMP
+		help
+			Default: /var/log/wtmp
 
-		Consider using login() and logout() functions via DROPBEAR_LOGINFUNC option if available.
+	config DROPBEAR_UTMP
+		bool "Write utmp"
+		depends on !DROPBEAR_LOGINFUNC
+		help
+			/var/run/utmp is a record of currently logged-in users.
+			To view logged-in users, use "w", "who" or "users" commands.
 
-		Default: enabled if DROPBEAR_UTMP is enabled.
+			If enabled, Dropbear will keep it updated with users that log in via SSH.
+			If disabled, SSH logins will not be recorded.
 
-# musl doesn't have login() and logout()
-config DROPBEAR_LOGINFUNC
-	bool "Use login() and logout() functions"
-	depends on !USE_MUSL
-	select DROPBEAR_UTMP
-	select DROPBEAR_WTMP
-	help
-		If enabled, Dropbear will use login() and logout() functions to record logins in utmp and wtmp files.
-		If disabled, see DROPBEAR_UTMP and DROPBEAR_WTMP options.
+			Warning: The utmp record is considered a security and privacy risk by some.
 
-		Default: disabled.
+			Default: disabled.
+
+	config DROPBEAR_UTMP_PATH
+		string "utmp path:"
+		default "/var/run/utmp"
+		depends on DROPBEAR_UTMP
+		help
+			Default: /var/run/utmp
+
+	config DROPBEAR_PUTUTLINE
+		bool "Use pututline() to write to utmp"
+		depends on DROPBEAR_UTMP
+		help
+			If enabled, Dropbear will use pututline() to write into the utmp file.
+			If disabled, Dropbear will write to utmp file directly.
+
+			PS: DROPBEAR_UTMP_PATH value is likely to be ignored if DROPBEAR_PUTUTLINE is enabled.
+
+			Default: disabled.
 
+endif
 ## </LOGIN OPTIONS>
 
 ## <FEATURES>
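Review bot: The `comment` line added under `depends on USE_MUSL` says lastlog/login()/utmp/wtmp are unavailable but not that a musl image then keeps no login-history file at all, and a saved .config with DROPBEAR_LASTLOG or DROPBEAR_WTMP set loses those symbols without a message once `if !USE_MUSL` hides them. I would say so in the menu text, for example `comment "* note: lastlog/login()/utmp/wtmp are unavailable with musl libc; SSH logins are recorded in the system log only"`, assuming Dropbear's syslog output is left enabled in this package (not visible here). DROPBEAR_LOGINFUNC also no longer selects DROPBEAR_UTMP and DROPBEAR_WTMP while the Makefile hunk only bumps PKG_RELEASE, so it is worth confirming that the Makefile's option mapping, which is outside this diff, does not depend on those two symbols when login()/logout() is chosen. The re-indented help text still carries the typo "Drobear"; `If enabled, Dropbear will update it with SSH logins.` corrects it. The login-options section begins above this hunk.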
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 87b1a2459f..59aff2f7cf 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2025.88
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \



