Dropbear calling my own command-line parser than /bin/sh.

Matt Johnston matt at ucc.asn.au
Tue Jul 18 14:00:49 WST 2006


On Mon, Jul 17, 2006 at 09:53:52PM -0700, Prasad wrote:
> Hi Matt,
> Thanks for the response. I changed as you suggested and put dummy
> password authentication and it worked.
> 
> Now I have a question. Actually the commandline interpreter I call has
> its own username and password authentication (which doesn't use
> /etc/passwd). So now I want to totally skip the regular username and
> password in the SSH and directly call my commandline interpreter
> (which has a password authentication by itself). How do I achieve that?
> Are there any security flaws in this kinda design?

Something like the patch below should work for setting a
hardcoded user and allowing authentication immediately.

I think it should be secure, as long as you make sure that
you're ignoring requests for different commands from the
user (which will get passed as arguments to your
interpreter), and your interpreter itself is secure.

Matt


# 
# old_revision [b59d9b3648d8fc72e8702a1013a1c6926d46ab2e]
# 
# patch "svr-auth.c"
#  from [dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3]
#    to [2bf6cc2b096ba97f0614119414b9cd25a73fddfb]
# 
============================================================
--- svr-auth.c	dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3
+++ svr-auth.c	2bf6cc2b096ba97f0614119414b9cd25a73fddfb
@@ -108,7 +108,10 @@
 	}
 
 	
-	username = buf_getstring(ses.payload, &userlen);
+	/* fake the username */
+	username = m_strdup("matt");
+	buf_eatstring(ses.payload);
+
 	servicename = buf_getstring(ses.payload, &servicelen);
 	methodname = buf_getstring(ses.payload, &methodlen);
 
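Review bot: `buf_eatstring(ses.payload)` discards the username the client actually sent, so nothing in the log can later say who connected as the hardcoded account; read it with `buf_getstring` into a temporary, log it next to `svr_ses.addrstring`, and `m_free` it before substituting `m_strdup("matt")`. With the `buf_getstring` call removed, `userlen` is no longer assigned anywhere in this function and will draw an unused-variable warning; drop its declaration since the length is now taken with `strlen(username)`. The literal `"matt"` also needs to be an account that `checkusername` accepts (present in the password file with a valid shell), which is worth stating in the comment or turning into a build-time option rather than a string buried in the auth path.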
@@ -134,52 +137,16 @@
 	}
 	
 	/* check username is good before continuing */
-	if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
+	if (checkusername(username, strlen(username)) == DROPBEAR_FAILURE) {
 		/* username is invalid/no shell/etc - send failure */
 		TRACE(("sending checkusername failure"))
 		send_msg_userauth_failure(0, 1);
 		goto out;
 	}
 
-#ifdef ENABLE_SVR_PASSWORD_AUTH
-	if (!svr_opts.noauthpass &&
-			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
-		/* user wants to try password auth */
-		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-				strncmp(methodname, AUTH_METHOD_PASSWORD,
-					AUTH_METHOD_PASSWORD_LEN) == 0) {
-			svr_auth_password();
-			goto out;
-		}
-	}
-#endif
-
-#ifdef ENABLE_SVR_PAM_AUTH
-	if (!svr_opts.noauthpass &&
-			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
-		/* user wants to try password auth */
-		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-				strncmp(methodname, AUTH_METHOD_PASSWORD,
-					AUTH_METHOD_PASSWORD_LEN) == 0) {
-			svr_auth_pam();
-			goto out;
-		}
-	}
-#endif
-
-#ifdef ENABLE_SVR_PUBKEY_AUTH
-	/* user wants to try pubkey auth */
-	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
-			strncmp(methodname, AUTH_METHOD_PUBKEY,
-				AUTH_METHOD_PUBKEY_LEN) == 0) {
-		svr_auth_pubkey();
-		goto out;
-	}
-#endif
-
-	/* nothing matched, we just fail */
-	send_msg_userauth_failure(0, 1);
-
+	/* allow login */
+	dropbear_log(LOG_NOTICE, "fake auth succeeded from %s", svr_ses.addrstring);
+	send_msg_userauth_success();
 out:
 
 	m_free(username);
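Review bot: with every method branch removed, `send_msg_userauth_success()` is sent for whatever `methodname` the client supplies, including the initial "none" probe, so `methodname`/`methodlen` are read above but never examined; either delete those reads or include `methodname` in the `fake auth succeeded` notice so the audit record shows what the client attempted. After this change any peer that completes key exchange gets a session as the hardcoded user, and `svr_opts.noauthpass`/`norootpass` silently become inert, so the only remaining gates are `checkusername()` and the interpreter's own login: a comment at the `/* allow login */` line should spell out that the account's shell must be the interpreter and that the interpreter must ignore any command the client requests.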


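The condition Matt attaches to the design, that the interpreter must ignore whatever command the SSH client asked for, can be enforced outside the interpreter by making the account's login shell a tiny wrapper. The following is an added example and not code from this thread or from Dropbear. It assumes the server starts the account's shell as `<shell> -c "<command>"` when the client requests a command and with no arguments for an interactive session (the usual convention; check it against the Dropbear version in use), and `INTERPRETER_PATH` is a hypothetical path standing in for Prasad's interpreter.

```c
/* Restricted login shell: always execs the fixed interpreter, never the
 * command the SSH client requested. Added example, not Dropbear code. */
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical location of the command-line interpreter from the thread. */
#define INTERPRETER_PATH "/usr/local/bin/cli-interpreter"

/* Fixed environment for the interpreter: nothing the SSH client requested
 * (env requests, LC_*, PATH) is passed through. */
static char *const fixed_env[] = { "PATH=/bin:/usr/bin", "TERM=vt100", NULL };

/* Work out what to exec. The result is always the fixed interpreter with no
 * arguments; the return value reports whether a client-requested command
 * ("-c <command>", assumed server convention) was present and discarded,
 * and *dropped points at that command so the caller can log it. */
int choose_exec(int argc, char **argv, const char *out_argv[2], const char **dropped)
{
    out_argv[0] = INTERPRETER_PATH;
    out_argv[1] = NULL;
    *dropped = NULL;
    if (argc >= 3 && strcmp(argv[1], "-c") == 0) {
        *dropped = argv[2];
        return 1;
    }
    return 0;
}

/* Self-check: simulate being started with "-c <cmd>" (cmd != NULL) or as a
 * plain interactive login (cmd == NULL). Returns 2 when a command was
 * dropped and the exec target is still the interpreter, 1 for a clean
 * interactive start, 0 if anything else would have been executed. */
int simulate_invocation(const char *cmd)
{
    const char *exec_argv[2];
    const char *dropped;
    char *argv[4] = { "-restricted-shell", NULL, NULL, NULL };
    int argc = 1;
    int dropped_flag;

    if (cmd != NULL) {
        argv[1] = "-c";
        argv[2] = (char *)cmd;
        argc = 3;
    }
    dropped_flag = choose_exec(argc, argv, exec_argv, &dropped);
    if (strcmp(exec_argv[0], INTERPRETER_PATH) != 0 || exec_argv[1] != NULL)
        return 0;
    if (dropped_flag && dropped != cmd)   /* must report the command itself */
        return 0;
    return dropped_flag ? 2 : 1;
}

int main(int argc, char **argv)
{
    const char *exec_argv[2];
    const char *dropped;

    openlog("restricted-shell", LOG_PID, LOG_AUTH);
    if (choose_exec(argc, argv, exec_argv, &dropped))
        syslog(LOG_NOTICE, "ignoring client-requested command: %.200s", dropped);

    /* Only the interpreter ever runs; its own login prompt is the gate. */
    execve(exec_argv[0], (char *const *)exec_argv, fixed_env);
    syslog(LOG_ERR, "execve %s failed", exec_argv[0]);
    return 1;
}
```

Installed as the hardcoded account's shell, the wrapper means an "exec" request, a subsystem request or a forced command from the client all collapse to the same interactive interpreter, and the requested command is recorded in the auth log rather than run. Because the wrapper is the account's shell, `checkusername()` in the patch still passes, and the interpreter's own username/password check becomes the only authentication the session sees.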