Dropbear calling my own command-line parser than /bin/sh.

Prasad ndprasad at gmail.com
Wed Jul 19 09:53:18 WST 2006


Matt,
Changed as per your suggestion and it worked perfectly well. Thanks for that.

The only problem I have now is that the entire process is really slow
until I get the login. It takes about 90 secs for me to get the shell
(with or without the changes for my own interpreter). After I get the
login everything is pretty fast. The size of the SSH key is 1024 bit.
(512 bytes reduces the time by about 60 secs).

Doing a quick check, the majority of the time was spent in the
mp_exptmod() routine, with each call taking around 25 secs. I am running
my processor (MicroBlaze) at about 60 MHz with the hardware multiplier
and divider enabled.

From your knowledge, is there any way to accelerate this in software,
or is hardware acceleration the only way to speed this up?

Thanks
- Prasad

On 7/17/06, Matt Johnston <matt at ucc.asn.au> wrote:
> On Mon, Jul 17, 2006 at 09:53:52PM -0700, Prasad wrote:
> > Hi Matt,
> > Thanks for the response. I changed it as you suggested and put in dummy
> > password authentication and it worked.
> >
> > Now I have a question. Actually, the command-line interpreter I call has
> > its own username and password authentication (which doesn't use
> > /etc/passwd). So now I want to totally skip the regular username and
> > password in SSH and directly call my command-line interpreter
> > (which has password authentication by itself). How do I achieve that?
> > Are there any security flaws in this kind of design?
>
> Something like the patch below should work for setting a
> hardcoded user and allowing authentication immediately.
>
> I think it should be secure, as long as you make sure that
> you're ignoring requests for different commands from the
> user (which will get passed as arguments to your
> interpreter), and your interpreter itself is secure.
>
> Matt
>
>
> #
> # old_revision [b59d9b3648d8fc72e8702a1013a1c6926d46ab2e]
> #
> # patch "svr-auth.c"
> #  from [dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3]
> #    to [2bf6cc2b096ba97f0614119414b9cd25a73fddfb]
> #
> ============================================================
> --- svr-auth.c  dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3
> +++ svr-auth.c  2bf6cc2b096ba97f0614119414b9cd25a73fddfb
> @@ -108,7 +108,10 @@
>         }
>
>
> -       username = buf_getstring(ses.payload, &userlen);
> +       /* fake the username */
> +       username = m_strdup("matt");
> +       buf_eatstring(ses.payload);
> +
>         servicename = buf_getstring(ses.payload, &servicelen);
>         methodname = buf_getstring(ses.payload, &methodlen);
>
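Review bot: The literal in `username = m_strdup("matt");` ties the binary to one account name, and the second hunk still runs `checkusername()` on it, so every login fails on a target where that account is missing or has no valid shell. A named compile-time constant for the account, documented where it is defined, would make that dependency visible. Dropping the `buf_getstring(ses.payload, &userlen)` call also leaves `userlen` unassigned; the second hunk switches the visible use to `strlen(username)`, but any other use of `userlen` in this function needs the same change.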
> @@ -134,52 +137,16 @@
>         }
>
>         /* check username is good before continuing */
> -       if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
> +       if (checkusername(username, strlen(username)) == DROPBEAR_FAILURE) {
>                 /* username is invalid/no shell/etc - send failure */
>                 TRACE(("sending checkusername failure"))
>                 send_msg_userauth_failure(0, 1);
>                 goto out;
>         }
>
> -#ifdef ENABLE_SVR_PASSWORD_AUTH
> -       if (!svr_opts.noauthpass &&
> -                       !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
> -               /* user wants to try password auth */
> -               if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
> -                               strncmp(methodname, AUTH_METHOD_PASSWORD,
> -                                       AUTH_METHOD_PASSWORD_LEN) == 0) {
> -                       svr_auth_password();
> -                       goto out;
> -               }
> -       }
> -#endif
> -
> -#ifdef ENABLE_SVR_PAM_AUTH
> -       if (!svr_opts.noauthpass &&
> -                       !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
> -               /* user wants to try password auth */
> -               if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
> -                               strncmp(methodname, AUTH_METHOD_PASSWORD,
> -                                       AUTH_METHOD_PASSWORD_LEN) == 0) {
> -                       svr_auth_pam();
> -                       goto out;
> -               }
> -       }
> -#endif
> -
> -#ifdef ENABLE_SVR_PUBKEY_AUTH
> -       /* user wants to try pubkey auth */
> -       if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
> -                       strncmp(methodname, AUTH_METHOD_PUBKEY,
> -                               AUTH_METHOD_PUBKEY_LEN) == 0) {
> -               svr_auth_pubkey();
> -               goto out;
> -       }
> -#endif
> -
> -       /* nothing matched, we just fail */
> -       send_msg_userauth_failure(0, 1);
> -
> +       /* allow login */
> +       dropbear_log(LOG_NOTICE, "fake auth succeeded from %s", svr_ses.addrstring);
> +       send_msg_userauth_success();
>  out:
>
>         m_free(username);
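Review bot: With the password, PAM and pubkey branches removed, `send_msg_userauth_success();` is reached for every request that passes `checkusername()`, whatever `methodname` contains, so the SSH layer no longer authenticates anyone and the interpreter's own login is the only gate. Suggest putting the bypass under its own compile-time option and keeping the original method dispatch in the `#else` branch, so a build without the custom interpreter cannot ship this path by accident. The "fake auth succeeded from %s" log line is worth keeping at LOG_NOTICE so these sessions remain visible in the system log.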
>
>
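Matt's caveat about client-requested commands reaching the interpreter as arguments, as an added example that is not part of the original thread or of Dropbear: assuming the server starts the login shell as `<shell> -c <command>` for an exec request (the usual shell convention), the interpreter's entry point can record the request for logging and otherwise ignore it. The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; not Dropbear's or the poster's code. */

/* Copy src into dst for logging, replacing control and non-ASCII bytes
 * with '?' so a client-chosen command cannot forge or corrupt log lines. */
static void sanitize_for_log(const char *src, char *dst, size_t dstlen) {
    size_t i = 0;
    if (dstlen == 0) return;
    for (; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[i] = '\0';
}

/* Returns 1 if the client asked for a specific command (argv carries
 * "-c <command>"), 0 for a plain interactive login. In both cases the
 * caller falls through to the interpreter's own login prompt: nothing
 * from argv is executed or parsed as CLI input. */
int client_requested_command(int argc, char **argv, char *logbuf, size_t loglen) {
    int i;
    if (loglen > 0) logbuf[0] = '\0';
    for (i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-c") == 0) {
            sanitize_for_log(argv[i + 1], logbuf, loglen);
            return 1;
        }
    }
    return 0;
}

int main(int argc, char **argv) {
    char requested[128];
    if (client_requested_command(argc, argv, requested, sizeof requested)) {
        fprintf(stderr, "ignoring client-requested command: \"%s\"\n", requested);
    }
    /* The interpreter's own username/password prompt would start here,
     * unconditionally, before any command is accepted. */
    return 0;
}
```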


