Dropbear patch suggestion

sindi keesan keesan at sdf.lonestar.org
Thu Apr 3 23:38:25 WST 2008


If I apply your patch will it allow logins without password?

I am being told
user 'user' has blank password, rejected  (ditto for root)

My little linux came with no passwords (just hit Enter to log in as root) 
and I added them (probably with busybox passwd).  It is a bare-bones 
distro and maybe dropbear is looking for some file which is not there.

I have real passwords for root and user in /etc/passwd. I also have root 
and user listed in /etc/shadow.  (I think our linux came without shadow 
but adduser added it).

What file is dropbear checking to determine if password is blank?
Perhaps my linux needs something changed to work with dropbear (or vice 
versa).

I don't understand what ses.authstate.pw is or does or how to program.

Sindi

On Thu, 3 Apr 2008, Jeff Tope wrote:

> Hi,
>
> I found an issue when you only want to use an ssh key on a system with only root and no root password.  I have pasted a diff of my suggested changes for you to review below.
>
> Basically, if you are not using passwords, it removes the checks for empty password.
>
> There may be a better way of doing this as I am new to dropbear.
>
> Regards
>
> Jeff
>
> diff -Nru dropbear-0.51.orig/options.h dropbear-0.51/options.h
> --- dropbear-0.51.orig/options.h        2008-03-27 13:34:39.000000000 +0000
> +++ dropbear-0.51/options.h     2008-03-28 10:21:06.000000000 +0000
> @@ -132,7 +132,7 @@
>  * but there's an interface via a PAM module - don't bother using it otherwise.
>  * You can't enable both PASSWORD and PAM. */
>
> -#define ENABLE_SVR_PASSWORD_AUTH
> +/*#define ENABLE_SVR_PASSWORD_AUTH */
> /*#define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */
> #define ENABLE_SVR_PUBKEY_AUTH
>
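
Review bot: The default in options.h should not be flipped as part of this patch. Commenting out ENABLE_SVR_PASSWORD_AUTH disables password authentication for every build made from the patched tree, not only for key-only systems. I would drop this hunk and leave the choice to whoever configures the build, so the svr-auth.c and svr-runopts.c changes can be judged on their own.
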
> diff -Nru dropbear-0.51.orig/svr-auth.c dropbear-0.51/svr-auth.c
> --- dropbear-0.51.orig/svr-auth.c       2008-03-27 13:17:16.000000000 +0000
> +++ dropbear-0.51/svr-auth.c    2008-03-28 10:21:09.000000000 +0000
> @@ -271,14 +271,18 @@
>                return DROPBEAR_FAILURE;
>        }
>
> -       /* check for an empty password */
> -       if (ses.authstate.pw_passwd[0] == '\0') {
> +#ifdef ENABLE_SVR_PASSWORD_AUTH
> +/* only care if using passwords! */
> +/* check for an empty password */
> +       if (!svr_opts.noauthpass &&
> +               ses.authstate.pw->pw_passwd[0] == '\0') {
>                TRACE(("leave checkusername: empty pword"))
>                dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected",
>                                ses.authstate.pw_name);
>                send_msg_userauth_failure(0, 1);
>                return DROPBEAR_FAILURE;
>        }
> +#endif
>
>        TRACE(("shell is %s", ses.authstate.pw_shell))
>
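
Review bot: The added condition dereferences ses.authstate.pw->pw_passwd[0], but the line it replaces and the unchanged context in this same hunk use ses.authstate.pw_passwd, ses.authstate.pw_name and ses.authstate.pw_shell directly, so the new line does not match the structure the rest of the hunk is written against. Suggest keeping ses.authstate.pw_passwd[0] == '\0' in the new test. The two added comment lines could also be merged into one and indented with the code they describe.
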
> diff -Nru dropbear-0.51.orig/svr-runopts.c dropbear-0.51/svr-runopts.c
> --- dropbear-0.51.orig/svr-runopts.c    2008-03-27 13:17:16.000000000 +0000
> +++ dropbear-0.51/svr-runopts.c 2008-03-28 10:29:24.000000000 +0000
> @@ -111,8 +111,13 @@
>        svr_opts.banner = NULL;
>        svr_opts.forkbg = 1;
>        svr_opts.norootlogin = 0;
> +#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
>        svr_opts.noauthpass = 0;
>        svr_opts.norootpass = 0;
> +#else
> +       svr_opts.noauthpass = 1;
> +       svr_opts.norootpass = 1;
> +#endif
>        svr_opts.inetdmode = 0;
>        svr_opts.portcount = 0;
>        svr_opts.hostkey = NULL;
>
>
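
Review bot: The guard here tests ENABLE_SVR_PASSWORD_AUTH || ENABLE_SVR_PAM_AUTH, while the svr-auth.c hunk wraps the blank-password check in #ifdef ENABLE_SVR_PASSWORD_AUTH alone. In a PAM-only build noauthpass stays 0 here, yet the check in svr-auth.c is compiled out, so the two conditions should be made the same. A one-line comment saying why both flags default to 1 when no password method is compiled in would also help the next reader.
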

keesan at sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org


