Dropbear patch suggestion

Rob Landley rob at landley.net
Fri Apr 4 22:53:47 WST 2008


On Thursday 03 April 2008 21:32:05 sindi keesan wrote:
> On Thu, 3 Apr 2008, Rob Landley wrote:
> > On Thursday 03 April 2008 16:13:43 sindi keesan wrote:
> >> I don't know where shadow came from or why it appears not to work.
>
> It came from the original setup, where root and user had blank passwords.
> Apparently the busybox passwd changed the passwords in passwd but not in
> shadow, and dropbear looked at shadow but not at passwd to decide that my
> passwords were blank.  When I boot and log in passwd seems to be
> consulted, not shadow.  Maybe someone would like to patch dropbear to look
> at BOTH files (passwd as well as shadow) before deciding there are blank
> passwords?

It's more that the spec says that _if_ there is a shadow file, the password 
should live there.  They only live in /etc/passwd on systems that haven't got 
shadow password support.

So your system was in a weird state.  Not really dropbear's bug.

> I found dropbear at the uclibc site, which I was at because I was
> compiling busybox, so if it is the busybox passwd (or adduser) that is
> leaving shadow unchanged while changing passwd, someone else might end up
> with the same problem as I have.

Busybox has a CONFIG entry for shadow password support or not.  If it's 
creating a shadow file when shadow password support is disabled, that's a 
bug.  (Last time I was involved in busybox was the 1.2.2 release...)

If you're using a version of busybox that's configured not to support shadow 
passwords on a system that's configured to use shadow passwords, that's a 
problem.

> >> I think I ran the busybox passwd (or adduser?) to assign passwords.
> >>
> >> In another version of this distro, I used a package provided by the
> >> distro to create a user and assign passwords to user and root, and there
> >> is no 'shadow' file there, and dropbear works 'out of the box' (once I
> >> make the rsa key).
> >
> > You used two different passwd programs, one of which supported shadow
> > passwords and one that didn't.  You wound up with /etc in a fairly insane
> > state.
>
> The shadow file was there before I added passwords.  I used one program
> per distro.  Manually removing shadow fixed my problem.
>
> My setup worked until now.  (I am often surprised when things work).

If you were only using the busybox utilities, they sound like they were 
configured to ignore /etc/shadow.

> >> This distro is not intended to be highly secure.  It is for older
> >> hardware and to learn on.
> >
> > It doesn't have to be secure, it just has to be consistent.
>
> I will mention to others on the list that they need to remove shadow if
> they add passwords to BL 2.

Or they could fix their busybox .config...

> > Linux security is a whole big issue of its own, worthy of at least a
> > semester-long undergraduate course.
>
> Probably with some prerequisites.  This is my first and only linux.

Have you read Linux From Scratch yet?

http://www.linuxfromscratch.org/lfs/view/stable/

Then you can read the sequels:

http://www.linuxfromscratch.org/

Rob
-- 
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.
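
The inconsistent state discussed in this thread (password fields that disagree between passwd and shadow) can be checked with a short shell function. This is an added example, not part of the original message and not code from Dropbear or BusyBox; the function name, status labels and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function name and status labels are chosen for illustration.
audit_passwd_shadow() {
    passwd_file=$1
    shadow_file=$2
    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file" >&2; return 2; }
    if [ ! -f "$shadow_file" ]; then
        echo "no shadow file: password hashes are expected in $passwd_file"
        return 0
    fi
    awk -F: '
        # Shadow file is read first: remember each account and its field 2.
        FILENAME == ARGV[1] { seen[$1] = 1; shadow[$1] = $2; next }
        # Then the passwd file: compare its field 2 with the shadow entry.
        {
            if (!($1 in seen)) status = "MISSING_FROM_SHADOW"
            else if (shadow[$1] == "" && $2 != "" && $2 != "x") status = "BLANK_SHADOW_PASSWD_SET"
            else if (shadow[$1] == "") status = "BLANK_SHADOW"
            else if ($2 != "x") status = "PASSWD_FIELD_NOT_X"
            else status = "OK"
            print $1 ": " status
        }
    ' "$shadow_file" "$passwd_file"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data, not taken from any real system.
    # root: value set in passwd but blank in shadow (the state from the thread).
    printf '%s\n' \
        'root:$1$abcdefgh$constructedvalue000:0:0:root:/root:/bin/sh' \
        'user:x:1000:1000::/home/user:/bin/sh' \
        'guest:x:1001:1001::/home/guest:/bin/sh' \
        'extra:x:1002:1002::/home/extra:/bin/sh' > "$dir/passwd"
    printf '%s\n' \
        'root::13900:0:99999:7:::' \
        'user:$1$abcdefgh$constructedvalue111:13900:0:99999:7:::' \
        'guest::13900:0:99999:7:::' > "$dir/shadow"
    audit_passwd_shadow "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
demo
```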


