Dropbear patch suggestion

sindi keesan keesan at sdf.lonestar.org
Fri Apr 4 23:56:25 WST 2008


On Fri, 4 Apr 2008, Rob Landley wrote:

> On Thursday 03 April 2008 21:32:05 sindi keesan wrote:
>> On Thu, 3 Apr 2008, Rob Landley wrote:
>>> On Thursday 03 April 2008 16:13:43 sindi keesan wrote:
>>>> I don't know where shadow came from or why it appears not to work.
>>
>> It came from the original setup, where root and user had blank passwords.
>> Apparently the busybox passwd changed the passwords in passwd but not in
>> shadow, and dropbear looked at shadow but not at passwd to decide that my
>> passwords were blank.  When I boot and log in passwd seems to be
>> consulted, not shadow.  Maybe someone would like to patch dropbear to look
>> at BOTH files (passwd as well as shadow) before deciding there are blank
>> passwords?
>
> It's more that the spec says that _if_ there is a shadow file, the password
> should live there.  They only live in /etc/passwd on systems that haven't got
> shadow password support.

When I log in, why does my system consult passwd and not shadow?

> So your system was in a weird state.  Not really dropbear's bug.

Our system is definitely weird.  I seem to have made it worse.

>> I found dropbear at the uclibc site, which I was at because I was
>> compiling busybox, so if it is the busybox passwd (or adduser) that is
>> leaving shadow unchanged while changing passwd, someone else might end up
>> with the same problem as I have.
>
> Busybox has a CONFIG entry for shadow password support or not.  If it's
> creating a shadow file when shadow password support is disabled, that's a
> bug.  (Last time I was involved in busybox was the 1.2.2 release...)

I compiled my own busybox and did not understand most of the questions.
Apparently it edited the passwd file without removing shadow.  I don't 
know why we even had a shadow file when we had no passwords - it came on 
the 2-floppy download of our linux.

I told people on our list to delete shadow if they were having problems 
with dropbear.

> If you're using a version of busybox that's configured not to support shadow
> passwords on a system that's configured to use shadow passwords, that's a
> problem.

I have compiled 1.1.0 and 1.3.2 of busybox.  I compiled without shadow 
support.  Some day I can redo this.


>>>> I think I ran the busybox passwd (or adduser?) to assign passwords.
>>>>
>>>> In another version of this distro, I used a package provided by the
>>>> distro to create a user and assign passwords to user and root, and there
>>>> is no 'shadow' file there, and dropbear works 'out of the box' (once I
>>>> make the rsa key).
>>>
>>> You used two different passwd programs, one of which supported shadow
>>> passwords and one that didn't.  You wound up with /etc in a fairly insane
>>> state.
>>
>> The shadow file was there before I added passwords.  I used one program
>> per distro.  Manually removing shadow fixed my problem.
>>
>> My setup worked until now.  (I am often surprised when things work).

> If you were only using the busybox utilities, they sound like they were
> configured to ignore /etc/shadow.

Yes.  At least busybox is consistent even if I was not.

>>>> This distro is not intended to be highly secure.  It is for older
>>>> hardware and to learn on.
>>>
>>> It doesn't have to be secure it just has to be consistent.
>>
>> I will mention to others on the list that they need to remove shadow if
>> they add passwords to BL 2.
>
> Or they could fix their busybox .config...

They are probably not using my busybox, which I compiled myself, but some 
user adding program from Slackware.  The later version of our linux does 
not come with shadow.

>>> Linux security is a whole big issue of its own, worthy of at least a
>>> semester long undergraduate course.
>>
>> Probably with some prerequisites.  This is my first and only linux.
>
> Have you read Linux From Scratch yet?

I have heard of it.  The security site will take me a while to get 
through.

> http://www.linuxfromscratch.org/lfs/view/stable/
>
> Then you can read the sequels:
>
> http://www.linuxfromscratch.org/
>
> Rob
> -- 
> "One of my most productive days was throwing away 1000 lines of code."
>  - Ken Thompson.
>

keesan at sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
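The state described in this thread (a busybox passwd built without shadow support rewrote /etc/passwd, while a leftover /etc/shadow kept blank password fields, so a shadow-aware program such as dropbear saw empty passwords) can be checked for before anyone logs in. The script below is an added example, not code from the thread, from dropbear or from busybox. It assumes the standard colon-separated /etc/passwd and /etc/shadow layouts; the sample file contents and the hash strings in them are constructed placeholders, not real hashes.

```python
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample input modelled on the thread: passwd holds hashes written
# by a non-shadow passwd, shadow still holds the blank fields from the original
# image, daemon has no shadow entry at all. The hash values are placeholders.
SAMPLE_PASSWD = """\
root:$1$PLACEHOLDERHASHROOT:0:0:root:/root:/bin/sh
user:$1$PLACEHOLDERHASHUSER:1000:100:user:/home/user:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/false
nobody:*:99:99:nobody:/:/bin/false
"""

SAMPLE_SHADOW = """\
root::13970:0:99999:7:::
user::13970:0:99999:7:::
nobody:*:13970:0:99999:7:::
"""


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user name -> field list for a passwd- or shadow-style file."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def classify(password_field: str) -> str:
    """Describe what a password field means to a program reading that file."""
    if password_field == "":
        return "blank"       # empty password: login with no password
    if password_field == "x":
        return "deferred"    # passwd says: the real field lives in shadow
    if password_field.startswith(("!", "*")):
        return "locked"
    return "hash"


def audit(passwd_text: str, shadow_text: Optional[str]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; shadow_text=None means no /etc/shadow exists.

    Only the password fields are compared. The point is to find accounts for
    which a shadow-aware program (dropbear, a shadow-enabled login) and a
    passwd-only program (busybox built without shadow support) would disagree.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text) if shadow_text is not None else None
    findings: List[Tuple[str, str]] = []
    for user, pfields in passwd.items():
        pstate = classify(pfields[1])
        if shadow is None:
            # No shadow file: /etc/passwd is the only source of truth.
            if pstate == "blank":
                findings.append((user, "blank password in passwd, no shadow file"))
            continue
        # A shadow file exists, so shadow-aware programs will consult it.
        if user not in shadow:
            findings.append((user, "missing from shadow; shadow-aware login cannot verify a password"))
            continue
        sstate = classify(shadow[user][1])
        if sstate == "blank":
            if pstate == "hash":
                findings.append((user, "hash in passwd but BLANK in shadow: shadow-aware programs see an empty password"))
            else:
                findings.append((user, "blank password in shadow"))
        elif pstate == "hash" and sstate == "hash":
            findings.append((user, "different hashes in passwd and shadow; which applies depends on the program"))
    return findings


def read_optional(path: str) -> Optional[str]:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # With no arguments run on the constructed sample; otherwise on real files,
    # e.g.  python3 audit_shadow.py /etc/passwd /etc/shadow  (needs read access).
    if len(sys.argv) == 3:
        results = audit(read_optional(sys.argv[1]) or "", read_optional(sys.argv[2]))
    else:
        results = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, finding in results:
        print(f"{name}: {finding}")
```

Run against the sample, it reports root and user as "hash in passwd but BLANK in shadow" and daemon as missing from shadow; nobody, locked in both files, is consistent and produces nothing. On a live system the same report says which accounts a shadow-aware sshd would accept with an empty password before the file is fixed or removed.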


