dropbear still requires password when password is blank

Matt Johnston matt at ucc.asn.au
Fri Apr 27 00:32:42 WST 2012


Hi,

> When I ssh to the openssh server using an account with an empty
> password, I see that the auth method "none" succeeds.  When I ssh
> to the dropbear server, it ends up using auth method "password" with
> an empty password.  Can somebody lend me a clue as to what I need to
> do to make dropbear act like openssh/telnetd/login in the case where
> a user's password is empty?

The way SSH auth works is that whenever the client sends an
auth request the server responds with either "success" or
failure with a list of valid auth methods. So the normal way
is that a client requests "none" auth, the server fails with
a list of methods that can be used, then the client tries
"password" etc.

I assume what OpenSSH is doing is looking whether the user
has a blank password at the first "none" request, and
sending "success" straight away. That seems sensible enough
to me, Dropbear should probably do the same so it can be
like rshd :)

Have a look at svr-auth.c, search for AUTH_METHOD_NONE. I
think the checkusername() test needs to move before the
'none' test (that populates ses.authstate.pw_passwd among
other things). Then the "none" test can apply the same logic
for ALLOW_BLANK_PASSWORD as svr_auth_password().

That's a 2 minute look at how Dropbear could be modified,
there might be some caveats I haven't noticed.  Patches
accepted or I might try to get it done for the next release.

Cheers,
Matt
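
The block below is an added example and is not Dropbear's code or anything posted in this thread: a small C model of the two server orderings the message describes, run against a constructed three-entry password table. The names user_rec, lookup(), check_password(), server_auth_current() and server_auth_proposed() are assumptions of this model, not Dropbear identifiers; ALLOW_BLANK_PASSWORD is the policy name the message itself refers to. Passwords are compared as plain strings here where a real server compares crypt(3) hashes.

```c
/* Added illustrative model, not Dropbear's svr-auth.c.  Names other than
 * ALLOW_BLANK_PASSWORD are assumptions of this model. */
#include <stdio.h>
#include <string.h>

#ifndef ALLOW_BLANK_PASSWORD
#define ALLOW_BLANK_PASSWORD 1  /* policy; -DALLOW_BLANK_PASSWORD=0 refuses blanks */
#endif

enum auth_result { AUTH_FAIL = 0, AUTH_SUCCESS = 1 };

/* Constructed stand-in for the passwd/shadow lookup.  pw_passwd is compared
 * directly here; real code compares a crypt(3) hash instead. */
struct user_rec { const char *name; const char *pw_passwd; };

static const struct user_rec users[] = {
    { "alice",  "correct horse" },  /* ordinary account */
    { "guest",  "" },               /* blank password */
    { "locked", "!" },              /* locked account: "!" / "*" never match */
};

static const struct user_rec *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

static int blank_allowed(const struct user_rec *rec)
{
    return ALLOW_BLANK_PASSWORD && rec->pw_passwd[0] == '\0';
}

/* "password" method: an empty submitted password is accepted only under the
 * blank-password policy, and a locked account never matches anything. */
static enum auth_result check_password(const struct user_rec *rec,
                                       const char *password)
{
    if (password[0] == '\0')
        return blank_allowed(rec) ? AUTH_SUCCESS : AUTH_FAIL;
    if (rec->pw_passwd[0] == '!' || rec->pw_passwd[0] == '*')
        return AUTH_FAIL;
    return strcmp(password, rec->pw_passwd) == 0 ? AUTH_SUCCESS : AUTH_FAIL;
}

/* Ordering the message describes as current: "none" is answered before the
 * user is looked up, so it always fails with the method list, and a
 * blank-password account only gets in via "password" with "". */
enum auth_result server_auth_current(const char *user, const char *method,
                                     const char *password, const char **methods)
{
    const struct user_rec *rec;
    if (methods) *methods = "password";   /* methods that can continue */
    if (strcmp(method, "none") == 0)
        return AUTH_FAIL;
    rec = lookup(user);
    if (rec == NULL)
        return AUTH_FAIL;
    if (strcmp(method, "password") == 0)
        return check_password(rec, password);
    return AUTH_FAIL;                     /* unsupported method */
}

/* Ordering the message proposes: look the user up first, then let "none"
 * apply the same blank-password logic, so the client's opening probe
 * succeeds straight away for a blank-password account. */
enum auth_result server_auth_proposed(const char *user, const char *method,
                                      const char *password, const char **methods)
{
    const struct user_rec *rec = lookup(user);
    if (methods) *methods = "password";
    /* An unknown user must fail exactly like a known user with a wrong
     * password, or the "none" probe becomes an account-enumeration oracle. */
    if (rec == NULL)
        return AUTH_FAIL;
    if (strcmp(method, "none") == 0)
        return blank_allowed(rec) ? AUTH_SUCCESS : AUTH_FAIL;
    if (strcmp(method, "password") == 0)
        return check_password(rec, password);
    return AUTH_FAIL;
}

/* Replay the two-step exchange for one user against one server variant. */
static void trace(const char *label,
                  enum auth_result (*srv)(const char *, const char *,
                                          const char *, const char **),
                  const char *user)
{
    const char *methods = "";
    enum auth_result r = srv(user, "none", "", &methods);
    if (r == AUTH_SUCCESS) {
        printf("%s: %s none -> SUCCESS\n", label, user);
        return;
    }
    printf("%s: %s none -> FAILURE, can continue: %s\n", label, user, methods);
    r = srv(user, "password", "", &methods);
    printf("%s: %s password \"\" -> %s\n", label, user,
           r == AUTH_SUCCESS ? "SUCCESS" : "FAILURE");
}

int main(void)
{
    trace("current ", server_auth_current,  "guest");
    trace("proposed", server_auth_proposed, "guest");
    trace("proposed", server_auth_proposed, "alice");
    return 0;
}
```

Compile and run as-is to see the exchange for the blank-password account under both orderings; rebuild with -DALLOW_BLANK_PASSWORD=0 and both orderings refuse "guest" at the "none" step and at the empty "password" step alike. The one caveat worth carrying into a real patch sits in server_auth_proposed(): once the username is checked before "none", an unknown user has to get the same failure reply as a known user with a wrong password, otherwise the opening probe tells an attacker which accounts exist.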

