dropbear still requires password when password is blank
Grant Edwards
grant.b.edwards at gmail.com
Fri Apr 27 01:02:50 WST 2012
On 2012-04-26, Matt Johnston <matt at ucc.asn.au> wrote:
> I assume what OpenSSH is doing is looking whether the user has a
> blank password at the first "none" request, and sending "success"
> straight away.

Ah, I had assumed that the process started out with the server sending
a list of acceptable auth methods, and I couldn't find that anywhere.
But, I gather that the client just starts sending various auth
requests in whatever order it wants until it finds a winner.

> That seems sensible enough to me, Dropbear should probably do the
> same so it can be like rshd :)

I had forgotten about rsh/rlogin...

> Have a look at svr-auth.c , search for AUTH_METHOD_NONE. I think the
> checkusername() test needs to move before the 'none' test (that
> populates ses.authstate.pw_passwd among other things). Then the
> "none" test can apply the same logic for ALLOW_BLANK_PASSWORD as
> svr_auth_password().

I'll take a look and see what I can come up with.

> That's a 2 minute look at how Dropbear could be modified, there might
> be some caveats I haven't noticed. Patches accepted or I might try
> get it done for the next release.

It might seem that hitting "enter" at the password prompt isn't a big
deal, and for interactive use, that's true. The embedded system is
set up with a blank password mainly during development and testing
because it's a handy way to do automated testing using shell scripts
running on the development host. The password prompt breaks that.

--
Grant Edwards
grant.b.edwards at gmail.com
Yow! I would like to urinate in an OVULAR, porcelain pool --