RFC: PATCH: Allow configuring "allow blank password option" at runtime

Matt Johnston matt at ucc.asn.au
Fri Feb 22 23:56:30 WST 2013


Hi Paul,

Thanks for that, I've committed it for the next release.

Cheers,
Matt

On Wed, Feb 20, 2013 at 04:51:14PM +0000, Paul Eggleton wrote:
> Hi there,
> 
> Attached is a patch we've developed for dropbear within the Yocto Project to 
> avoid the need to rebuild dropbear when we wish to disable the ability to log 
> into accounts that have a blank password set. It removes the compile-time 
> option and adds a -B command-line option which enables the functionality.
> 
> We'd really like to see this (or something like it) upstream. If an 
> alternative implementation would be preferred please let me know.
> 
> Cheers,
> Paul
> 
> -- 
> 
> Paul Eggleton
> Intel Open Source Technology Centre

> # HG changeset patch
> # User Paul Eggleton <paul.eggleton at linux.intel.com>
> # Date 1360684377 0
> # Node ID 92aea57140965ca60e40f99d485c14f0425afd90
> # Parent  63f8d6c469cf51624c9a48dbac1f2ae9b4cd82b6
> Allow configuring "allow blank password option" at runtime
> 
> Changes this from a compile-time switch to a command-line option.
> 
> Signed-off-by: Paul Eggleton <paul.eggleton at linux.intel.com>
> 
> diff -r 63f8d6c469cf -r 92aea5714096 options.h
> --- a/options.h	Thu May 17 00:26:12 2012 +0800
> +++ b/options.h	Tue Feb 12 15:52:57 2013 +0000
> @@ -180,11 +180,6 @@
>  #define ENABLE_SVR_PUBKEY_OPTIONS
>  #endif
>  
> -/* Define this to allow logging in to accounts that have no password specified.
> - * Public key logins are allowed for blank-password accounts regardless of this
> - * setting. */
> -/* #define ALLOW_BLANK_PASSWORD */
> -
>  #define ENABLE_CLI_PASSWORD_AUTH
>  #define ENABLE_CLI_PUBKEY_AUTH
>  #define ENABLE_CLI_INTERACT_AUTH
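
Review bot: Missing documentation: the comment removed here was the only place stating that public key logins are allowed for blank-password accounts regardless of this setting, and the replacement help line, "-B Allow blank password logins", does not say so. Suggest carrying that sentence into the -B help text or a man page entry; the patch touches only options.h, runopts.h, svr-auth.c, svr-authpasswd.c and svr-runopts.c, so no man page is updated.
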
> diff -r 63f8d6c469cf -r 92aea5714096 runopts.h
> --- a/runopts.h	Thu May 17 00:26:12 2012 +0800
> +++ b/runopts.h	Tue Feb 12 15:52:57 2013 +0000
> @@ -89,6 +89,7 @@
>  
>  	int noauthpass;
>  	int norootpass;
> +	int allowblankpass;
>  
>  #ifdef ENABLE_SVR_REMOTETCPFWD
>  	int noremotetcp;
> diff -r 63f8d6c469cf -r 92aea5714096 svr-auth.c
> --- a/svr-auth.c	Thu May 17 00:26:12 2012 +0800
> +++ b/svr-auth.c	Tue Feb 12 15:52:57 2013 +0000
> @@ -154,8 +154,8 @@
>  			strncmp(methodname, AUTH_METHOD_NONE,
>  				AUTH_METHOD_NONE_LEN) == 0) {
>  		TRACE(("recv_msg_userauth_request: 'none' request"))
> -#ifdef ALLOW_BLANK_PASSWORD
> -		if (!svr_opts.noauthpass 
> +		if (svr_opts.allowblankpass
> +				&& !svr_opts.noauthpass
>  				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
>  				&& ses.authstate.pw_passwd[0] == '\0') 
>  		{
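
Review bot: In the new condition, `svr_opts.allowblankpass && !svr_opts.noauthpass`, the -B flag is silently overridden whenever `noauthpass` is set, and for uid 0 whenever `norootpass` (set by -g) is set. That fail-closed precedence is sensible, but nothing in the patch states it. Suggest documenting it next to the -B help line, or logging a warning at startup when -B is given together with an option that cancels it.
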
> @@ -167,7 +167,6 @@
>  			goto out;
>  		}
>  		else
> -#endif
>  		{
>  			send_msg_userauth_failure(0, 0);
>  			goto out;
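
Review bot: With the `#endif` removed, the blank-password branch and this `else` are compiled into every build, while the -B help line sits inside `#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)` and `case 'B'` is immediately followed by an `#endif` in svr-runopts.c. If option parsing is guarded by that same conditional, a build with neither macro defined can never set `allowblankpass`, so the check fails closed but the branch is dead code. Consider wrapping the branch in the same conditional, or adding a comment that this is intended.
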
> diff -r 63f8d6c469cf -r 92aea5714096 svr-authpasswd.c
> --- a/svr-authpasswd.c	Thu May 17 00:26:12 2012 +0800
> +++ b/svr-authpasswd.c	Tue Feb 12 15:52:57 2013 +0000
> @@ -29,6 +29,7 @@
>  #include "buffer.h"
>  #include "dbutil.h"
>  #include "auth.h"
> +#include "runopts.h"
>  
>  #ifdef ENABLE_SVR_PASSWORD_AUTH
>  
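
Review bot: The added `#include "runopts.h"` is the only change to svr-authpasswd.c in this patch, so nothing shown here uses it. If the password method is meant to honour `svr_opts.allowblankpass` as well as the 'none' method in svr-auth.c, that check is missing from the patch; if not, the include can be dropped.
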
> diff -r 63f8d6c469cf -r 92aea5714096 svr-runopts.c
> --- a/svr-runopts.c	Thu May 17 00:26:12 2012 +0800
> +++ b/svr-runopts.c	Tue Feb 12 15:52:57 2013 +0000
> @@ -63,6 +63,7 @@
>  #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
>  					"-s		Disable password logins\n"
>  					"-g		Disable password logins for root\n"
> +					"-B		Allow blank password logins\n"
>  #endif
>  #ifdef ENABLE_SVR_LOCALTCPFWD
>  					"-j		Disable local port forwarding\n"
> @@ -115,6 +116,7 @@
>  	svr_opts.norootlogin = 0;
>  	svr_opts.noauthpass = 0;
>  	svr_opts.norootpass = 0;
> +	svr_opts.allowblankpass = 0;
>  	svr_opts.inetdmode = 0;
>  	svr_opts.portcount = 0;
>  	svr_opts.hostkey = NULL;
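
Review bot: Behaviour change that needs a changelog entry: initialising `svr_opts.allowblankpass = 0` is the safe default, but with `ALLOW_BLANK_PASSWORD` removed from options.h, a build that used to define it will reject blank-password logins after upgrading until -B is added to the daemon's command line. Suggest stating this in the release notes so that init scripts are changed deliberately.
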
> @@ -234,6 +236,9 @@
>  				case 'g':
>  					svr_opts.norootpass = 1;
>  					break;
> +				case 'B':
> +					svr_opts.allowblankpass = 1;
> +					break;
>  #endif
>  				case 'h':
>  					printhelp(argv[0]);
