RFC: PATCH: Allow configuring "allow blank password option" at runtime
Matt Johnston
matt at ucc.asn.au
Fri Feb 22 23:56:30 WST 2013
Hi Paul,
Thanks for that, I've committed it for the next release.
Cheers,
Matt
On Wed, Feb 20, 2013 at 04:51:14PM +0000, Paul Eggleton wrote:
> Hi there,
>
> Attached is a patch we've developed for dropbear within the Yocto Project to
> avoid the need to rebuild dropbear when we wish to disable the ability to log
> into accounts that have a blank password set. It removes the compile-time
> option and adds a -B command-line option which enables the functionality.
>
> We'd really like to see this (or something like it) upstream. If an
> alternative implementation would be preferred please let me know.
>
> Cheers,
> Paul
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
> # HG changeset patch
> # User Paul Eggleton <paul.eggleton at linux.intel.com>
> # Date 1360684377 0
> # Node ID 92aea57140965ca60e40f99d485c14f0425afd90
> # Parent 63f8d6c469cf51624c9a48dbac1f2ae9b4cd82b6
> Allow configuring "allow blank password option" at runtime
>
> Changes this from a compile-time switch to a command-line option.
>
> Signed-off-by: Paul Eggleton <paul.eggleton at linux.intel.com>
>
> diff -r 63f8d6c469cf -r 92aea5714096 options.h
> --- a/options.h Thu May 17 00:26:12 2012 +0800
> +++ b/options.h Tue Feb 12 15:52:57 2013 +0000
> @@ -180,11 +180,6 @@
> #define ENABLE_SVR_PUBKEY_OPTIONS
> #endif
>
> -/* Define this to allow logging in to accounts that have no password specified.
> - * Public key logins are allowed for blank-password accounts regardless of this
> - * setting. */
> -/* #define ALLOW_BLANK_PASSWORD */
> -
> #define ENABLE_CLI_PASSWORD_AUTH
> #define ENABLE_CLI_PUBKEY_AUTH
> #define ENABLE_CLI_INTERACT_AUTH
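Review bot: With the `ALLOW_BLANK_PASSWORD` block deleted from options.h and the matching `#ifdef` removed from svr-auth.c later in this patch, a downstream options.h or build flag that still defines the macro will compile cleanly and silently stop permitting blank-password logins. That fails closed, but a deployment relying on the old switch gets no hint that it now has to pass -B. Consider leaving an `#ifdef ALLOW_BLANK_PASSWORD` / `#error` stub here, or at least calling the change out in the changelog.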
> diff -r 63f8d6c469cf -r 92aea5714096 runopts.h
> --- a/runopts.h Thu May 17 00:26:12 2012 +0800
> +++ b/runopts.h Tue Feb 12 15:52:57 2013 +0000
> @@ -89,6 +89,7 @@
>
> int noauthpass;
> int norootpass;
> + int allowblankpass;
>
> #ifdef ENABLE_SVR_REMOTETCPFWD
> int noremotetcp;
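Review bot: The new `allowblankpass` field in runopts.h carries no comment, and the statement deleted from options.h, that public key logins are allowed for blank-password accounts regardless of this setting, is not carried over anywhere in the patch. A short comment on the field would preserve that, and would also flag that this field is an opt-in while its neighbours `noauthpass` and `norootpass` are opt-outs.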
> diff -r 63f8d6c469cf -r 92aea5714096 svr-auth.c
> --- a/svr-auth.c Thu May 17 00:26:12 2012 +0800
> +++ b/svr-auth.c Tue Feb 12 15:52:57 2013 +0000
> @@ -154,8 +154,8 @@
> strncmp(methodname, AUTH_METHOD_NONE,
> AUTH_METHOD_NONE_LEN) == 0) {
> TRACE(("recv_msg_userauth_request: 'none' request"))
> -#ifdef ALLOW_BLANK_PASSWORD
> - if (!svr_opts.noauthpass
> + if (svr_opts.allowblankpass
> + && !svr_opts.noauthpass
> && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
> && ses.authstate.pw_passwd[0] == '\0')
> {
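Review bot: In the 'none' request condition in svr-auth.c, -B is silently ineffective whenever -s is also given (`!svr_opts.noauthpass`), and for uid 0 whenever -g is given. That precedence is the safe one, but an administrator who passes both gets no feedback; a startup warning when `allowblankpass` and `noauthpass` are both set would make the effective policy visible.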
> @@ -167,7 +167,6 @@
> goto out;
> }
> else
> -#endif
> {
> send_msg_userauth_failure(0, 0);
> goto out;
> diff -r 63f8d6c469cf -r 92aea5714096 svr-authpasswd.c
> --- a/svr-authpasswd.c Thu May 17 00:26:12 2012 +0800
> +++ b/svr-authpasswd.c Tue Feb 12 15:52:57 2013 +0000
> @@ -29,6 +29,7 @@
> #include "buffer.h"
> #include "dbutil.h"
> #include "auth.h"
> +#include "runopts.h"
>
> #ifdef ENABLE_SVR_PASSWORD_AUTH
>
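Review bot: The `#include "runopts.h"` added to svr-authpasswd.c is the only change to that file in this patch, so nothing shown here uses `svr_opts` there. Either the include can be dropped, or a hunk that consults `allowblankpass` in the password method is missing from the posting. Within this patch the option is only checked in the 'none' handler in svr-auth.c.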
> diff -r 63f8d6c469cf -r 92aea5714096 svr-runopts.c
> --- a/svr-runopts.c Thu May 17 00:26:12 2012 +0800
> +++ b/svr-runopts.c Tue Feb 12 15:52:57 2013 +0000
> @@ -63,6 +63,7 @@
> #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
> "-s Disable password logins\n"
> "-g Disable password logins for root\n"
> + "-B Allow blank password logins\n"
> #endif
> #ifdef ENABLE_SVR_LOCALTCPFWD
> "-j Disable local port forwarding\n"
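Review bot: The -B usage line in svr-runopts.c is the only documentation the option gets, since the patch as posted changes no manual page. Because this switch lets accounts with no password specified log in, the description should at least state that it is off by default (the next hunk initialises `allowblankpass` to 0), and the same text belongs in the man page alongside -s and -g.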
> @@ -115,6 +116,7 @@
> svr_opts.norootlogin = 0;
> svr_opts.noauthpass = 0;
> svr_opts.norootpass = 0;
> + svr_opts.allowblankpass = 0;
> svr_opts.inetdmode = 0;
> svr_opts.portcount = 0;
> svr_opts.hostkey = NULL;
> @@ -234,6 +236,9 @@
> case 'g':
> svr_opts.norootpass = 1;
> break;
> + case 'B':
> + svr_opts.allowblankpass = 1;
> + break;
> #endif
> case 'h':
> printhelp(argv[0]);