dropbear authentication
Matt Johnston
matt at ucc.asn.au
Wed Aug 8 16:12:50 WST 2007
On Wed, Aug 08, 2007 at 09:53:12AM +0200, Giuseppe Cavallaro wrote:
> Just another question:
>
> Is it possible to totally skip authentication phase with dropbear?
> I mean, using telnet or ssh (but configuring the latter) I'm able to login
> without entering password and login.
> In this case my root entry in passwd is root::0:0 ...
There's a hardcoded check in checkusername() that won't
allow an empty password crypt since that's a common
misconfiguration. If the user has an OK entry in /etc/passwd
though, you can make Dropbear skip auth fairly easily; see
the patch below.
Matt
--- svr-auth.c dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3
+++ svr-auth.c 70235853e723eb3b7557be219aace2406ed45bb1
@@ -124,15 +124,6 @@ void recv_msg_userauth_request() {
dropbear_exit("unknown service in auth");
}
- /* user wants to know what methods are supported */
- if (methodlen == AUTH_METHOD_NONE_LEN &&
- strncmp(methodname, AUTH_METHOD_NONE,
- AUTH_METHOD_NONE_LEN) == 0) {
- TRACE(("recv_msg_userauth_request: 'none' request"))
- send_msg_userauth_failure(0, 0);
- goto out;
- }
-
/* check username is good before continuing */
if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
/* username is invalid/no shell/etc - send failure */
@@ -141,45 +132,8 @@ void recv_msg_userauth_request() {
goto out;
}
-#ifdef ENABLE_SVR_PASSWORD_AUTH
- if (!svr_opts.noauthpass &&
- !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
- /* user wants to try password auth */
- if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
- strncmp(methodname, AUTH_METHOD_PASSWORD,
- AUTH_METHOD_PASSWORD_LEN) == 0) {
- svr_auth_password();
- goto out;
- }
- }
-#endif
+ send_msg_userauth_success();
-#ifdef ENABLE_SVR_PAM_AUTH
- if (!svr_opts.noauthpass &&
- !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
- /* user wants to try password auth */
- if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
- strncmp(methodname, AUTH_METHOD_PASSWORD,
- AUTH_METHOD_PASSWORD_LEN) == 0) {
- svr_auth_pam();
- goto out;
- }
- }
-#endif
-
-#ifdef ENABLE_SVR_PUBKEY_AUTH
- /* user wants to try pubkey auth */
- if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
- strncmp(methodname, AUTH_METHOD_PUBKEY,
- AUTH_METHOD_PUBKEY_LEN) == 0) {
- svr_auth_pubkey();
- goto out;
- }
-#endif
-
- /* nothing matched, we just fail */
- send_msg_userauth_failure(0, 1);
-
out:
m_free(username);
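Review bot: The added `send_msg_userauth_success();` in the second hunk runs for every request whose username passes checkusername(), whatever method the client named, so any accepted account, uid 0 included, gets a session without presenting a credential, and the removed `svr_opts.noauthpass` / `svr_opts.norootpass` checks no longer have any effect. Because the first hunk also drops the 'none' reply, a client that only asks which methods are supported is authenticated as well. Nothing in the new code marks the build as auth-less, so I would wrap the call in a build-time guard that is off by default (the macro name here is a placeholder), `#ifdef NOAUTH_BUILD_PLACEHOLDER` … `#else` … `#endif`, keeping the original method dispatch in the `#else` branch, and put a comment above it such as `/* NO AUTHENTICATION: only for a listener that untrusted networks cannot reach */`. recv_msg_userauth_request() starts and ends outside both hunks, so whether a successful login is logged anywhere is not visible from here.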