Dropbear patch suggestion
Rob Landley
rob at landley.net
Fri Apr 4 04:38:02 WST 2008
On Thursday 03 April 2008 10:38:25 sindi keesan wrote:
> If I apply your patch will it allow logins without password?
>
> I am being told
> user 'user' has blank password, rejected (ditto for root)
>
> My little linux came with no passwords (just hit Enter to log in as root)
> and I added them (probably with busybox passwd). It is a bare-bones
> distro and maybe dropbear is looking for some file which is not there.
>
> I have real passwords for root and user in /etc/passwd. I also have root
> and user listed in /etc/shadow. (I think our linux came without shadow
> but adduser added it).
If you have /etc/shadow, then dropbear will look for passwords out of there
rather than looking for them in /etc/passwd. (Why do you even have
an /etc/shadow file and then define the passwords in /etc/passwd? That's
kind of backwards... The point of /etc/shadow is to store passwords
somewhere that _isn't_ world readable. That's the entire reason the file
exists, to take passwords out of /etc/passwd and put them in to a file normal
users can't read, because modern laptops can break most hashed 6-8 char
password in a few hours if they have the hash to test against...)
Rob
--
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson.
More information about the Dropbear
mailing list