Dropbear patch suggestion

Rob Landley rob at landley.net
Fri Apr 4 04:38:02 WST 2008


On Thursday 03 April 2008 10:38:25 sindi keesan wrote:
> If I apply your patch will it allow logins without password?
>
> I am being told
> user 'user' has blank password, rejected  (ditto for root)
>
> My little linux came with no passwords (just hit Enter to log in as root)
> and I added them (probably with busybox passwd).  It is a bare-bones
> distro and maybe dropbear is looking for some file which is not there.
>
> I have real passwords for root and user in /etc/passwd. I also have root
> and user listed in /etc/shadow.  (I think our linux came without shadow
> but adduser added it).

If you have /etc/shadow, then dropbear will look for passwords out of there 
rather than looking for them in /etc/passwd.  (Why do you even have 
an /etc/shadow file and then define the passwords in /etc/passwd?  That's 
kind of backwards...  The point of /etc/shadow is to store passwords 
somewhere that _isn't_ world readable.  That's the entire reason the file 
exists, to take passwords out of /etc/passwd and put them in to a file normal 
users can't read, because modern laptops can break most hashed 6-8 char 
password in a few hours if they have the hash to test against...)

Rob
-- 
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.



More information about the Dropbear mailing list