DROPBEAR_PASSWORD and password expiration

Antony Pavlenko antony at pavlenko.net
Tue Dec 8 15:35:12 WST 2009


Hello.
First of all thanks a lot for your great ssh client/server!
As for me, it isn't really "totally wrong" to call m_burn on the
DROPBEAR_PASSWORD. It is a really useful feature, because when the ssh
session is already established nobody can find the correct password in
/proc/pid/environ (Linux) or with pargs -e (Solaris).
So it would be great not to just remove m_burn for DROPBEAR_PASSWORD, but
to move it to some place after authorization.

With regards,
Anton Pavlenko

On Tue, Dec 8, 2009 at 2:34 AM, Matt Johnston <matt at ucc.asn.au> wrote:

> Hi Anton,
>
> It certainly is wrong for it to be calling m_burn on the
> DROPBEAR_PASSWORD environment variable, I'll fix that. I'm
> not totally sure what the correct behaviour for "change
> password" or other similar auth prompts is - perhaps
> DROPBEAR_PASSWORD should only be used for the first
> "no-echo" response.
>
> In keyboard interactive mode dbclient just gets given a
> series of "ask the user this question, with echo off/on"
> prompts from the server - it doesn't really know if it's
> being asked for the current password, a new password, or
> something totally different (like a token ID etc).
>
> Cheers,
> Matt
>
> On Sat, Dec 05, 2009 at 08:18:11PM +0300, Antony Pavlenko wrote:
> > Hello.
> > There is a rather unpleasant dbclient behavior when DROPBEAR_PASSWORD
> > is used.
> > Everything works great until password expiration is used.
> > When the password is expired and you try to log in with dbclient with
> > DROPBEAR_PASSWORD, then dbclient will change the password to ffff. And
> > there will be as many 'f' symbols in the new password as the
> > DROPBEAR_PASSWORD length.
> >
> > It works this way because in recv_msg_userauth_info_request you call
> > getpass_or_cancel, and if DROPBEAR_PASSWORD is used it returns a pointer
> > to the DROPBEAR_PASSWORD environment variable. And then you use m_burn
> > to clear the password value from memory.
> >
> > Here is the code:
> >
> > unsigned char* p = getpass_or_cancel(prompt);
> > response = m_strdup(p);
> > m_burn(p, strlen(p));
> >
> > But if this pass is correct and expired, then the host will ask dbclient
> > to enter a new pass. dbclient will take DROPBEAR_PASSWORD again, but now
> > there is another pass, which was written by m_burn.
> >
> > I like the DROPBEAR_PASSWORD feature very much, and that dbclient can
> > change an expired password. Also it is great that nobody can dump the
> > password from the environment variable.
> >
> > I don't know the best way to fix it without breaking this great
> > feature. I can't say that I really understand the dropbear code, but
> > maybe move m_burn for the environment variable to the end of
> > recv_msg_userauth_specific_60, or any other place where authorization is
> > really finished?
> >
> > With regards,
> > --
> > Anton Pavlenko
> >
>
>
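The behaviour reported in this thread next to the deferred burn proposed as a fix, as an added C example that is not Dropbear's code. `burn` is a stand-in for m_burn that writes 'f' as the report describes; the function names and the sample password are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for m_burn: overwrite with 'f', matching the "ffff" in the report. */
static void burn(char *p, size_t len) { memset(p, 'f', len); }

/* Reported pattern: copy the answer, then burn the buffer it came from.
 * With DROPBEAR_PASSWORD that buffer is the live environment string. */
char *answer_prompt_burn_now(void) {
    char *p = getenv("DROPBEAR_PASSWORD");
    if (!p) return NULL;
    char *response = strdup(p);
    burn(p, strlen(p));
    return response;
}

/* Deferred variant: leave the environment alone while prompts may still arrive. */
char *answer_prompt_deferred(void) {
    char *p = getenv("DROPBEAR_PASSWORD");
    return p ? strdup(p) : NULL;
}

/* Call once authentication has really finished. */
void burn_env_password(void) {
    char *p = getenv("DROPBEAR_PASSWORD");
    if (p) burn(p, strlen(p));
}

/* Constructed scenario: prompt 1 = current password, prompt 2 = new password
 * after the server reports expiry. Returns the answer given to prompt 2. */
char *second_answer(char *(*answer)(void)) {
    setenv("DROPBEAR_PASSWORD", "s3cret", 1);   /* constructed sample value */
    char *first = answer();
    char *second = answer();
    if (first) { burn(first, strlen(first)); free(first); }
    return second;
}

int main(void) {
    char *a = second_answer(answer_prompt_burn_now);
    char *b = second_answer(answer_prompt_deferred);
    burn_env_password();
    printf("burn-now: %s\ndeferred: %s\nenv after auth: %s\n",
           a, b, getenv("DROPBEAR_PASSWORD"));
    free(a); free(b);
    return 0;
}
```

The deferred variant keeps the property Anton asks for: after `burn_env_password()` the value visible through /proc/pid/environ or pargs -e is no longer the password.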