dropbear still requires password when password is blank

[Grant Edwards]

On 2012-04-27, Laurent Bercot <ska-dietlibc at skarnet.org> wrote:
>> It might seem that hitting "enter" at the password prompt isn't a big
>> deal, and for interactive use, that's true.  The embedded system is
>> set up with a blank password mainly during development and testing
>> because it's a handy way to do automate testing using shell scripts
>> running on the development host. The password prompt breaks that.
>
> I've always run automated stuff on embedded boxes via dropbear with a
> little pubkey authentication; I store a public key in the embedded
> firmware, and the testing process has the corresponding private key.
> This has the following additional advantage: if there's a massive
> f*ckup and some development version goes into release, the box is
> still not publicly accessible. ;)

I thought about doing something like that, but currently the plan is
to ship with the root password blank (the customer can set it if they
want), and no configured public key remote-access (which would look
like back-door).  Doing testing with that same configuration seemed
like a good idea.  I wrote a telnet client app in python to allow me
to run commands remotely in an automated way. But, it's a bit quirky,
it doesn't provide for copying files, and we're not planning on
shipping with telnetd enabled.

So, I'm going to have a go at enabled the "none" auth method in
dropbear if the user has a blank password (and blank passwords are
allowed).

-- 
Grant