Re: dropbear still requires password when password is blank
Hi,

Somehow I missed this patch and also a similar one from Chris Metcalf in 2010 :( Sorry about that. Anyway, I've now committed the same functionality for the next release (in Mercurial now).

Cheers,
Matt

On Thu, Apr 26, 2012 at 11:54:28AM -0400, Paul Smith wrote:
> On Thu, 2012-04-26 at 15:33 +, Grant Edwards wrote:
> > I'm trying to switch from the openssh server to dropbear's server on an embedded system, and I've run into one snag. I've enabled the allow blank password feature, but dropbear still prompts for a password on accounts that have blank passwords. That's wrong -- or at least it's different than what openssh, telnetd, login do.
>
> I've not been following dropbear development but a number of years ago, dropbear didn't support no-password login (as root for sure). I created a patch and submitted it to the dropbear list. Not sure if it (or something like it) was integrated.
>
> If it helps your investigation here's a link to the mailing list post with my patch although this was 3 years ago so not sure if/how much the code has changed: http://permalink.gmane.org/gmane.network.ssh.dropbear/845
Re: dropbear still requires password when password is blank
Hi,

> When I ssh to the openssh server using an account with an empty password, I see that the auth method none succeeds. When I ssh to the dropbear server, it ends up using auth method password with an empty password. Can somebody lend me a clue as to what I need to do to make dropbear act like openssh/telnetd/login in the case where a user's password is empty?

The way SSH auth works is that whenever the client sends an auth request the server responds with either success or failure with a list of valid auth methods. So the normal way is that a client requests none auth, the server fails with a list of methods that can be used, then the client tries password etc.

I assume what OpenSSH is doing is looking whether the user has a blank password at the first none request, and sending success straight away. That seems sensible enough to me, Dropbear should probably do the same so it can be like rshd :)

Have a look at svr-auth.c, search for AUTH_METHOD_NONE. I think the checkusername() test needs to move before the 'none' test (that populates ses.authstate.pw_passwd among other things). Then the none test can apply the same logic for ALLOW_BLANK_PASSWORD as svr_auth_password().

That's a 2 minute look at how Dropbear could be modified, there might be some caveats I haven't noticed. Patches accepted or I might try get it done for the next release.

Cheers,
Matt
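The ordering described in the message above, as a simplified model added here for illustration; it is not Dropbear's svr-auth.c and not code from this thread. The account table, `lookup_pw_passwd`, `handle_none_request`, `scripted_login` and the `allow_blank` flag (standing in for ALLOW_BLANK_PASSWORD) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table standing in for the passwd lookup. */
struct account { const char *name; const char *pw_passwd; };
static const struct account accounts[] = {
    { "testuser", "" },                            /* blank password */
    { "alice",    "$6$constructed$notarealhash" }, /* constructed value */
};

/* Hypothetical stand-in for the username check: stored field, or NULL. */
static const char *lookup_pw_passwd(const char *user) {
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return accounts[i].pw_passwd;
    return NULL;
}

/* Server side of a "none" userauth request. Returns 1 for success; on
 * failure returns 0 and sets *methods to what the client may try next. */
int handle_none_request(const char *user, int allow_blank, const char **methods) {
    /* Username check first, so the stored password field is known. */
    const char *pw = lookup_pw_passwd(user);
    *methods = NULL;
    /* Succeed only for a valid user whose field is empty, and only when
     * blank passwords are enabled. */
    if (pw != NULL && allow_blank && pw[0] == '\0')
        return 1;
    /* Unknown users get the same reply as users who need a credential. */
    *methods = "publickey,password";
    return 0;
}

/* Non-interactive client, such as a test script: it sends "none" and
 * cannot answer a prompt. Returns 1 if it is logged in. */
int scripted_login(const char *user, int allow_blank) {
    const char *methods;
    if (handle_none_request(user, allow_blank, &methods)) {
        printf("%s: none -> success\n", user);
        return 1;
    }
    printf("%s: none -> failure, can continue with: %s\n", user, methods);
    return 0;
}

int main(void) {
    scripted_login("testuser", 1);
    scripted_login("testuser", 0);
    scripted_login("alice", 1);
    scripted_login("nosuchuser", 1);
    return 0;
}
```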
Re: dropbear still requires password when password is blank
On 2012-04-26, Matt Johnston m...@ucc.asn.au wrote:
> I assume what OpenSSH is doing is looking whether the user has a blank password at the first none request, and sending success straight away.

Ah, I had assumed that the process started out with the server sending a list of acceptable auth methods, and I couldn't find that anywhere. But, I gather that the client just starts sending various auth requests in whatever order it wants until it finds a winner.

> That seems sensible enough to me, Dropbear should probably do the same so it can be like rshd :)

I had forgotten about rsh/rlogin...

> Have a look at svr-auth.c, search for AUTH_METHOD_NONE. I think the checkusername() test needs to move before the 'none' test (that populates ses.authstate.pw_passwd among other things). Then the none test can apply the same logic for ALLOW_BLANK_PASSWORD as svr_auth_password().

I'll take a look and see what I can come up with.

> That's a 2 minute look at how Dropbear could be modified, there might be some caveats I haven't noticed. Patches accepted or I might try get it done for the next release.

It might seem that hitting enter at the password prompt isn't a big deal, and for interactive use, that's true. The embedded system is set up with a blank password mainly during development and testing because it's a handy way to do automated testing using shell scripts running on the development host. The password prompt breaks that.

--
Grant Edwards, grant.b.edwards at gmail.com
Yow! I would like to urinate in an OVULAR, porcelain pool