Hi,

> When I ssh to the openssh server using an account with an empty
> password, I see that the auth method "none" succeeds. When I ssh
> to the dropbear server, it ends up using auth method "password" with
> an empty password. Can somebody lend me a clue as to what I need to
> do to make dropbear act like openssh/telnetd/login in the case where
> a user's password is empty?

The way SSH auth works is that whenever the client sends an auth request the server responds with either "success" or failure with a list of valid auth methods. So the normal way is that a client requests "none" auth, the server fails with a list of methods that can be used, then the client tries "password" etc.

I assume what OpenSSH is doing is looking whether the user has a blank password at the first "none" request, and sending "success" straight away. That seems sensible enough to me, Dropbear should probably do the same so it can be like rshd :)

Have a look at svr-auth.c, search for AUTH_METHOD_NONE. I think the checkusername() test needs to move before the 'none' test (that populates ses.authstate.pw_passwd among other things). Then the "none" test can apply the same logic for ALLOW_BLANK_PASSWORD as svr_auth_password().

That's a 2 minute look at how Dropbear could be modified, there might be some caveats I haven't noticed. Patches accepted or I might try to get it done for the next release.

Cheers,
Matt
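
The ordering described in the mail above, as an added example that is not part of the original message and is not Dropbear code: a small model of a server answering a "none" request, where the user is resolved first and "none" succeeds only for a blank password with blank logins enabled. The names handle_none, lookup, struct account and struct reply are hypothetical, the accounts are constructed, and allow_blank stands in for ALLOW_BLANK_PASSWORD.

```c
/* Added illustration: a simplified model of the server side, not Dropbear source. */
#include <stddef.h>
#include <string.h>

struct account { const char *name; const char *pw_hash; }; /* "" = blank password */
struct reply { int success; const char *methods; };        /* methods: offered on failure */

/* Constructed sample accounts. */
static const struct account accounts[] = {
    { "guest", "" },
    { "alice", "$6$constructed$notarealhash" },
};

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Answer a "none" auth request. allow_blank stands in for the
 * ALLOW_BLANK_PASSWORD option named in the mail. */
struct reply handle_none(const char *username, int allow_blank) {
    struct reply fail = { 0, "password" };
    struct reply ok = { 1, NULL };
    /* Resolve the user before the "none" decision so the password
     * field is available to test. */
    const struct account *acct = lookup(username);
    if (acct == NULL)
        return fail;           /* unknown user: same failure as any other */
    if (allow_blank && acct->pw_hash[0] == '\0')
        return ok;             /* blank password and blank logins enabled */
    return fail;               /* client must continue with a listed method */
}
```

With allow_blank set to 0 the blank-password account gets the same failure reply as every other account, so the "none" shortcut stays opt-in.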