On 2012-04-26, Matt Johnston <m...@ucc.asn.au> wrote:

> I assume what OpenSSH is doing is looking whether the user has a
> blank password at the first "none" request, and sending "success"
> straight away.

Ah, I had assumed that the process started out with the server sending a list of acceptable auth methods, and I couldn't find that anywhere. But, I gather that the client just starts sending various auth requests in whatever order it wants until it finds a winner.

> That seems sensible enough to me, Dropbear should probably do the
> same so it can be like rshd :)

I had forgotten about rsh/rlogin...

> Have a look at svr-auth.c , search for AUTH_METHOD_NONE. I think the
> checkusername() test needs to move before the 'none' test (that
> populates ses.authstate.pw_passwd among other things). Then the
> "none" test can apply the same logic for ALLOW_BLANK_PASSWORD as
> svr_auth_password().

I'll take a look and see what I can come up with.

> That's a 2 minute look at how Dropbear could be modified, there might
> be some caveats I haven't noticed. Patches accepted or I might try
> get it done for the next release.

It might seem that hitting "enter" at the password prompt isn't a big deal, and for interactive use, that's true. The embedded system is set up with a blank password mainly during development and testing because it's a handy way to automate testing using shell scripts running on the development host. The password prompt breaks that.

-- 
Grant Edwards               grant.b.edwards        Yow! I would like to
                                  at               urinate in an OVULAR,
                              gmail.com            porcelain pool
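The server-side decision Matt sketches above, written out as an added C model that is not Dropbear's code: the account lookup (the checkusername() step) runs before any method is evaluated, and the "none" method then succeeds only when blank passwords are enabled and the account's password field is genuinely empty; in every other case the server answers with a failure carrying the list of methods that can continue, which is how SSH userauth (RFC 4252) tells the client what to try next. All names in the block (account, lookup_account, handle_userauth, AUTH_*) are hypothetical, and the account table and its plaintext "secret" field are constructed sample data standing in for a real password database.

```c
/* Added example, not Dropbear's code: a model of the server-side handling
 * of SSH_MSG_USERAUTH_REQUEST with the ordering suggested in the thread.
 * All identifiers here are hypothetical. */
#include <stdio.h>
#include <string.h>

enum auth_result {
    AUTH_FAILURE,   /* reply with SSH_MSG_USERAUTH_FAILURE + methods list */
    AUTH_SUCCESS    /* reply with SSH_MSG_USERAUTH_SUCCESS */
};

struct account {
    const char *name;
    const char *secret;   /* constructed plaintext stand-in; "" = blank password */
    int         allowed;  /* nonzero if the account may log in at all */
};

/* Constructed sample accounts: "devboard" has a blank password,
 * "nologin" has a blank password but is disabled. */
static const struct account ACCOUNTS[] = {
    { "devboard", "",        1 },
    { "ops",      "hunter2", 1 },
    { "nologin",  "",        0 },
};

/* The checkusername() analogue: resolve the user before anything else. */
static const struct account *lookup_account(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, user) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

/* Decide one userauth request. On failure, *methods_out names the
 * methods the client may still try (the RFC 4252 "authentications that
 * can continue" list); it is left unchanged on success. */
enum auth_result handle_userauth(const char *user, const char *method,
                                 const char *password, int allow_blank,
                                 const char **methods_out)
{
    const struct account *acct = lookup_account(user);
    *methods_out = "publickey,password";

    /* Step 1: unknown or disabled accounts fail before any method logic,
     * so "none" can never short-circuit the account check. */
    if (acct == NULL || !acct->allowed)
        return AUTH_FAILURE;

    /* Step 2: "none" succeeds only with ALLOW_BLANK_PASSWORD-style
     * permission AND an actually empty password field. */
    if (strcmp(method, "none") == 0) {
        if (allow_blank && acct->secret[0] == '\0')
            return AUTH_SUCCESS;
        return AUTH_FAILURE;
    }

    /* Step 3: "password" applies the same blank-password rule; a real
     * server would verify a hash here instead of comparing strings. */
    if (strcmp(method, "password") == 0) {
        if (acct->secret[0] == '\0')
            return (allow_blank && password[0] == '\0') ? AUTH_SUCCESS
                                                        : AUTH_FAILURE;
        return strcmp(acct->secret, password) == 0 ? AUTH_SUCCESS
                                                   : AUTH_FAILURE;
    }

    return AUTH_FAILURE;  /* unsupported method: client sees the list */
}

int main(void)
{
    const char *methods = "";
    enum auth_result r = handle_userauth("devboard", "none", "", 1, &methods);
    printf("devboard/none with blank allowed: %s\n",
           r == AUTH_SUCCESS ? "success" : "failure");
    r = handle_userauth("ops", "none", "", 1, &methods);
    printf("ops/none: failure, can continue with: %s\n", methods);
    return 0;
}
```

With allow_blank set to 0 the "devboard" account is no longer reachable through "none" or an empty "password", which is the state an embedded image should ship in once the scripted development testing described in the thread is finished.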