Matt,
Changed as per your suggestion and it worked perfectly well. Thanx for that.

The only problem I have now is that the entire process is really slow
until I get the login. It takes about 90 secs for me to get the shell.
(With or without the changes for my own interpreter). After I get
login everything is pretty fast. The size of the SSH key is 1024 bit.
(512 bytes reduces the time by about 60 secs).

Doing a quick check, the majority of the time taken was in the mp_exptmod()
routine, with each call taking around 25 secs. I am running my
processor (MicroBlaze) at about 60 MHz with hardware multiplier, divider
enabled.

From your knowledge, is there any way to accelerate this in software,
or is the only way to speed this up hardware acceleration?

Thanx
- Prasad

On 7/17/06, Matt Johnston <[EMAIL PROTECTED]> wrote:
On Mon, Jul 17, 2006 at 09:53:52PM -0700, Prasad wrote:
> Hi Matt,
> Thanx for the response. I changed as u suggested and put dummy
> password authentication and it worked.
>
> Now I have a question. Actually the commandline interpreter I call has
> its own username and password authentication (which doesn't use
> /etc/passwd). So now I want to totally skip the regular username and
> password in the SSH and directly call my commandline interpreter
> (which has a password authentication by itself). How do I achieve that?
> Are there any security flaws in this kinda design?

Something like the patch below should work for setting a
hardcoded user and allowing authentication immediately.

I think it should be secure, as long as you make sure that
you're ignoring requests for different commands from the
user (which will get passed as arguments to your
interpreter), and your interpreter itself is secure.

Matt


#
# old_revision [b59d9b3648d8fc72e8702a1013a1c6926d46ab2e]
#
# patch "svr-auth.c"
#  from [dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3]
#    to [2bf6cc2b096ba97f0614119414b9cd25a73fddfb]
#
============================================================
--- svr-auth.c  dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3
+++ svr-auth.c  2bf6cc2b096ba97f0614119414b9cd25a73fddfb
@@ -108,7 +108,10 @@
        }


-       username = buf_getstring(ses.payload, &userlen);
+       /* fake the username */
+       username = m_strdup("matt");
+       buf_eatstring(ses.payload);
+
        servicename = buf_getstring(ses.payload, &servicelen);
        methodname = buf_getstring(ses.payload, &methodlen);

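Review bot: the account name is a string literal at username = m_strdup("matt"); in the middle of the auth handler; a named compile-time constant, with the whole bypass under its own #ifdef, would make it visible in the build that this server maps every client to one local account. With the buf_getstring(ses.payload, &userlen) call gone, userlen is never assigned, so any remaining use of it in this function has to switch to the length of the fixed name. The name the client actually sent is dropped by buf_eatstring() without being logged, which loses a detail that is useful in the auth log.
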
@@ -134,52 +137,16 @@
        }

        /* check username is good before continuing */
-       if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
+       if (checkusername(username, strlen(username)) == DROPBEAR_FAILURE) {
                /* username is invalid/no shell/etc - send failure */
                TRACE(("sending checkusername failure"))
                send_msg_userauth_failure(0, 1);
                goto out;
        }

-#ifdef ENABLE_SVR_PASSWORD_AUTH
-       if (!svr_opts.noauthpass &&
-                       !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) 
) {
-               /* user wants to try password auth */
-               if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-                               strncmp(methodname, AUTH_METHOD_PASSWORD,
-                                       AUTH_METHOD_PASSWORD_LEN) == 0) {
-                       svr_auth_password();
-                       goto out;
-               }
-       }
-#endif
-
-#ifdef ENABLE_SVR_PAM_AUTH
-       if (!svr_opts.noauthpass &&
-                       !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) 
) {
-               /* user wants to try password auth */
-               if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-                               strncmp(methodname, AUTH_METHOD_PASSWORD,
-                                       AUTH_METHOD_PASSWORD_LEN) == 0) {
-                       svr_auth_pam();
-                       goto out;
-               }
-       }
-#endif
-
-#ifdef ENABLE_SVR_PUBKEY_AUTH
-       /* user wants to try pubkey auth */
-       if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
-                       strncmp(methodname, AUTH_METHOD_PUBKEY,
-                               AUTH_METHOD_PUBKEY_LEN) == 0) {
-               svr_auth_pubkey();
-               goto out;
-       }
-#endif
-
-       /* nothing matched, we just fail */
-       send_msg_userauth_failure(0, 1);
-
+       /* allow login */
+       dropbear_log(LOG_NOTICE, "fake auth succeeded from %s", 
svr_ses.addrstring);
+       send_msg_userauth_success();
 out:

        m_free(username);
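
Review bot: from the "/* allow login */" line on, send_msg_userauth_success() is reached for every userauth request that passes checkusername(), whatever method the client names, so the SSH layer no longer authenticates anyone and the interpreter's own login is the only gate. That deserves a comment at this spot and a compile-time switch so a normal build cannot pick the change up by accident. The removed branches also carried the noauthpass and norootpass checks, so the hardcoded account should be an unprivileged one. checkusername() still runs, so the fixed account has to exist with a valid shell or every connection gets send_msg_userauth_failure().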




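Matt's caveat about ignoring client-requested commands, as an added example (not code from this thread or from Dropbear): an interpreter entry point that refuses any command-line arguments, since that is how such a request would reach it, and then runs its own login with a bounded number of attempts. The names interpreter_gate and MAX_ATTEMPTS and the credentials are hypothetical, and the plaintext comparison stands in for a stored-hash check.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATTEMPTS 3 /* assumption: attempt limit chosen for this example */

/* Read one line without its newline; 0 on EOF or an over-long line. */
static int read_line(FILE *in, char *buf, size_t n) {
    if (!fgets(buf, (int)n, in)) return 0;
    size_t len = strlen(buf);
    if (len == 0 || buf[len - 1] != '\n') return 0;
    buf[len - 1] = '\0';
    return 1;
}

/* Compare without stopping at the first mismatch. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Returns 1 if the session may reach the command loop, 0 otherwise.
   argc > 1 means the SSH server handed over a client-requested command;
   with SSH auth bypassed that request is unauthenticated, so refuse it. */
int interpreter_gate(int argc, FILE *in, const char *user, const char *pass) {
    char u[64], p[64];
    if (argc > 1) return 0;
    for (int i = 0; i < MAX_ATTEMPTS; i++) {
        if (!read_line(in, u, sizeof u) || !read_line(in, p, sizeof p))
            return 0;
        if (ct_equal(u, user) & ct_equal(p, pass)) /* both always evaluated */
            return 1;
    }
    return 0; /* attempts exhausted: end the session */
}

int main(int argc, char **argv) {
    (void)argv; /* arguments are never interpreted */
    /* constructed credentials; a real interpreter would check a stored hash */
    if (!interpreter_gate(argc, stdin, "operator", "example-only")) {
        fputs("access denied\n", stderr);
        return 1;
    }
    puts("interpreter ready");
    return 0;
}
```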