On Wed, Aug 08, 2007 at 09:53:12AM +0200, Giuseppe Cavallaro wrote:
> Just another question:
> 
> Is it possible to totally skip authentication phase with dropbear?
> I mean, using telnet or ssh (but configuring the latter) I'm able to login
> without entering password and login.
> In this case my root entry in passwd is root::0:0 ...

There's a hardcoded check in checkusername() that won't
allow an empty password crypt since that's a common
misconfiguration. If the user has an OK entry in /etc/passwd
though, you can make Dropbear skip auth fairly easily, see
the patch below.

Matt

--- svr-auth.c  dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3
+++ svr-auth.c  70235853e723eb3b7557be219aace2406ed45bb1
@@ -124,15 +124,6 @@ void recv_msg_userauth_request() {
                dropbear_exit("unknown service in auth");
        }
 
-       /* user wants to know what methods are supported */
-       if (methodlen == AUTH_METHOD_NONE_LEN &&
-                       strncmp(methodname, AUTH_METHOD_NONE,
-                               AUTH_METHOD_NONE_LEN) == 0) {
-               TRACE(("recv_msg_userauth_request: 'none' request"))
-               send_msg_userauth_failure(0, 0);
-               goto out;
-       }
-       
        /* check username is good before continuing */
        if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
                /* username is invalid/no shell/etc - send failure */
@@ -141,45 +132,8 @@ void recv_msg_userauth_request() {
                goto out;
        }
 
-#ifdef ENABLE_SVR_PASSWORD_AUTH
-       if (!svr_opts.noauthpass &&
-                       !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) 
) {
-               /* user wants to try password auth */
-               if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-                               strncmp(methodname, AUTH_METHOD_PASSWORD,
-                                       AUTH_METHOD_PASSWORD_LEN) == 0) {
-                       svr_auth_password();
-                       goto out;
-               }
-       }
-#endif
+       send_msg_userauth_success();
 
-#ifdef ENABLE_SVR_PAM_AUTH
-       if (!svr_opts.noauthpass &&
-                       !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) 
) {
-               /* user wants to try password auth */
-               if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-                               strncmp(methodname, AUTH_METHOD_PASSWORD,
-                                       AUTH_METHOD_PASSWORD_LEN) == 0) {
-                       svr_auth_pam();
-                       goto out;
-               }
-       }
-#endif
-
-#ifdef ENABLE_SVR_PUBKEY_AUTH
-       /* user wants to try pubkey auth */
-       if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
-                       strncmp(methodname, AUTH_METHOD_PUBKEY,
-                               AUTH_METHOD_PUBKEY_LEN) == 0) {
-               svr_auth_pubkey();
-               goto out;
-       }
-#endif
-
-       /* nothing matched, we just fail */
-       send_msg_userauth_failure(0, 1);
-
 out:
 
        m_free(username);
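Review bot: The added `send_msg_userauth_success();` runs for every request that passes checkusername(), so with this patch any account with a usable passwd entry, root included, is accepted without a credential on whatever address the server listens on, and nothing in the build or the log marks that. If this is meant only for a closed development target, keep the removed method dispatch and put the shortcut behind an explicit build option that is off by default, e.g. `#ifdef SKIP_AUTH_PLACEHOLDER` / `send_msg_userauth_success(); goto out;` / `#endif`, where the macro name is a placeholder and not an existing Dropbear option. A comment above the call such as `/* NO AUTHENTICATION: every valid user is accepted; only for isolated test targets */` would make the intent visible to the next reader. methodname and methodlen appear to be left unused once the comparisons are gone, and the function body starts and ends outside the hunk.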
