This's a hardcoded check in checkusername() that won't
allow an empty password crypt since that's a common
misconfiguration.

--- dropbear-0.49/svr-auth.c.orig	2007-08-08 12:47:40.000000000 +0200
+++ dropbear-0.49/svr-auth.c	2007-08-08 12:47:46.000000000 +0200
@@ -123,7 +123,7 @@ void recv_msg_userauth_request() {
 		m_free(methodname);
 		dropbear_exit("unknown service in auth");
 	}
-
+#if 0
 	/* user wants to know what methods are supported */
 	if (methodlen == AUTH_METHOD_NONE_LEN &&
 			strncmp(methodname, AUTH_METHOD_NONE,
@@ -132,6 +132,7 @@ void recv_msg_userauth_request() {
 		send_msg_userauth_failure(0, 0);
 		goto out;
 	}
+#endif
 	
 	/* check username is good before continuing */
 	if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
@@ -141,6 +142,7 @@ void recv_msg_userauth_request() {
 		goto out;
 	}
 
+#if 0
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 	if (!svr_opts.noauthpass &&
 			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
@@ -153,7 +155,10 @@ void recv_msg_userauth_request() {
 		}
 	}
 #endif
+#endif
+	send_msg_userauth_success();
 
+#if 0
 #ifdef ENABLE_SVR_PAM_AUTH
 	if (!svr_opts.noauthpass &&
 			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
@@ -179,6 +184,7 @@ void recv_msg_userauth_request() {
 
 	/* nothing matched, we just fail */
 	send_msg_userauth_failure(0, 1);
+#endif
 
 out:
 
@@ -237,6 +243,7 @@ static int checkusername(unsigned char *
 	}
 
 	/* check for an empty password */
+#if 0
 	if (ses.authstate.pw->pw_passwd[0] == '\0') {
 		TRACE(("leave checkusername: empty pword"))
 		dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected",
@@ -244,7 +251,7 @@ static int checkusername(unsigned char *
 		send_msg_userauth_failure(0, 1);
 		return DROPBEAR_FAILURE;
 	}
-
+#endif
 	TRACE(("shell is %s", ses.authstate.pw->pw_shell))
 
 	/* check that the shell is set */