On Fri, 4 Apr 2008, Rob Landley wrote:
On Thursday 03 April 2008 21:32:05 sindi keesan wrote:
On Thu, 3 Apr 2008, Rob Landley wrote:
On Thursday 03 April 2008 16:13:43 sindi keesan wrote:
I don't know where shadow came from or why it appears not to work.
It came from the original setup, where root and user had blank passwords.
Apparently the busybox passwd changed the passwords in passwd but not in
shadow, and dropbear looked at shadow but not at passwd to decide that my
passwords were blank. When I boot and log in, passwd seems to be
consulted, not shadow. Maybe someone would like to patch dropbear to look
at BOTH files (passwd as well as shadow) before deciding there are blank
passwords?
It's more that the spec says that _if_ there is a shadow file, the password
should live there. They only live in /etc/passwd on systems that haven't got
shadow password support.
When I log in, why does my system consult passwd and not shadow?
So your system was in a weird state. Not really dropbear's bug.
Our system is definitely weird. I seem to have made it worse.
I found dropbear at the uclibc site, which I was at because I was
compiling busybox, so if it is the busybox passwd (or adduser) that is
leaving shadow unchanged while changing passwd, someone else might end up
with the same problem as I have.
Busybox has a CONFIG entry for shadow password support or not. If it's
creating a shadow file when shadow password support is disabled, that's a
bug. (Last time I was involved in busybox was the 1.2.2 release...)
I compiled my own busybox and did not understand most of the questions.
Apparently it edited the passwd file without removing shadow. I don't
know why we even had a shadow file when we had no passwords - it came on
the 2-floppy download of our linux.
I told people on our list to delete shadow if they were having problems
with dropbear.
If you're using a version of busybox that's configured not to support shadow
passwords on a system that's configured to use shadow passwords, that's a
problem.
I have compiled 1.1.0 and 1.3.2 of busybox. I compiled without shadow
support. Some day I can redo this.
I think I ran the busybox passwd (or adduser?) to assign passwords.
In another version of this distro, I used a package provided by the
distro to create a user and assign passwords to user and root, and there
is no 'shadow' file there, and dropbear works 'out of the box' (once I
make the rsa key).
You used two different passwd programs, one of which supported shadow
passwords and one that didn't. You wound up with /etc in a fairly insane
state.
The shadow file was there before I added passwords. I used one program
per distro. Manually removing shadow fixed my problem.
My setup worked until now. (I am often surprised when things work).
If you were only using the busybox utilities, they sound like they were
configured to ignore /etc/shadow.
Yes. At least busybox is consistent even if I was not.
This distro is not intended to be highly secure. It is for older
hardware and to learn on.
It doesn't have to be secure, it just has to be consistent.
I will mention to others on the list that they need to remove shadow if
they add passwords to BL 2.
Or they could fix their busybox .config...
They are probably not using my busybox, which I compiled myself, but some
user-adding program from Slackware. The later version of our linux does
not come with shadow.
Linux security is a whole big issue of its own, worthy of at least a
semester-long undergraduate course.
Probably with some prerequisites. This is my first and only linux.
Have you read Linux From Scratch yet?
I have heard of it. The security site will take me a while to get
through.
http://www.linuxfromscratch.org/lfs/view/stable/
Then you can read the sequels:
http://www.linuxfromscratch.org/
Rob
--
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson.
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org
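
The mismatch discussed in this thread (a password set in /etc/passwd while /etc/shadow still holds a blank entry for the same account) can be checked for mechanically. The following is an added example, not part of the original messages and not code from busybox or dropbear; the function names, the finding labels and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the password field (2nd field) of a passwd file
# with the matching shadow entry and print one "user:finding" line per
# inconsistency. Function names and finding labels are hypothetical.
check_shadow_consistency() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    # No shadow file at all is a consistent state: passwd is authoritative.
    [ -f "$shadow_file" ] || shadow_file=/dev/null
    awk -F: '
        $1 == "" { next }                      # skip blank lines
        # First file (shadow): remember each account password field.
        FILENAME == ARGV[1] { spw[$1] = $2; seen[$1] = 1; next }
        # Second file (passwd): compare against what shadow holds.
        {
            user = $1; pw = $2
            if (pw == "x" && !(user in seen))
                print user ":no-shadow-entry"
            else if (pw == "x" && spw[user] == "")
                print user ":blank-in-shadow"
            else if (pw != "x" && (user in seen) && spw[user] != pw)
                # passwd was edited by a tool without shadow support while
                # shadow-aware programs still read the old shadow entry.
                print user ":split:" (spw[user] == "" ? "shadow-blank" : "shadow-differs")
        }
    ' "$shadow_file" "$passwd_file"
}

# Runs the check on constructed sample files (placeholder hash, not a real one).
run_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:$1$CONSTRUCTED$placeholderhash:0:0:root:/root:/bin/sh' \
        'user:x:1000:1000::/home/user:/bin/sh' \
        'ftp:x:14:50::/home/ftp:/bin/false' \
        'daemon:x:2:2::/:/bin/false' > "$dir/passwd"
    printf '%s\n' \
        'root::13972:0:99999:7:::' \
        'user::13972:0:99999:7:::' \
        'daemon:*:13972:0:99999:7:::' > "$dir/shadow"
    check_shadow_consistency "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

run_sample
```

Called with no arguments, `check_shadow_consistency` reads /etc/passwd and /etc/shadow, which normally requires root because of the shadow file's permissions.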