Hi there, Attached is a patch we've developed for dropbear within the Yocto Project to avoid the need to rebuild dropbear when we wish to disable the ability to log into accounts that have a blank password set. It removes the compile-time option and adds a -B command-line option which enables the functionality.
We'd really like to see this (or something like it) upstream. If an alternative implementation would be preferred please let me know. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre
# HG changeset patch
# User Paul Eggleton <[email protected]>
# Date 1360684377 0
# Node ID 92aea57140965ca60e40f99d485c14f0425afd90
# Parent 63f8d6c469cf51624c9a48dbac1f2ae9b4cd82b6
Allow configuring "allow blank password option" at runtime Changes this from a compile-time switch to a command-line option. Signed-off-by: Paul Eggleton <[email protected]>
diff -r 63f8d6c469cf -r 92aea5714096 options.h
--- a/options.h Thu May 17 00:26:12 2012 +0800
+++ b/options.h Tue Feb 12 15:52:57 2013 +0000
@@ -180,11 +180,6 @@
 #define ENABLE_SVR_PUBKEY_OPTIONS
 #endif
-/* Define this to allow logging in to accounts that have no password specified.
- * Public key logins are allowed for blank-password accounts regardless of this
- * setting. */
-/* #define ALLOW_BLANK_PASSWORD */
-
 #define ENABLE_CLI_PASSWORD_AUTH
 #define ENABLE_CLI_PUBKEY_AUTH
 #define ENABLE_CLI_INTERACT_AUTH
diff -r 63f8d6c469cf -r 92aea5714096 runopts.h
--- a/runopts.h Thu May 17 00:26:12 2012 +0800
+++ b/runopts.h Tue Feb 12 15:52:57 2013 +0000
@@ -89,6 +89,7 @@
 int noauthpass;
 int norootpass;
+ int allowblankpass;
 #ifdef ENABLE_SVR_REMOTETCPFWD
 int noremotetcp;
diff -r 63f8d6c469cf -r 92aea5714096 svr-auth.c
--- a/svr-auth.c Thu May 17 00:26:12 2012 +0800
+++ b/svr-auth.c Tue Feb 12 15:52:57 2013 +0000
@@ -154,8 +154,8 @@
 strncmp(methodname, AUTH_METHOD_NONE, AUTH_METHOD_NONE_LEN) == 0) {
 TRACE(("recv_msg_userauth_request: 'none' request"))
-#ifdef ALLOW_BLANK_PASSWORD
- if (!svr_opts.noauthpass
+ if (svr_opts.allowblankpass
+ && !svr_opts.noauthpass
 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
 && ses.authstate.pw_passwd[0] == '\0') {
@@ -167,7 +167,6 @@
 goto out;
 } else
-#endif
 {
 send_msg_userauth_failure(0, 0);
 goto out;
diff -r 63f8d6c469cf -r 92aea5714096 svr-authpasswd.c
--- a/svr-authpasswd.c Thu May 17 00:26:12 2012 +0800
+++ b/svr-authpasswd.c Tue Feb 12 15:52:57 2013 +0000
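Review bot: In svr-auth.c the rewritten condition in the 'none' branch (@@ -154 hunk) now carries the whole blank-password policy, but the comment that explained it was deleted from options.h and not re-homed. I would add above the `if`: `/* -B only: accept 'none' auth for an account with an empty password field, unless -s (or -g for root) is set; public key logins are unaffected */`. Because svr-runopts.c initialises `allowblankpass` to 0 the default stays fail-closed, which is worth saying in that comment as well. The lines between the two svr-auth.c hunks are not shown, so whether the success path writes a log entry cannot be judged from here; if it does not, a log line naming the account on a blank-password login would help auditing. The enclosing function starts and ends outside both hunks.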
@@ -29,6 +29,7 @@
 #include "buffer.h"
 #include "dbutil.h"
 #include "auth.h"
+#include "runopts.h"
 #ifdef ENABLE_SVR_PASSWORD_AUTH
diff -r 63f8d6c469cf -r 92aea5714096 svr-runopts.c
--- a/svr-runopts.c Thu May 17 00:26:12 2012 +0800
+++ b/svr-runopts.c Tue Feb 12 15:52:57 2013 +0000
@@ -63,6 +63,7 @@
 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
 "-s Disable password logins\n"
 "-g Disable password logins for root\n"
+ "-B Allow blank password logins\n"
 #endif
 #ifdef ENABLE_SVR_LOCALTCPFWD
 "-j Disable local port forwarding\n"
@@ -115,6 +116,7 @@
 svr_opts.norootlogin = 0;
 svr_opts.noauthpass = 0;
 svr_opts.norootpass = 0;
+ svr_opts.allowblankpass = 0;
 svr_opts.inetdmode = 0;
 svr_opts.portcount = 0;
 svr_opts.hostkey = NULL;
@@ -234,6 +236,9 @@
 case 'g':
 svr_opts.norootpass = 1;
 break;
+ case 'B':
+ svr_opts.allowblankpass = 1;
+ break;
 #endif
 case 'h':
 printhelp(argv[0]);
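Review bot: The only change shown for svr-authpasswd.c is `#include "runopts.h"`; no line in this hunk reads `svr_opts`, so as posted the include is either unused or the hunk that uses it is missing from the message. If the password-auth path in this file has its own empty-password handling (not visible here), it should be gated on `svr_opts.allowblankpass` in the same way as the 'none' branch in svr-auth.c, so that both paths apply the same policy at runtime. Otherwise the include can be dropped.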
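Review bot: The help line added in the @@ -63 hunk of svr-runopts.c does not tell the operator that -B weakens authentication or how it interacts with the neighbouring flags. Going by the condition in svr-auth.c, -B has no effect when -s is given and does not apply to root when -g is given, so I would spell that out: `"-B		Allow blank password logins (insecure; no effect with -s, nor for root with -g)\n"`. In the @@ -234 hunk, `case 'B'` sets the flag silently; a warning logged once at startup when `svr_opts.allowblankpass` is set would make the relaxed policy visible to whoever audits the host.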
