Hi Paul, Thanks for that, I've committed it for the next release.
Cheers, Matt On Wed, Feb 20, 2013 at 04:51:14PM +0000, Paul Eggleton wrote:
> Hi there,
>
> Attached is a patch we've developed for dropbear within the Yocto Project to
> avoid the need to rebuild dropbear when we wish to disable the ability to log
> into accounts that have a blank password set. It removes the compile-time
> option and adds a -B command-line option which enables the functionality.
>
> We'd really like to see this (or something like it) upstream. If an
> alternative implementation would be preferred please let me know.
>
> Cheers,
> Paul
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
> # HG changeset patch
> # User Paul Eggleton <paul.eggle...@linux.intel.com>
> # Date 1360684377 0
> # Node ID 92aea57140965ca60e40f99d485c14f0425afd90
> # Parent 63f8d6c469cf51624c9a48dbac1f2ae9b4cd82b6
> Allow configuring "allow blank password option" at runtime
>
> Changes this from a compile-time switch to a command-line option.
>
> Signed-off-by: Paul Eggleton <paul.eggle...@linux.intel.com>
>
> diff -r 63f8d6c469cf -r 92aea5714096 options.h
> --- a/options.h Thu May 17 00:26:12 2012 +0800
> +++ b/options.h Tue Feb 12 15:52:57 2013 +0000
> @@ -180,11 +180,6 @@
> #define ENABLE_SVR_PUBKEY_OPTIONS
> #endif
>
> -/* Define this to allow logging in to accounts that have no password
> specified.
> - * Public key logins are allowed for blank-password accounts regardless of
> this
> - * setting. */
> -/* #define ALLOW_BLANK_PASSWORD */
> -
> #define ENABLE_CLI_PASSWORD_AUTH
> #define ENABLE_CLI_PUBKEY_AUTH
> #define ENABLE_CLI_INTERACT_AUTH
> diff -r 63f8d6c469cf -r 92aea5714096 runopts.h
> --- a/runopts.h Thu May 17 00:26:12 2012 +0800
> +++ b/runopts.h Tue Feb 12 15:52:57 2013 +0000
> @@ -89,6 +89,7 @@
>
> int noauthpass;
> int norootpass;
> + int allowblankpass;
>
> #ifdef ENABLE_SVR_REMOTETCPFWD
> int noremotetcp;
> diff -r 63f8d6c469cf -r 92aea5714096 svr-auth.c
> --- a/svr-auth.c Thu May 17 00:26:12 2012 +0800
> +++ b/svr-auth.c Tue Feb 12 15:52:57 2013 +0000
> @@ -154,8 +154,8 @@
> strncmp(methodname, AUTH_METHOD_NONE,
> AUTH_METHOD_NONE_LEN) == 0) {
> TRACE(("recv_msg_userauth_request: 'none' request"))
> -#ifdef ALLOW_BLANK_PASSWORD
> - if (!svr_opts.noauthpass
> + if (svr_opts.allowblankpass
> + && !svr_opts.noauthpass
> && !(svr_opts.norootpass &&
> ses.authstate.pw_uid == 0)
> && ses.authstate.pw_passwd[0] == '\0')
> {
> @@ -167,7 +167,6 @@
> goto out;
> }
> else
> -#endif
> {
> send_msg_userauth_failure(0, 0);
> goto out;
> diff -r 63f8d6c469cf -r 92aea5714096 svr-authpasswd.c
> --- a/svr-authpasswd.c Thu May 17 00:26:12 2012 +0800
> +++ b/svr-authpasswd.c Tue Feb 12 15:52:57 2013 +0000
> @@ -29,6 +29,7 @@
> #include "buffer.h"
> #include "dbutil.h"
> #include "auth.h"
> +#include "runopts.h"
>
> #ifdef ENABLE_SVR_PASSWORD_AUTH
>
> diff -r 63f8d6c469cf -r 92aea5714096 svr-runopts.c
> --- a/svr-runopts.c Thu May 17 00:26:12 2012 +0800
> +++ b/svr-runopts.c Tue Feb 12 15:52:57 2013 +0000
> @@ -63,6 +63,7 @@
> #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
> "-s Disable password
> logins\n"
> "-g Disable password logins
> for root\n"
> + "-B Allow blank password
> logins\n"
> #endif
> #ifdef ENABLE_SVR_LOCALTCPFWD
> "-j Disable local port
> forwarding\n"
> @@ -115,6 +116,7 @@
> svr_opts.norootlogin = 0;
> svr_opts.noauthpass = 0;
> svr_opts.norootpass = 0;
> + svr_opts.allowblankpass = 0;
> svr_opts.inetdmode = 0;
> svr_opts.portcount = 0;
> svr_opts.hostkey = NULL;
> @@ -234,6 +236,9 @@
> case 'g':
> svr_opts.norootpass = 1;
> break;
> + case 'B':
> + svr_opts.allowblankpass = 1;
> + break;
> #endif
> case 'h':
> printhelp(argv[0]);
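Review bot: In the svr-auth.c hunk at -154, the rewritten condition lets a 'none' request succeed with no credential once `svr_opts.allowblankpass` is set, and nothing at the condition says that this is the -B opt-in. A short comment above the `if`, such as `/* -B only: accept 'none' for accounts whose password field is empty */`, would make it harder to loosen the gate by accident. The lines between this hunk and the one at -167 are not shown, so it is worth confirming that the success path logs the account name, so that credential-less logins can be audited. The enclosing function starts and ends outside the hunk.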
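Review bot: The svr-authpasswd.c hunk adds `#include "runopts.h"`, but no hunk shown for this file reads `svr_opts`, so as posted the include looks unused. If the password method has its own empty-password check (not visible here), it would need to consult `svr_opts.allowblankpass` as well. Otherwise -B would only change the 'none' request in svr-auth.c, and the two authentication paths could disagree about blank-password accounts. Either include that hunk or drop the include.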
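Review bot: The `-B` help line added in the svr-runopts.c hunk at -63 is now the only description of the option. The caveat deleted from options.h, that public key logins are allowed for blank-password accounts regardless of this setting, is not carried over anywhere in the patch. I would put it on the new field in runopts.h, e.g. `int allowblankpass; /* -B: allow logging in to accounts that have no password specified; pubkey logins are unaffected */`. No hunk here updates the manual page, which should list -B too. The `case 'B':` hunk at -234 sits before an `#endif` whose opening guard is outside the hunk, so confirm it matches the guard around the help text.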