# HG changeset patch
# User Matt Johnston
# Date 1319644187 0
# Node ID d40f3cc47aedbb37a6329760954acb7d19090a8f
# Parent 7cc34a52feb8dcb023fcc3e28063dc3177ee0563
- Add ALLOW_BLANK_PASSWORD option
- Don't reject blank-password logins via public key
diff -r 7cc34a52feb8 -r d40f3cc47aed options.h
--- a/options.h	Thu Oct 20 13:45:43 2011 +0000
+++ b/options.h	Wed Oct 26 15:49:47 2011 +0000
@@ -158,10 +158,11 @@
 /* Authentication Types - at least one required. RFC Draft requires pubkey auth, and recommends password */
-/* Note: PAM auth is quite simple, and only works for PAM modules which just do
+/* Note: PAM auth is quite simple and only works for PAM modules which just do
  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
- * It's useful for systems like OS X where standard password crypts don't work,
- * but there's an interface via a PAM module - don't bother using it otherwise.
+ * It's useful for systems like OS X where standard password crypts don't work
+ * but there's an interface via a PAM module. It won't work for more complex
+ * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
 #define ENABLE_SVR_PASSWORD_AUTH
@@ -175,6 +176,12 @@
 #define ENABLE_SVR_PUBKEY_OPTIONS
 #endif
+/* Define this to allow logging in to accounts that have no password specified.
+ * Public key logins are allowed for blank-password accounts regardless of this
+ * setting. PAM is not affected by this setting, it uses the normal pam.d
+ * settings ('nullok' option) */
+/* #define ALLOW_BLANK_PASSWORD */
+
 #define ENABLE_CLI_PASSWORD_AUTH
 #define ENABLE_CLI_PUBKEY_AUTH
 #define ENABLE_CLI_INTERACT_AUTH
diff -r 7cc34a52feb8 -r d40f3cc47aed svr-auth.c
--- a/svr-auth.c	Thu Oct 20 13:45:43 2011 +0000
+++ b/svr-auth.c	Wed Oct 26 15:49:47 2011 +0000
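Review bot: The new ALLOW_BLANK_PASSWORD comment in the second options.h hunk explains the mechanism but not the exposure, which is what an operator needs before defining it: once it is on, any account whose password field is empty can be entered by anyone who can reach the server, with no credential presented at all. I would add a line to that comment block, e.g. ` * WARNING: with this defined, anyone able to connect can log in to any account whose password field is empty; leave it undefined unless such accounts are deliberately open.` It would also help to say that the check now lives only in the password-auth path (svr-authpasswd.c), since the generic blank-password rejection in checkusername() is removed by the svr-auth.c hunk of this same commit and readers of options.h will not see that.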
@@ -249,15 +249,6 @@
 		return DROPBEAR_FAILURE;
 	}
-	/* check for an empty password */
-	if (ses.authstate.pw_passwd[0] == '\0') {
-		TRACE(("leave checkusername: empty pword"))
-		dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
-				ses.authstate.pw_name);
-		send_msg_userauth_failure(0, 1);
-		return DROPBEAR_FAILURE;
-	}
-
 	TRACE(("shell is %s", ses.authstate.pw_shell))
 	/* check that the shell is set */
diff -r 7cc34a52feb8 -r d40f3cc47aed svr-authpasswd.c
--- a/svr-authpasswd.c	Thu Oct 20 13:45:43 2011 +0000
+++ b/svr-authpasswd.c	Wed Oct 26 15:49:47 2011 +0000
@@ -42,6 +42,7 @@
 	char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
 	char * testcrypt = NULL; /* crypt generated from the user's password sent */
 	unsigned char * password;
+	int success_blank = 0;
 	unsigned int passwordlen;
 	unsigned int changepw;
@@ -60,16 +61,6 @@
 	passwdcrypt = DEBUG_HACKCRYPT;
 #endif
-	/* check for empty password - need to do this again here
-	 * since the shadow password may differ to that tested
-	 * in auth.c */
-	if (passwdcrypt[0] == '\0') {
-		dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
-				ses.authstate.pw_name);
-		send_msg_userauth_failure(0, 1);
-		return;
-	}
-
 	/* check if client wants to change password */
 	changepw = buf_getbool(ses.payload);
 	if (changepw) {
@@ -85,7 +76,21 @@
 	m_burn(password, passwordlen);
 	m_free(password);
-	if (strcmp(testcrypt, passwdcrypt) == 0) {
+	/* check for empty password */
+	if (passwdcrypt[0] == '\0') {
+#ifdef ALLOW_BLANK_PASSWORD
+		if (passwordlen == 0) {
+			success_blank = 1;
+		}
+#else
+		dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
+				ses.authstate.pw_name);
+		send_msg_userauth_failure(0, 1);
+		return;
+#endif
+	}
+
+	if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) {
 		/* successful authentication */
 		dropbear_log(LOG_NOTICE,
 				"Password auth succeeded for '%s' from %s",
@@ -99,7 +104,6 @@
 				svr_ses.addrstring);
 		send_msg_userauth_failure(0, 1);
 	}
-
 }
 #endif
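Review bot: In the @@ -85 hunk, with ALLOW_BLANK_PASSWORD defined and a non-empty password sent for a blank-password account, the new `if (passwdcrypt[0] == '\0')` block sets nothing and falls through to `strcmp(testcrypt, passwdcrypt)` with passwdcrypt equal to "", so the result depends entirely on what crypt() produced for an empty salt; that call is outside this hunk, and on libcs where crypt() returns NULL for an unusable salt the comparison would dereference NULL instead of rejecting. I would reject that case explicitly inside the #ifdef branch rather than rely on the comparison, logging it the way the other failure path in the @@ -99 hunk does. The enclosing function starts and ends outside this hunk. The rejection is correctly placed after m_burn()/m_free(), so the early return does not leave the cleartext password in memory; a one-line comment saying so would stop someone from "optimising" the check back above the burn.
```c
	/* check for empty password */
	if (passwdcrypt[0] == '\0') {
#ifdef ALLOW_BLANK_PASSWORD
		if (passwordlen == 0) {
			success_blank = 1;
		} else {
			/* Blank account but a non-empty password was sent: reject here
			 * rather than fall through to strcmp() against an empty salt,
			 * where the value crypt() produced is libc-dependent. */
			dropbear_log(LOG_WARNING,
					"Bad password attempt for blank-password account '%s' from %s",
					ses.authstate.pw_name, svr_ses.addrstring);
			send_msg_userauth_failure(0, 1);
			return;
		}
#else
		/* … unchanged: reject blank-password accounts … */
#endif
	}
	/* … unchanged: success_blank || strcmp() comparison … */
```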