changeset 677:55b84e59aaad

Fix empty password immediate login
author Matt Johnston <matt@ucc.asn.au>
date Wed, 09 May 2012 22:51:59 +0800
parents 0edf08895a33
children 6e0899b56ac4
files options.h svr-auth.c svr-authpasswd.c
diffstat 3 files changed, 4 insertions(+), 11 deletions(-) [+]
line wrap: on
line diff
--- a/options.h	Wed May 09 22:37:04 2012 +0800
+++ b/options.h	Wed May 09 22:51:59 2012 +0800
@@ -179,8 +179,7 @@
 
 /* Define this to allow logging in to accounts that have no password specified.
  * Public key logins are allowed for blank-password accounts regardless of this
- * setting.  PAM is not affected by this setting, it uses the normal pam.d
- * settings ('nullok' option) */
+ * setting. */
 /* #define ALLOW_BLANK_PASSWORD */
 
 #define ENABLE_CLI_PASSWORD_AUTH
--- a/svr-auth.c	Wed May 09 22:37:04 2012 +0800
+++ b/svr-auth.c	Wed May 09 22:51:59 2012 +0800
@@ -155,9 +155,10 @@
 				AUTH_METHOD_NONE_LEN) == 0) {
 		TRACE(("recv_msg_userauth_request: 'none' request"))
 #ifdef ALLOW_BLANK_PASSWORD
+		TRACE(("pw_passwd '%s'", ses.authstate.pw_passwd))
 		if (!svr_opts.noauthpass 
 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
-				&& ses.authstate.pw_passwd == '\0') 
+				&& ses.authstate.pw_passwd[0] == '\0') 
 		{
 			dropbear_log(LOG_NOTICE, 
 					"Auth succeeded with blank password for '%s' from %s",
--- a/svr-authpasswd.c	Wed May 09 22:37:04 2012 +0800
+++ b/svr-authpasswd.c	Wed May 09 22:51:59 2012 +0800
@@ -39,7 +39,6 @@
 	char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
 	char * testcrypt = NULL; /* crypt generated from the user's password sent */
 	unsigned char * password;
-	int success_blank = 0;
 	unsigned int passwordlen;
 
 	unsigned int changepw;
@@ -68,19 +67,13 @@
 
 	/* check for empty password */
 	if (passwdcrypt[0] == '\0') {
-#ifdef ALLOW_BLANK_PASSWORD
-		if (passwordlen == 0) {
-			success_blank = 1;
-		}
-#else
 		dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
 				ses.authstate.pw_name);
 		send_msg_userauth_failure(0, 1);
 		return;
-#endif
 	}
 
-	if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) {
+	if (strcmp(testcrypt, passwdcrypt) == 0) {
 		/* successful authentication */
 		dropbear_log(LOG_NOTICE, 
 				"Password auth succeeded for '%s' from %s",