Mercurial > dropbear
changeset 628:d40f3cc47aed
- Add ALLOW_BLANK_PASSWORD option
- Don't reject blank-password logins via public key
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 26 Oct 2011 15:49:47 +0000 |
| parents | 7cc34a52feb8 |
| children | bdadc7f4b97d |
| files | options.h svr-auth.c svr-authpasswd.c |
| diffstat | 3 files changed, 26 insertions(+), 24 deletions(-) [+] |
line wrap: on
line diff
--- a/options.h Thu Oct 20 13:45:43 2011 +0000 +++ b/options.h Wed Oct 26 15:49:47 2011 +0000 @@ -158,10 +158,11 @@ /* Authentication Types - at least one required. RFC Draft requires pubkey auth, and recommends password */ -/* Note: PAM auth is quite simple, and only works for PAM modules which just do +/* Note: PAM auth is quite simple and only works for PAM modules which just do * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). - * It's useful for systems like OS X where standard password crypts don't work, - * but there's an interface via a PAM module - don't bother using it otherwise. + * It's useful for systems like OS X where standard password crypts don't work + * but there's an interface via a PAM module. It won't work for more complex + * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ #define ENABLE_SVR_PASSWORD_AUTH @@ -175,6 +176,12 @@ #define ENABLE_SVR_PUBKEY_OPTIONS #endif +/* Define this to allow logging in to accounts that have no password specified. + * Public key logins are allowed for blank-password accounts regardless of this + * setting. PAM is not affected by this setting, it uses the normal pam.d + * settings ('nullok' option) */ +/* #define ALLOW_BLANK_PASSWORD */ + #define ENABLE_CLI_PASSWORD_AUTH #define ENABLE_CLI_PUBKEY_AUTH #define ENABLE_CLI_INTERACT_AUTH
--- a/svr-auth.c Thu Oct 20 13:45:43 2011 +0000 +++ b/svr-auth.c Wed Oct 26 15:49:47 2011 +0000 @@ -249,15 +249,6 @@ return DROPBEAR_FAILURE; } - /* check for an empty password */ - if (ses.authstate.pw_passwd[0] == '\0') { - TRACE(("leave checkusername: empty pword")) - dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", - ses.authstate.pw_name); - send_msg_userauth_failure(0, 1); - return DROPBEAR_FAILURE; - } - TRACE(("shell is %s", ses.authstate.pw_shell)) /* check that the shell is set */
--- a/svr-authpasswd.c Thu Oct 20 13:45:43 2011 +0000 +++ b/svr-authpasswd.c Wed Oct 26 15:49:47 2011 +0000 @@ -42,6 +42,7 @@ char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ char * testcrypt = NULL; /* crypt generated from the user's password sent */ unsigned char * password; + int success_blank = 0; unsigned int passwordlen; unsigned int changepw; @@ -60,16 +61,6 @@ passwdcrypt = DEBUG_HACKCRYPT; #endif - /* check for empty password - need to do this again here - * since the shadow password may differ to that tested - * in auth.c */ - if (passwdcrypt[0] == '\0') { - dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", - ses.authstate.pw_name); - send_msg_userauth_failure(0, 1); - return; - } - /* check if client wants to change password */ changepw = buf_getbool(ses.payload); if (changepw) { @@ -85,7 +76,21 @@ m_burn(password, passwordlen); m_free(password); - if (strcmp(testcrypt, passwdcrypt) == 0) { + /* check for empty password */ + if (passwdcrypt[0] == '\0') { +#ifdef ALLOW_BLANK_PASSWORD + if (passwordlen == 0) { + success_blank = 1; + } +#else + dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", + ses.authstate.pw_name); + send_msg_userauth_failure(0, 1); + return; +#endif + } + + if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) { /* successful authentication */ dropbear_log(LOG_NOTICE, "Password auth succeeded for '%s' from %s", @@ -99,7 +104,6 @@ svr_ses.addrstring); send_msg_userauth_failure(0, 1); } - } #endif