Giuseppe Cavallaro | 8 Aug 09:53 2007

Re: dropbear authentication

Hi

On 08/08/2007, Matt Johnston <matt <at> ucc.asn.au> wrote:
> On Wed, Aug 08, 2007 at 08:25:00AM +0200, Giuseppe Cavallaro wrote:
> > Hi All,
> > how can I login as root user with an empty password?
> > Do I need to hack the code or I have to configure dropbear in "special" way?
>
> It already should work.
>
> As a test, I set up the root user on an Ubuntu 7.04 system
> to have an entry in /etc/shadow of
> root:R7gIX4dJJcCFw:13612:0:99999:7:::
> and it worked fine. "R7gIX4dJJcCFw" is just the crypt of an
> empty password - the Linux password utility wouldn't let me
> set it manually.

Thanks, it works like a charm!

> You still have to press enter in your client to log in -
> Dropbear 0.50's dbclient will provide the ability to set
> DROPBEAR_PASSWORD="" and avoid that.
> I assume you're running this on a closed network or
> something -- otherwise it'd be a tad insecure.

I'm using dropbear 0.49 on an embedded system based on uClibc with a private network (p2p).

----
Just another question:

Is it possible to totally skip authentication phase with dropbear?
I mean, using telnet or ssh (but configuring the latter) I'm able to login without entering password and login.
In this case my root entry in passwd is root::0:0 ...

Thanks a lot
Ciao
Giuseppe

> Matt

Giuseppe Cavallaro | 8 Aug 10:07 2007

Re: dropbear authentication

Sorry, maybe I was not clear enough in my previous post.
So below is an example:

  [root@host]# telnet -l root 164.130.129.174  <<<   target IP Addr
  Trying 164.130.129.174...
  Connected to SH_target (164.130.129.174).
  Escape character is '^]'.
  Last login: Sun Jul 22 10:05:47 from 10.52.139.42
  Linux cavagiu 2.6.17.14_sh4_uclibc #1 Tue Jul 31 21:54:50 CEST 2007 sh4 unknown   unknown GNU/Linux

  root@target:~#



Matt Johnston | 8 Aug 10:12 2007

Re: dropbear authentication

On Wed, Aug 08, 2007 at 09:53:12AM +0200, Giuseppe Cavallaro wrote:
> Just another question:
> 
> Is it possible to totally skip authentication phase with dropbear?
> I mean, using telnet or ssh (but configuring the latter) I'm able to login
> without entering password and login.
> In this case my root entry in passwd is root::0:0 ...

There's a hardcoded check in checkusername() that won't
allow an empty password crypt since that's a common
misconfiguration. If the user has an OK entry in /etc/passwd
though, you can make Dropbear skip auth fairly easily, see
the patch below.

Matt

--- svr-auth.c	dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3
+++ svr-auth.c	70235853e723eb3b7557be219aace2406ed45bb1
 <at>  <at>  -124,15 +124,6  <at>  <at>  void recv_msg_userauth_request() {
 		dropbear_exit("unknown service in auth");
 	}

-	/* user wants to know what methods are supported */
-	if (methodlen == AUTH_METHOD_NONE_LEN &&
-			strncmp(methodname, AUTH_METHOD_NONE,
-				AUTH_METHOD_NONE_LEN) == 0) {
-		TRACE(("recv_msg_userauth_request: 'none' request"))
-		send_msg_userauth_failure(0, 0);
-		goto out;
-	}
-	
 	/* check username is good before continuing */
 	if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
 		/* username is invalid/no shell/etc - send failure */
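Review bot: Deleting the 'none' branch at the top of this hunk is unconditional, so every build that carries the patch stops answering a 'none' request with send_msg_userauth_failure(0, 0) and lets it run on to checkusername(). Keep the branch and put the bypass behind an #ifdef, so a stock build still treats 'none' as a query for the supported methods.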
 <at>  <at>  -141,45 +132,8  <at>  <at>  void recv_msg_userauth_request() {
 		goto out;
 	}

-#ifdef ENABLE_SVR_PASSWORD_AUTH
-	if (!svr_opts.noauthpass &&
-			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
-		/* user wants to try password auth */
-		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-				strncmp(methodname, AUTH_METHOD_PASSWORD,
-					AUTH_METHOD_PASSWORD_LEN) == 0) {
-			svr_auth_password();
-			goto out;
-		}
-	}
-#endif
+	send_msg_userauth_success();

-#ifdef ENABLE_SVR_PAM_AUTH
-	if (!svr_opts.noauthpass &&
-			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
-		/* user wants to try password auth */
-		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-				strncmp(methodname, AUTH_METHOD_PASSWORD,
-					AUTH_METHOD_PASSWORD_LEN) == 0) {
-			svr_auth_pam();
-			goto out;
-		}
-	}
-#endif
-
-#ifdef ENABLE_SVR_PUBKEY_AUTH
-	/* user wants to try pubkey auth */
-	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
-			strncmp(methodname, AUTH_METHOD_PUBKEY,
-				AUTH_METHOD_PUBKEY_LEN) == 0) {
-		svr_auth_pubkey();
-		goto out;
-	}
-#endif
-
-	/* nothing matched, we just fail */
-	send_msg_userauth_failure(0, 1);
-
 out:

 	m_free(username);
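Review bot: send_msg_userauth_success() now runs for every username that passes checkusername(), uid 0 included, and the svr_opts.noauthpass and svr_opts.norootpass tests removed in this hunk no longer restrict anything. Wrap the replacement in an #ifdef so the password, PAM and pubkey branches stay the default build, and log each unauthenticated grant (a dropbear_log(LOG_WARNING, ...) line before the success message) so these sessions show up in the logs.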

Giuseppe Cavallaro | 8 Aug 11:17 2007

Re: dropbear authentication

Hi Matt,
It works fine if I set root:R7gIX4dJJcCFw:... in passwd file.
So I'd like to have the same scenario but using root::... in passwd.
Is it possible?

Thanks a lot for your excellent support,
Giuseppe




Giuseppe Cavallaro | 8 Aug 11:32 2007

Re: dropbear authentication

I can do that if I comment out the following check in checkusername().
I'm not sure if it's a better way; I wonder if it's worth using an extra option (i.e. permit_empty_passwd) like ssh does.

        /* check for an empty password */
#if 0
        if (ses.authstate.pw->pw_passwd[0] == '\0') {
                TRACE(("leave checkusername: empty pword"))
                dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected",
                                ses.authstate.printableuser);
                send_msg_userauth_failure(0, 1);
                return DROPBEAR_FAILURE;
        }
#endif
        TRACE(("shell is %s", ses.authstate.pw->pw_shell))




Matt Johnston | 8 Aug 11:37 2007

Re: dropbear authentication

On Wed, Aug 08, 2007 at 11:32:37AM +0200, Giuseppe Cavallaro wrote:
> I can do that if in the checkusername I comment the following check.
> I'm not sure if it's a better way; I wonder if it's worth using an extra
> option (i.e. permit_empty_passwd)
> like ssh does.

Yep, that should work fine.

I don't think it's really worth making it a runtime option,
though maybe I'll make it a compile-time option settable in
options.h

Or people can find it here in the mailing list archives :)

Cheers,
Matt
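
The distinction this thread turns on, a blank password field versus a non-empty field holding the crypt of an empty password, can be audited with a small classifier. This is an added example, not Dropbear code and not something posted to the list; classify_entry, count_passwordless and the sample lines are hypothetical, and the only empty-password hash it recognises is the one quoted earlier in the thread.

```c
/* Added example, not Dropbear code: classify passwd/shadow password fields. */
#include <stdio.h>
#include <string.h>

enum pw_state { PW_MALFORMED, PW_BLANK, PW_SHADOWED, PW_LOCKED, PW_EMPTY_HASH, PW_HASHED };
/* Hashes that verify against "". Only the value quoted in the thread is listed;
 * assumption: a fuller audit would compare crypt("", field) with the field. */
static const char *const EMPTY_HASHES[] = { "R7gIX4dJJcCFw" };

/* Constructed sample entries in the forms the thread discusses. */
static const char *const SAMPLE[] = {
    "root::0:0:root:/root:/bin/sh",
    "root:R7gIX4dJJcCFw:13612:0:99999:7:::",
    "daemon:*:13612:0:99999:7:::",
    "user:x:1000:1000::/home/user:/bin/sh",
};

enum pw_state classify_entry(const char *line) {
    const char *start = strchr(line, ':');
    const char *end = start ? strchr(start + 1, ':') : NULL;
    if (end == NULL)
        return PW_MALFORMED;        /* fewer than two ':' separators */
    start++;
    size_t len = (size_t)(end - start);
    if (len == 0)
        return PW_BLANK;            /* the case checkusername() rejects */
    if (len == 1 && *start == 'x')
        return PW_SHADOWED;         /* real field lives in /etc/shadow */
    if (*start == '!' || *start == '*')
        return PW_LOCKED;           /* no password can match these */
    for (size_t i = 0; i < sizeof EMPTY_HASHES / sizeof EMPTY_HASHES[0]; i++)
        if (strlen(EMPTY_HASHES[i]) == len && !strncmp(start, EMPTY_HASHES[i], len))
            return PW_EMPTY_HASH;   /* non-empty field, empty password */
    return PW_HASHED;
}

/* Number of entries that accept a login with no real password. */
int count_passwordless(const char *const *lines, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        enum pw_state s = classify_entry(lines[i]);
        hits += (s == PW_BLANK || s == PW_EMPTY_HASH);
    }
    return hits;
}

int main(void) {
    printf("%d of 4 sample entries need no real password\n", count_passwordless(SAMPLE, 4));
    return 0;
}
```

A check that only tests for a blank field, like the one in checkusername(), reports the first sample entry and passes the second.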

Giuseppe Cavallaro | 8 Aug 11:49 2007

Re: dropbear authentication

Sounds good!!

Also attached is the patch file I'm applying to dropbear-0.49.

Thanks
Giuseppe


Attachment (dropbear_noauth.patch): application/octet-stream, 2528 bytes
