authorMatt Johnston <matt@ucc.asn.au>2011-10-26 15:49:47 +0000
committerMatt Johnston <matt@ucc.asn.au>2011-10-26 15:49:47 +0000
commit29e68e9d79dd41e9be0d1d731e132355d1ea8ba6 (patch)
tree591ff1059caf7dc3a8e9d6d94340013ff70a3ba3 /svr-authpasswd.c
parentc1fe2ec5ae8b96e905009d46a7a914b304fa18c8 (diff)
- Add ALLOW_BLANK_PASSWORD option
- Don't reject blank-password logins via public key --HG-- extra : convert_revision : 2d4bb3ecb013a7be47a7b470fc6b23e653a43dfb
Diffstat (limited to 'svr-authpasswd.c')
-rw-r--r--svr-authpasswd.c28
1 files changed, 16 insertions, 12 deletions
diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index a29fd63..54b4889 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -42,6 +42,7 @@ void svr_auth_password() {
char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
char * testcrypt = NULL; /* crypt generated from the user's password sent */
unsigned char * password;
+ int success_blank = 0;
unsigned int passwordlen;
unsigned int changepw;
@@ -60,16 +61,6 @@ void svr_auth_password() {
passwdcrypt = DEBUG_HACKCRYPT;
#endif
- /* check for empty password - need to do this again here
- * since the shadow password may differ to that tested
- * in auth.c */
- if (passwdcrypt[0] == '\0') {
- dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
- ses.authstate.pw_name);
- send_msg_userauth_failure(0, 1);
- return;
- }
-
/* check if client wants to change password */
changepw = buf_getbool(ses.payload);
if (changepw) {
@@ -85,7 +76,21 @@ void svr_auth_password() {
m_burn(password, passwordlen);
m_free(password);
- if (strcmp(testcrypt, passwdcrypt) == 0) {
+ /* check for empty password */
+ if (passwdcrypt[0] == '\0') {
+#ifdef ALLOW_BLANK_PASSWORD
+ if (passwordlen == 0) {
+ success_blank = 1;
+ }
+#else
+ dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
+ ses.authstate.pw_name);
+ send_msg_userauth_failure(0, 1);
+ return;
+#endif
+ }
+
+ if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) {
/* successful authentication */
dropbear_log(LOG_NOTICE,
"Password auth succeeded for '%s' from %s",
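Review bot: With ALLOW_BLANK_PASSWORD defined, a non-empty password sent for an account whose `passwdcrypt` is empty leaves `success_blank` at 0 and falls through to `strcmp(testcrypt, passwdcrypt)`, where `testcrypt` was presumably produced by a crypt() call above the hunk that used the empty string as its salt. Some crypt() implementations return NULL for an invalid salt, so that comparison may dereference NULL on the pre-authentication path; guarding it, e.g. `if (success_blank || (testcrypt != NULL && strcmp(testcrypt, passwdcrypt) == 0)) {`, or sending the failure explicitly inside the blank-password block, would avoid depending on crypt()'s behaviour. The success branch also emits the same "Password auth succeeded" line for a blank-password login, so a distinct message when `success_blank` is set would let log review pick out passwordless logins. The body of svr_auth_password starts and ends outside this hunk, so the crypt() call is inferred rather than visible here.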
@@ -99,7 +104,6 @@ void svr_auth_password() {
svr_ses.addrstring);
send_msg_userauth_failure(0, 1);
}
-
}
#endif