Homebrew / homebrew-core

🍻 Default formulae for the missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

dropbear password-based authentication fails #82060

Closed dstromberg closed 3 years ago

dstromberg commented 3 years ago

brew gist-logs <formula> link OR brew config AND brew doctor output

The dropbear build in homebrew works fine with RSA authentication, but fails to authenticate using a password.

To fix the problem:
--- default_options.h.t 2021-07-28 07:12:53.000000000 -0700
+++ default_options.h   2021-07-28 07:13:21.000000000 -0700
@@ -193,7 +193,7 @@

 /* Authentication Types - at least one required.
    RFC Draft requires pubkey auth, and recommends password */
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
+#define DROPBEAR_SVR_PASSWORD_AUTH 0

 /* Note: PAM auth is quite simple and only works for PAM modules which just do
  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
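Review bot: The DROPBEAR_SVR_PASSWORD_AUTH change is made by editing default_options.h directly, and on its own it leaves pubkey as the only enabled server auth type until the next hunk is applied. The file's own header, quoted later in this thread, says local customisation belongs in localoptions.h (or -DDROPBEAR_XXX in CFLAGS), so carry "#define DROPBEAR_SVR_PASSWORD_AUTH 0" there together with the PAM define rather than patching the defaults file.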
@@ -201,7 +201,7 @@
  * but there's an interface via a PAM module. It won't work for more complex
  * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
-#define DROPBEAR_SVR_PAM_AUTH 0
+#define DROPBEAR_SVR_PAM_AUTH 1

 /* ~/.ssh/authorized_keys authentication */
 #define DROPBEAR_SVR_PUBKEY_AUTH 1
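Review bot: Setting DROPBEAR_SVR_PAM_AUTH to 1 here is not self-contained: the reporter's fix also needs the build configured with --enable-pam, which appears only as a separate command after the patch, and the comment above the define forbids enabling it together with PASSWORD, so it is only valid alongside the previous hunk. Record both dependencies in the patch description, and note the comment's stated limit that PAM support covers only modules doing a simple "Login: " / "Password: " exchange.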

..and:
./configure --enable-pam && make

What were you trying to do (and why)?

I'm attempting to set up dropbear ssh on a mac, for testing something.

For some reason, password authentication consistently fails for the account I'm trying: testacct. If I set up RSA authentication for testacct, that works fine, but I need to use a password for the testing.

I have OpenSSH set up and running on the same system, so I have dropbear on an alternate port: tcp/2222.

If I log into testacct with a password, on tcp/22 (that is, using OpenSSH), things work fine.

What happened (include all command output)?

My dropbear invocation and messages look like:
$ /usr/local/sbin/dropbear -p 127.0.0.1:2222 -E -R -F
cmd output started 2021 Tue Jul 27 03:41:43 PM PDT
[3228] Jul 27 15:41:43 Not backgrounding
[3237] Jul 27 15:41:47 Child connection from 127.0.0.1:53525
[3237] Jul 27 15:41:50 Bad password attempt for 'testacct' from 127.0.0.1:53525
[3237] Jul 27 15:41:53 Bad password attempt for 'testacct' from 127.0.0.1:53525
[3237] Jul 27 15:41:55 Exit before auth from <127.0.0.1:53525>: (user 'testacct', 2 fails): Exited normally

And from the clients I see:
$ ssh -p 2222 testacct@127.0.0.1
testacct@127.0.0.1's password:
Permission denied, please try again.
testacct@127.0.0.1's password:
Permission denied, please try again.
testacct@127.0.0.1's password:

$ dbclient -p 2222 testacct@127.0.0.1
Host '127.0.0.1' is not in the trusted hosts file.
(ssh-ed25519 fingerprint sha1!! 6f:b7:50:8c:82:87:ce:bf:cc:fd:e3:48:63:12:60:9d:39:17:e2:97)
Do you want to continue connecting? (y/n) y
testacct@127.0.0.1's password:
testacct@127.0.0.1's password:
testacct@127.0.0.1's password:

What did you expect to happen?

A login session was expected.

Step-by-step reproduction instructions (by running brew commands)

I am using Dropbear v2020.81 from homebrew on macOS 11.5.1.

gromgit commented 3 years ago

Since you know what needs to be fixed, please open a PR to fix it. Useful documentation along these lines includes:

However, I'd also note that the file you're modifying (default_options.h) explicitly recommends not changing it directly:

default_options.h  documents compile-time options, and provides default values.

Local customisation should be added to localoptions.h which is
used if it exists in the build directory. Options defined there will override 
any options in this file.

Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS
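
Added example, not part of the thread and not Dropbear or Homebrew code: a preflight check for the localoptions.h approach described above, resolving the three server auth defines with localoptions.h overriding default_options.h and enforcing the header's two rules (at least one auth type, never PASSWORD and PAM together). The sample tree is constructed from the values in the diff above, the function names are hypothetical, and -D overrides in CFLAGS are not considered.

```shell
#!/bin/sh
# Added example: check Dropbear server auth options before building.

# opt_value NAME FILE...: print the last "#define NAME <value>" seen; later files win.
opt_value() {
    name=$1; shift
    awk -v n="$name" '$1 == "#define" && $2 == n { v = $3 } END { print (v == "" ? 0 : v) }' "$@"
}

# check_auth_options DIR: print the effective settings; non-zero status on a bad mix.
check_auth_options() {
    dir=$1
    set -- "$dir/default_options.h"
    if [ -f "$dir/localoptions.h" ]; then set -- "$@" "$dir/localoptions.h"; fi
    pw=$(opt_value DROPBEAR_SVR_PASSWORD_AUTH "$@")
    pam=$(opt_value DROPBEAR_SVR_PAM_AUTH "$@")
    pk=$(opt_value DROPBEAR_SVR_PUBKEY_AUTH "$@")
    echo "password=$pw pam=$pam pubkey=$pk"
    if [ "$pw" = 1 ] && [ "$pam" = 1 ]; then
        echo "error: PASSWORD and PAM auth are both enabled" >&2; return 1
    fi
    if [ "$pw$pam$pk" = 000 ]; then
        echo "error: no authentication type enabled" >&2; return 2
    fi
}

# Constructed sample: the three defaults from the diff, with their pre-patch values.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    cat > "$d/default_options.h" <<'EOF'
#define DROPBEAR_SVR_PASSWORD_AUTH 1
#define DROPBEAR_SVR_PAM_AUTH 0
#define DROPBEAR_SVR_PUBKEY_AUTH 1
EOF
    echo "$d"
}

# write_pam_overrides DIR: the reporter's two changes, carried in localoptions.h.
write_pam_overrides() {
    cat > "$1/localoptions.h" <<'EOF'
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#define DROPBEAR_SVR_PAM_AUTH 1
EOF
}

tree=$(make_sample_tree)
check_auth_options "$tree"                                 # defaults only
write_pam_overrides "$tree" && check_auth_options "$tree"  # with overrides
rm -rf "$tree"
```

Overriding only DROPBEAR_SVR_PAM_AUTH in localoptions.h leaves the default PASSWORD setting at 1, which the check rejects with status 1.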

dstromberg commented 3 years ago

Is "brew bump-formula-pr" truly what I need? https://newbedev.com/homebrew/manpage seems to say that it's just for updating a URL or tag.

Either way, is there an example of adding a file to a homebrew package? I hunted around in homebrew-core, and found some file creations, but they all seemed to be in test or install.

And then how do you test prior to PR?

Thanks!

SMillerDev commented 3 years ago

Is "brew bump-formula-pr" truly what I need?

No, you'll need to read more of the page gromgit linked. There is an explanation there how to create a pull request. That page should also describe what validation to do.

dstromberg commented 3 years ago

I'm afraid I should be relaxing instead of studying homebrew and learning ruby. And I don't think my employer wants me working on this kind of thing while on the clock.

If you have more targeted documentation, I'm open to studying that. I know a lot of Python, bash and C, plus some autoconf, make and git. I have little interest in picking up Ruby - it seems like a dying language.

My immediate problem is solved. Anything beyond that is just to help out others, which is nice, but only if it doesn't take too much time. The thing I like the most is time.

SMillerDev commented 3 years ago

If your employer only wants open source because it's free and doesn't want to give anything back there is nothing we can do about that.

carlocab commented 3 years ago

There's very little Ruby you need to know to contribute fixes to a formula. You don't even need to study Ruby to do it.

Feel free to open a draft PR that doesn't quite work -- we're happy to help you finish it off.