fieldrndservices / libssh2-labview

A LabVIEW library for SSH client support via libssh2
Apache License 2.0

Error when attempting to authenticate with an empty password #42

Closed JCarinanos closed 2 years ago

JCarinanos commented 2 years ago

Hi,

When you want to connect with SSH into a Linux embedded device and the user does not have a password, the toolkit gives you an error:

Error -8121 occurred at Toolkit.lvlib:Session.lvclass:Password Authentication.vi

I have to say that I tested setting a password and the library runs perfectly, and then I changed the password to empty and it ran OK. I don't know the difference between not password and empty but it could be a bug....

volks73 commented 2 years ago

Thank you for submitting an issue and your interest in this project.

> ...Linux embedded...

Is this a CompactRIO from NI? I have run into issues in the past with CompactRIOs that are running the NI Linux Real-Time OS and not setting a password for SSH access. There is some added security/notification information that NI does if a password has not been set but SSH access is enabled. Generally, creating a non-empty password has resolved similar issues for me in the past.

> Error -8121 occurred at Toolkit.lvlib:Session.lvclass:Password Authentication.vi

From the libssh2 C library, Error -8121 is an Authentication error for the libssh2_userauth_password_ex function that is used by the Password Authentication VI. This is not very useful to anyone, but I wanted to document it here for future reference. The error simply says the user/password or the public/private key failed.

> I don't know the difference between not password and empty...

I believe there is a difference between not setting a password and then setting the password to the empty string. Generally, having no password set is an initial configuration/first time running state and NI requests a password to be set. This toggles some flag internal to NI's SSH server running on the CompactRIO or similar device. An empty string password means a password has been set, but it is empty.

I will have to research this a little more, but are you able to connect and log into the Linux device via SSH from the command-line or PuTTY outside of the LabVIEW environment and this toolkit?

JCarinanos commented 2 years ago

Hi,

It is a card with this: https://www.variscite.com/product/system-on-module-som/cortex-a7/dart-6ul-freescale-imx-6ul/

I have been connected through PuTTY for send services:

    login as: root
    root@0FM666666A66:~#

Now I want to do the same but with LabVIEW to automate the script. I would like to have it without a password. Thanks

volks73 commented 2 years ago

Thank you for sharing the link and information about the embedded Linux computer you are using. I am not familiar with the board, but it should be possible to use this toolkit to connect to it via SSH.

Some additional questions:

  1. When you login using PuTTY, are you prompted for a password and just press ENTER?
  2. Have you tried passwordless authentication with a public/private key without a passphrase?
  3. Are you receiving the error with any of the examples provided by this toolkit, specifically the Password Authentication example?
  4. Would it be possible to provide a VI Snippet of the LabVIEW code you are using to connect to the Linux board?

Since I don't have the board you are using, I will try to re-create the problem with a Raspberry Pi instead of a CompactRIO. This may have to wait until later this week (Nov 15th to 19th) due to my availability.

JCarinanos commented 2 years ago

Sorry, but I have been too busy these days. I am going to answer you:

  1. Not even that, I just enter the user and it does not ask me for a password.
  2. I don't do this.
  3. I have used Password Authentication and in this example I have had the problem.
  4. I have only used the example to try to understand the libraries and I don't try to do my own code.

volks73 commented 2 years ago

I have investigated this further and may have figured out the root cause of the issue. I don't think this is a bug in the LabVIEW, libssh2lv shared library, or libssh2 shared library implementations. It is a limitation in the password authentication mechanism versus the interactive keyboard authentication.

Why an empty password is not working

There are actually two password authentication mechanisms supported by libssh2, which is the "core" or underlying implementation used by this LabVIEW toolkit. The first is "password". A username and password are supplied by some mechanism, command line argument, environment variable, password manager/keyring, etc., before a connection is established with the remote device. The second is "interactive". When using PuTTY or a command line-based client to connect to a remote SSH server, this is the mechanism used that provides the prompt to type a password. Note, PuTTY is not necessarily a "standard" SSH client. It handles keys and passwords differently from other common command line-based clients, like the OpenSSH client application available on nearly all UNIX-like systems (and available on newer versions of Windows 10).

The "interactive" authentication mechanism allows the user to hit the enter key when prompted for a password without typing anything else. Thus, an empty password is possible. However, the "password" authentication mechanism does not support an empty password. The string length is zero, so nothing is transmitted and authentication fails. I did not dig into the details of the "interactive" mechanism to know why empty passwords work for this authentication mechanism because I am not even sure it is possible to re-create this functionality in LabVIEW and if it is even needed. The "interactive" mechanism is meant to be a fallback when the "password" or "public/private key" authentication mechanisms fail and a human is executing the commands from a terminal, not really meant for automation or scripts. My guess is that the "interactive" mechanism simply passes all key strokes directly to the remote SSH server and does not inspect the content or count the characters.

I have compiled, modified, and experimented with the ssh2_echo example from the libssh2 project with a CompactRIO that does have an empty password. This was to isolate the issue and determine if it was a bug within this project or a limitation of the libssh2 library. Through my experiments, this appears to be a limitation of the "password" authentication mechanism within the libssh2 project. Note, it is not a bug in the libssh2 code as blocking empty passwords is viewed as a secure implementation.

Recommendation

An empty password is not secure nor recommended by anyone (NI, the libssh2 developers, or myself). You should set a non-empty password for the admin/root user, even if it is just "password". If you want to securely automate some scripts but avoid password management, then the best practice is to use public/private key authentication with no passphrase. This is a one time setup that is basically: create a public/private key pair and store the public key on the remote device (cRIO or your Freescale Dart device). This is Item 2 from my previous comment. Public/Private key authentication without a passphrase should be supported by this library.
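
When password authentication fails as described in the comment above, the client's verbose log shows which mechanisms the server actually offers. The following is an added example, not code from this thread, the toolkit or libssh2: it reads `ssh -v` output and reports which mechanism an unattended client should plan for. The log excerpts are constructed, the function names are hypothetical, and the patterns assume the OpenSSH client's `Authentications that can continue:` and `Authentication succeeded (method)` debug lines.

```python
import re

# Constructed `ssh -v` excerpts (OpenSSH client debug format); not from the issue.
LOG_INTERACTIVE = """\
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
"""
LOG_NONE = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentication succeeded (none).
"""

OFFERED = re.compile(r"Authentications that can continue: (\S+)")
SUCCEEDED = re.compile(r"Authentication succeeded \(([\w-]+)\)")


def offered_methods(log):
    """Method names the server advertised in its auth-failure replies."""
    names = set()
    for match in OFFERED.finditer(log):
        names.update(n for n in match.group(1).split(",") if n)
    return names


def succeeded_method(log):
    """Method the server finally accepted, or None if the log shows no success."""
    match = SUCCEEDED.search(log)
    return match.group(1) if match else None


def triage(log):
    """Pick the mechanism an unattended client should plan for (hypothetical helper)."""
    offered = offered_methods(log)
    if succeeded_method(log) == "none":
        return "none-accepted"         # server checked no credential at all
    if "publickey" in offered:
        return "publickey"             # the route recommended above for automation
    if "password" in offered:
        return "password"              # usable once a non-empty password is set
    if "keyboard-interactive" in offered:
        return "keyboard-interactive"  # prompt-driven; "password" requests are refused
    return "unknown"


if __name__ == "__main__":
    for name, log in (("interactive", LOG_INTERACTIVE), ("none", LOG_NONE)):
        print(name, sorted(offered_methods(log)), triage(log))
```
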

volks73 commented 2 years ago

I am closing this issue as it appears to have been resolved, or at least a workaround is provided and the cause of the error has been determined but it cannot be fixed because of a fundamental, core implementation of the underlying libssh2 library.