[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Michael Richardson mcr at sandelman.ca
Thu Dec 24 16:01:00 EST 2015

Bastian Bittorf <bittorf at bluebottle.com> wrote:
    >> > while we are at it: what about including default private keys for SSH
    >> > till the real keys are generated? it can last several minutes on some
    >> > routers and it feels like the box is broken. also: if really something
    >> > goes wrong during key generating we can at least login.
    >> you have a very bizarre understanding of securing a device.

    > in this stage the box is still without password.

okay.  So the impersonator machine lets the user in without a password, and
the impersonator machine has ALREADY connected to the new machine with no
password, and trojan'ed some binaries.

    > the only issue i can think of is, that one can
    > read on the wire to which password somebody changes
    > with 'passwd' - but i'am pretty sure this is not
    > the case, because each session has it's own privacy.

No, since the impersonator (MITM) has involved itself with the session.
Effectively, the MITM creates:

             ssh mitm 'tee /badguy | ssh target'

(but, bidirectionally, and inside the SSH transport layer)

A new ICMP port-unreachable code would be nice to have here.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 481 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20151224/cac5ffee/attachment.sig>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list