[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices
bittorf at bluebottle.com
Thu Dec 24 16:25:04 EST 2015
* Michael Richardson <mcr at sandelman.ca> [24.12.2015 22:14]:
> 1) when the "default" key is being used, the box can be impersonated.
hmmm, it can - but you need another box on the same wire
with the same IP 192.168.1.1
> 2) if the user is "used" to a key mismatch, and they type their password in,
> the password has just been compromised.
at the moment the user *is* used to a key mismatch, because
every box comes up with 192.168.1.1 and another key.
> 3) if the user accepts the default keys, when the correct ones are generated,
> the user then has a key mismatch, again opening the possibility of
> an impersonation.
no - usually you change the IP and then you have to accept the new key.
i'am still not convinced that the "pre-key" is a bad idea.
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel