[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Bastian Bittorf bittorf at bluebottle.com
Thu Dec 24 16:25:04 EST 2015

* Michael Richardson <mcr at sandelman.ca> [24.12.2015 22:14]:
> 1) when the "default" key is being used, the box can be impersonated.

hmmm, it can - but you need another box on the same wire
with the same IP

> 2) if the user is "used" to a key mismatch, and they type their password in,
>    the password has just been compromised.

at the moment the user *is* used to a key mismatch, because
every box comes up with another key.

> 3) if the user accepts the default keys, when the correct ones are generated,
>    the user then has a key mismatch, again opening the possibility of
>    an impersonation.

no - usually you change the IP and then you have to accept the new key.

i'm still not convinced that the "pre-key" is a bad idea.

bye, bastian
