[OpenWrt-Devel] [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Philip Prindeville philipp_subx at redfish-solutions.com
Wed Feb 14 14:34:59 EST 2018

> On Feb 14, 2018, at 1:25 AM, Stijn Segers <foss at volatilesystems.org> wrote:
> Yousong Zhou <yszhou4tech at gmail.com> schreef op 14 februari 2018 09:06:11 CET:
>> No, it's just complicating things up.  When people really cares about
>> the default settings' security, the will override the default by also
>> specifying files/etc/ssh/sshd_config besides
>> files/root/.ssh/authorized_keys.  No need to pass on such complexity
>> as virtual packages and another config options for others.
>>               yousong
> This only applies to OpenSSH, not Dropbear right? So this won't affect stock images?
> We should consider people rolling their own and using OpenSSH by default. This might be a nasty surprise - flash, reboot, realise you're locked out.
> SSH access from WAN is disabled by default anyway, as is access to the web interface. We already switched from telnet to SSH for initial login. I don't see any gaping security holes... 
> On top of that, the project having a DIY spirit, if people start tinkering with SSH, they should know what they're doing. Just like when they start using LEDE/OpenWrt.
> My 2 cents
> Stijn

Yes, this would be for OpenSSH only… Dropbear has a UCI control that you can change.  (Yes, we could implement UCI for the 60 or so OpenSSH knobs, but it’s sufficiently complicated that people might end up locking themselves out via misconfiguration… so KISS)

Actually, SSH access from WAN is blocked by Firewall, but not “disabled by default”.  If your firewall settings get munged, then SSH is wide open (because by default it listens to which is unbound).  Not exactly “defense in depth”.

Once I was messing with firewall settings and accidentally disabled the firewall.  Within a few minutes, there were all sorts of password attacks on the WAN port.  Having a sufficiently complex password slowed things down long enough for me to re-secure the box.

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list