[OpenWrt-Devel] [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

[edgar.soldin at web.de]

hey All,

On 2/15/2018 20:50, Magnus Kroken wrote:
>>> This is just about the default configuration, it's not a choice between conflicting compile time options with varying security implications. While key authentication may be best practice, allowing SSH password logins isn't on the level of reimplementing LuCI in PHP 4. The change is *literally* a handful of sed commands, why can't advanced users take care of that themselves? Why do we want to make it easier to build a soft-bricking image than it is today?
>>
>>
>> Conversely, why can’t advanced users have a clear, standardized way of doing this?  That they’re “advanced” doesn’t mean they don’t also appreciate convenience, an easy way to save and export/import configurations, etc.
> 
> I'm not against general development, improvement or standardization of config handling. I'm against the default state of the patch that started this mail thread. The convenience of this patch opens up a new way to break the convenience of failsafe on a lot of devices, and I don't think many people would expect the particular package selection to cause such a behavior. I consider failsafe to be more important. You've already addressed that in your pull request, and I'm in favor of "this should be configurable at build time, but the default behavior should not change". How that is implemented is a different matter, which so far I haven't thought much about.

i am following this PR since the start and hold the same reservations. how about a menuconfig option that allows you to activate this feature and allows to define a path to an 'authorized_keys' file.
implemented for all sshd packages this would squash all requirements into one solution, or not?

..ede
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel