[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Michael Richardson mcr at sandelman.ca
Thu Dec 24 15:58:13 EST 2015


Bastian Bittorf <bittorf at bluebottle.com> wrote:
    >> >while we are at it: what about including default private keys for SSH
    >> >till the real keys are generated? it can last several minutes on some
    >> >routers and it feels like the box is broken. also: if really something
    >> >goes wrong during key generating we can at least login.
    >>
    >> So make it double unsafe - great idea ;)

    > Please say more about this. The initial key generation is only
    > active while the password is still unset. I don't see an insecure
    > thing here, do you?

1) when the "default" key is being used, the box can be impersonated.

2) if the user is "used" to a key mismatch, and they type their password in,
   the password has just been compromised.

3) if the user accepts the default keys, when the correct ones are generated,
   the user then has a key mismatch, again opening the possibility of
   an impersonation.

A better approach is that the ssh daemon should start, open port 22, and then
do SSHv2 transport mode up to the key-exchange, and then just respond to
keep alives, ideally with a message to "Please stand by", if we can find
a way to do that in-protocol. (wow. it's been 18 years since I worked at ssh...)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
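The "please stand by" idea above can be done in-protocol without offering any host key at all: RFC 4253 lets a server send SSH_MSG_DISCONNECT (message type 1) in an unencrypted binary packet right after the identification-string exchange, before key exchange starts, and OpenSSH clients print the description string. The following is an added illustration, not code from this thread, OpenWrt or dropbear: a placeholder responder that sends its banner, reads the client's identification line, answers with a disconnect whose description says keys are still being generated, and closes. The software name in the banner and the wording of the message are assumptions. Because nothing before key exchange is authenticated, this is only a status signal; the client never sees a host key, so there is nothing for it to pin and no later mismatch.

```python
"""Placeholder SSH responder: answer the client's identification string with an
in-protocol SSH_MSG_DISCONNECT saying host keys are still being generated.
Added example, not OpenWrt/dropbear code. Framing follows RFC 4253 sections 4.2, 6 and 11.1."""
import os
import socket
import struct
import threading

SSH_MSG_DISCONNECT = 1
SSH_DISCONNECT_BY_APPLICATION = 11          # RFC 4253 section 11.1 reason code
SERVER_BANNER = b"SSH-2.0-standby_0.1\r\n"   # assumed placeholder software name
STANDBY_TEXT = "Host keys are still being generated, please stand by"  # assumed wording


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_disconnect_payload(reason: int, description: str, language: str = "") -> bytes:
    """SSH_MSG_DISCONNECT: byte type, uint32 reason, string description, string language tag."""
    return (bytes([SSH_MSG_DISCONNECT]) + struct.pack(">I", reason)
            + ssh_string(description.encode("utf-8")) + ssh_string(language.encode("ascii")))


def frame_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Binary packet with no cipher and no MAC: uint32 packet_length, byte padding_length,
    payload, at least 4 bytes of random padding; total length a multiple of 8."""
    padding = block_size - ((5 + len(payload)) % block_size)
    if padding < 4:
        padding += block_size
    body = bytes([padding]) + payload + os.urandom(padding)
    return struct.pack(">I", len(body)) + body


def parse_packet(data: bytes) -> bytes:
    """Strip the unencrypted framing and return the payload."""
    (packet_length,) = struct.unpack(">I", data[:4])
    padding = data[4]
    if packet_length < padding + 1 or len(data) < 4 + packet_length:
        raise ValueError("truncated or malformed packet")
    return data[5:4 + packet_length - padding]


def parse_disconnect(payload: bytes):
    """Return (reason, description, language) from an SSH_MSG_DISCONNECT payload."""
    if not payload or payload[0] != SSH_MSG_DISCONNECT:
        raise ValueError("not an SSH_MSG_DISCONNECT")
    (reason,) = struct.unpack(">I", payload[1:5])
    offset, fields = 5, []
    for _ in range(2):                       # description, then language tag
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        fields.append(payload[offset:offset + length].decode("utf-8"))
        offset += length
    return reason, fields[0], fields[1]


def read_line(sock: socket.socket) -> bytes:
    """Read one CR/LF terminated line; the identification exchange is line based."""
    line = b""
    while not line.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        line += chunk
    return line.strip()


def serve_standby(listener: socket.socket) -> None:
    """Accept one client, exchange identification strings, send the disconnect, close.
    No host key is ever offered, so the client has nothing to pin."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(SERVER_BANNER)
        while True:                          # RFC 4253 4.2: skip non-identification lines
            line = read_line(conn)
            if not line or line.startswith(b"SSH-"):
                break
        conn.sendall(frame_packet(build_disconnect_payload(
            SSH_DISCONNECT_BY_APPLICATION, STANDBY_TEXT)))


def run_demo():
    """Run the responder and a minimal client over loopback; return what the client saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port for the demo, not 22
    listener.listen(1)
    thread = threading.Thread(target=serve_standby, args=(listener,), daemon=True)
    thread.start()
    with socket.create_connection(listener.getsockname()) as client:
        banner = read_line(client)
        client.sendall(b"SSH-2.0-demo_client\r\n")
        header = client.recv(4)
        (length,) = struct.unpack(">I", header)
        body = b""
        while len(body) < length:
            body += client.recv(length - len(body))
        reason, description, _ = parse_disconnect(parse_packet(header + body))
    thread.join()
    listener.close()
    return banner.decode(), reason, description


if __name__ == "__main__":
    print(run_demo())
```

Pointing a real `ssh` client at the demo port shows the message as "Received disconnect from 127.0.0.1 port N:11: Host keys are still being generated, please stand by" and exits, with no known_hosts entry written. A production version would stop listening on the placeholder socket the moment the real daemon has keys, so the two never race for the port.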

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel