[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices
Michael Richardson
mcr at sandelman.ca
Thu Dec 24 16:01:00 EST 2015
Bastian Bittorf <bittorf at bluebottle.com> wrote:
>> > while we are at it: what about including default private keys for SSH
>> > till the real keys are generated? it can last several minutes on some
>> > routers and it feels like the box is broken. also: if really something
>> > goes wrong during key generating we can at least login.
>>
>> you have a very bizarre understanding of securing a device.
> in this stage the box is still without password.
okay. So the impersonator machine lets the user in without a password, and
the impersonator machine has ALREADY connected to the new machine with no
password, and trojan'ed some binaries.
> the only issue i can think of is, that one can
> read on the wire to which password somebody changes
> with 'passwd' - but I'm pretty sure this is not
> the case, because each session has its own privacy.
No, since the impersonator (MITM) has involved itself with the session.
Effectively, the MITM creates:
ssh mitm 'tee /badguy | ssh target'
(but, bidirectionally, and inside the SSH transport layer)
A new ICMP port-unreachable code would be nice to have here.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
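The thread's underlying point is that SSH host key verification only protects against the MITM sketched above if the host key is unique to the device and the client has pinned it; a default key shipped in every firmware image is a key the impersonator also holds. The following is an added example, not code from this thread or from OpenWrt, showing the client-side check: it parses an OpenSSH public key line, computes the SHA256 fingerprint the way `ssh-keygen -lf` prints it, and classifies the presented key against a pinned fingerprint and a set of fingerprints of keys known to be shipped in images. All key material, `SHIPPED_FINGERPRINTS` and the helper names are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _make_ed25519_line(seed: int, comment: str) -> str:
    """Build a constructed 'ssh-ed25519 <base64> <comment>' line.
    The 32 key bytes are synthetic filler, not real key material."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Parse '<type> <base64blob> [comment]' and return (type, raw blob).
    Rejects lines whose declared type differs from the type embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to hold a type string")
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen]
    if embedded != declared.encode():
        raise ValueError(f"type mismatch: line says {declared!r}, blob says {embedded!r}")
    return declared, blob


def fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(presented: str, pinned_fp: str | None, shipped_fps: set[str]) -> str:
    """Classify the host key a device presented during connection setup.

    'shared-default': the key is one shipped in firmware images, so anyone holding the
                      image can impersonate the device (the concern raised in the thread).
    'first-seen':     nothing pinned yet; this is the trust-on-first-use decision point.
    'mismatch':       a pinned fingerprint exists and differs (possible MITM or reflash).
    'ok':             matches the pinned fingerprint.
    """
    fp = fingerprint(presented)
    if fp in shipped_fps:
        return "shared-default"
    if pinned_fp is None:
        return "first-seen"
    if fp != pinned_fp:
        return "mismatch"
    return "ok"


# Constructed sample keys (hypothetical; none of these are real device keys).
FACTORY_DEFAULT_KEY = _make_ed25519_line(1, "shipped-in-image (constructed)")
DEVICE_KEY = _make_ed25519_line(7, "generated-on-first-boot (constructed)")
IMPERSONATOR_KEY = _make_ed25519_line(42, "impersonator (constructed)")

# Hypothetical list of fingerprints of keys known to ship inside firmware images.
SHIPPED_FINGERPRINTS = {fingerprint(FACTORY_DEFAULT_KEY)}


if __name__ == "__main__":
    pinned = fingerprint(DEVICE_KEY)
    for label, key in [("factory default", FACTORY_DEFAULT_KEY),
                       ("device", DEVICE_KEY),
                       ("impersonator", IMPERSONATOR_KEY)]:
        print(f"{label:16} {fingerprint(key)} -> {check_host_key(key, pinned, SHIPPED_FINGERPRINTS)}")
```

The `shared-default` branch is checked before the pinned comparison on purpose: a key that every image carries should be rejected even when it matches what was pinned earlier, because pinning it only records that the device was never given a key of its own.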