[OpenWrt-Devel] Removing Telnet

Steven Barth cyrus at openwrt.org
Wed Sep 9 02:10:18 EDT 2015


Hello Michael,

That is interesting, though I guess since these are mainly our defaults
it shouldn't be too hard for someone manufacturing to change the config
and re-add a simple init-script for telnetd if that is really required.

Lack of entropy doesn't seem to be too much of an issue here, in fact
in failsafe mode we generate a 1024-bit RSA key on demand which takes
<2s on my old Buffalo here. Granted it's only 1024-bit but still. Now
the regular keys are 2048-bit which takes about a minute which could
be seen as problematic.

However in the verge of making these changes we also removed DSS support
and removed some of the ciphers (3DES, Twofish) and CBC mode in general
as well, so we at least save ourselves the DSS key generation.

In the future we might want to switch to add ed25519 since it's more secure
and probably faster than the classical approaches here, but we
have to ensure that it is compatible with at least most common SSH clients
out there, mainly probably PuTTY on Windows and OpenSSH on Linux & OS X.


Cheers,

Steven
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
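
Added example, not part of the message above and not OpenWrt or Dropbear code: a check that an SSH server's algorithm advertisement no longer offers what the message says was removed (DSS host keys, 3DES, Twofish, CBC mode). It parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1; the function names are hypothetical and the sample payload is constructed.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms"] + [
    f"{kind}_{direction}"
    for kind in ("encryption_algorithms", "mac_algorithms",
                 "compression_algorithms", "languages")
    for direction in ("client_to_server", "server_to_client")]

def parse_kexinit(payload):
    """Return {field: [names]} from a KEXINIT payload (packet framing stripped)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip the message byte and the 16-byte cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += n
    return out

def removed_algorithms(lists):
    """Offered names that fall under the removals listed in the message."""
    hits = [n for n in lists["server_host_key_algorithms"] if n == "ssh-dss"]
    for field in FIELDS[2:4]:  # encryption lists, both directions
        for name in lists[field]:
            low = name.lower()
            weak = "3des" in low or "twofish" in low or low.endswith("-cbc")
            if weak and name not in hits:
                hits.append(name)
    return hits

def build_kexinit(lists):
    """Encode a payload with a zero cookie; used here only to build the sample."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample advertisement, not captured from any real device.
SAMPLE = build_kexinit({
    "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "3des-cbc", "twofish256-ctr"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes256-cbc"]})
```
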