> > Similarly, we could say that the security of lrcfg is the strength of
> > your root password for the internal interface, and whether you allow
> > inbound telnet or ssh on your external interface.   Once someone
> > gets in as root, I really don't care if he abuses lrcfg - he already
> > owns the box. :-)
>
> I'm following you now.... that makes sense and it would make it
> necessary to bring up the default (index?) page as a login only
> page (duh!). There may (or may not) be a default password to
> enter the configuration menu via www. It would also be advisable
> to run the server on something like port 81 so it would not be as
> likely to be "accidentally" accessed in the first place.

This has been my thinking...the existing linux password system provides
the authorization.  Users are responsible for understanding the
consequences of running configuration tools requiring password access
(i.e. telnet, un-encrypted web access, etc) over insecure networks...while
I think this should be supported, "out of the box" the system should
default to only allowing local interface logins (i.e. user has to
explicitly enable remote access, with warnings about security when they
do).

Also, once we get a remote configuration system that becomes a standard
part of a distribution, I think it's almost mandatory we do something to
force the user to create a password.  How many LEAF systems are running
today with the default of no password?  How many
linksys/netgear/black-box router/firewall boxes are running with the
factory default password?  Perhaps the init scripts can simply check for
the default null password for root, and require the user to set a
password before continuing at the first login...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
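
The check suggested at the end of the message above, sketched as an added example (not part of the original e-mail and not LEAF's own init code): it reads a passwd-format file, follows an `x` marker into a shadow-format file, and reports whether root's password field is empty. The function names, the state names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: POSIX sh, works on file paths passed as arguments.

# Print field 2 of root's entry in a passwd/shadow-format file.
# Returns non-zero when the file is unreadable or has no root entry.
root_field() {
    awk -F: '$1 == "root" { print $2; found = 1; exit }
             END { exit !found }' "$1" 2>/dev/null
}

# root_password_state PASSWD_FILE [SHADOW_FILE]
# Prints one of: empty | locked | set | missing | unknown
root_password_state() {
    field=$(root_field "$1") || { echo missing; return 0; }
    if [ "$field" = "x" ]; then
        # "x" means the real hash lives in the shadow file.
        field=$(root_field "${2:-/nonexistent}") || { echo unknown; return 0; }
    fi
    case $field in
        '')        echo empty ;;   # null password: anyone can log in as root
        '!'*|'*'*) echo locked ;;  # password login disabled
        *)         echo set ;;
    esac
}

# Returns 0 when login may continue, 1 when a password must be set first.
# Fails closed: "missing" and "unknown" also block.
login_may_continue() {
    state=$(root_password_state "$@")
    case $state in
        set|locked) return 0 ;;
        *) echo "root password is '$state': set one before continuing" >&2
           return 1 ;;
    esac
}

# Demo on constructed sample files (not a real system's accounts).
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo_dir/passwd"
printf 'root::12000:0:99999:7:::\n'      > "$demo_dir/shadow"
echo "constructed sample: $(root_password_state "$demo_dir/passwd" "$demo_dir/shadow")"
rm -rf "$demo_dir"
```

An init or login script would call `login_may_continue /etc/passwd /etc/shadow` and run `passwd root` in a loop until it returns 0.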