On Wednesday 14 November 2012 15:06:08 Vutral wrote:
> I noticed for some other projects like openembedded and forks of it, and
> probably for some routers using the busybox telnet daemon, there should
> be a check for an empty root password, so if the root password is empty
> and the source IP of a request is not in private space (e.g. 192.168/16,
> 10/8, et cetera) the default action is not to allow a login... to reduce
> the risk of unintentional farm creation for botnets...
> 
> So I suggest by default only allowing access to telnet from "LAN/private IPs"
> when no root password is set.
> There could be an extra option to allow turning that sanity check off
> if required.
> 
> Alternatively, I guess the hostaccess-style filter would be sufficient
> too... but since that would require a configuration pattern change from
> the users I don't know what you'd prefer.
> 
> Somehow I don't see any use in allowing the whole world to access a
> passwordless root account..
> 
> 
> MirOS Project
> Armored Secure Operating System
> http://www.mirbsd.org/

Hi,
I think that hardcoding this behaviour in busybox telnetd
may not be desirable for all users and uses of busybox.

An alternative solution to be implemented by the openembedded folks could be:
1) create a randomly generated root passwd at first boot
2) ask the user to add an account + passwd at first connection to the web config
3) add the user to sudoers
4) use sudo for config tasks or to change the unknown random root passwd to a
known one.

or

1) ask the user to add a root passwd at first connection to the web config
2) ask the user to add an account + passwd at first connection to the web config

Just my 0.2 cents.

Ciao,
Tito
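Added example, not code from either poster nor from busybox itself: a small POSIX sh helper of the kind a first-boot script on a busybox/OpenEmbedded image could carry. It shows both ideas from the thread in runnable form: the private-address check Vutral proposed (only allow a telnet login to a passwordless root account from RFC 1918 space) and the first step of Tito's sequence (set a randomly generated root password at first boot rather than shipping an empty one). The sentinel path, the hand-off file for the web config, and the function names are assumptions; `chpasswd` is only called inside the root-only first-boot function, which the rest of the block never invokes.

```shell
#!/bin/sh
# Added example (assumed file layout; not from the thread or from busybox).

SENTINEL=/etc/.first-boot-done            # assumed: marks that first-boot setup ran
HANDOFF=/var/run/initial-root-passwd      # assumed: where the web config reads the password once

# Print a random alphanumeric password of $1 characters (default 16) from /dev/urandom.
gen_random_passwd() {
    len=${1:-16}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Return 0 if $1 is a dotted-quad IPv4 address inside 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    ip=$1
    oldIFS=$IFS; IFS=.
    set -- $ip                      # split into octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    return 1
}

# Return 0 if the root entry in the shadow-style file $1 has an empty password field.
# Takes the file as a parameter so it can be exercised against a constructed sample.
root_has_empty_passwd() {
    line=$(grep '^root:' "$1") || return 1
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    [ -z "$hash" ]
}

# Vutral's gate: allow the login ($1 = client address, $2 = shadow file) unless
# root is passwordless AND the client is outside private space.
telnet_login_allowed() {
    client=$1; shadow=${2:-/etc/shadow}
    if root_has_empty_passwd "$shadow" && ! is_private_ipv4 "$client"; then
        return 1
    fi
    return 0
}

# Tito's step 1: on the first boot only, give root a random password and leave it
# (mode 0600) where the web config's first-run page can display it once.
# Must run as root; deliberately never called in this file.
first_boot_set_root_passwd() {
    [ -e "$SENTINEL" ] && return 0
    pw=$(gen_random_passwd 16)
    printf 'root:%s\n' "$pw" | chpasswd
    umask 077
    printf '%s\n' "$pw" > "$HANDOFF"
    : > "$SENTINEL"
}
```

Usage from an init script would be `first_boot_set_root_passwd` early in boot, and a telnetd wrapper could call `telnet_login_allowed "$PEER_ADDR"` before handing the connection to `login`. The address check is written without regexes so it runs unchanged under busybox's ash.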

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
