I was extremely surprised to discover that I was able to ssh to a machine that 
I booted with Debian Live using simply user=user and password=live.

Is this a bug or a design choice? Testing a few live images, it seems to 
have started in 7.0 and it's still present in 7.6.

In my opinion this is a huge security risk. It allows an attacker to not only 
spy on the live session, but to access the machine's hard drive, potentially 
modifying files to control the machine on reboot.

Looking around, it seems people agree with me: live distributions should not 
come with sshd enabled. People who need the feature can always start the 
service themselves or make their own custom live image.
https://unix.stackexchange.com/questions/43012/remote-accesible-live-distribution-aka-live-cd

    Francois
                                          
