On Sun, 10 Feb 2019 13:23:38 +0000, Tim wrote:
> First, I found the passphrase for my wifi stored on the router in
> plain text format

It's certainly not the first router operating system to do that. I found a feature request asking for Ubiquiti access points to stop storing WiFi passwords in plain text:
https://community.ubnt.com/t5/UniFi-Feature-Requests/Hashing-the-remaining-passwords-do-not-store-in-plain-text/idi-p/1590658#comments

Someone please correct me if I'm wrong, but my understanding is that the mutual authentication feature of WPA2-PSK means that the access point must store either the plain text passphrase or the plain text secret that gets computed from it, either of which can be used to authenticate to the network if stolen. It seems to me that the best defence is therefore to avoid using the passphrase for anything except that one WiFi network, or else to use WPA2 Enterprise instead (which does not rely on a pre-shared key).

> Secondly, when you log in to the router via ssh you do so as root

It is definitely possible to change that. You can add a less privileged user, enable key-based authentication for SSH and install sudo. I wonder if the default was a compromise made in order to limit the amount of software included in the base installation, due to the limited amount of flash memory found in router hardware.

> to be fair when you log in to the router via the web interface you
> also do so as root.

I never really liked that, especially since HTTPS is not enabled by default. I don't so much mind having to authenticate as root to perform administrative actions, but it does seem poor form to run the entire web server as root.

Patrick

--
Next meeting: BEC, Bournemouth, Tuesday, 2019-03-05 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk/
New thread, don't hijack:  mailto:[email protected]
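Added example, not part of the original message: the WPA2-PSK key derivation referred to above (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output), used to replace a stored passphrase with the derived key for one SSID. The hostapd-style `wpa_passphrase=` / `wpa_psk=` lines, the helper names and the sample values are assumptions made for illustration.

```python
import hashlib
import re


def derive_psk(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK mapping: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def classify_stored_key(line: str) -> str:
    """Classify one hostapd-style key line by what a leaked config would expose."""
    key, _, value = line.strip().partition("=")
    if key == "wpa_passphrase":
        return "passphrase"   # exposes the passphrase wherever else it was reused
    if key == "wpa_psk" and re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "derived-psk"  # still joins this SSID, but the passphrase is not stored
    return "unknown"


def harden_line(line: str, ssid: bytes) -> str:
    """Rewrite a wpa_passphrase= line as the equivalent wpa_psk= line for this SSID."""
    key, _, value = line.strip().partition("=")
    if key != "wpa_passphrase":
        return line.strip()
    return "wpa_psk=" + derive_psk(value, ssid).hex()


if __name__ == "__main__":
    ssid = b"IEEE"                      # constructed sample SSID
    before = "wpa_passphrase=password"  # constructed sample config line
    after = harden_line(before, ssid)
    print(classify_stored_key(before), "->", classify_stored_key(after))
    print(after)
    # The SSID is the salt, so the same passphrase yields a different key elsewhere.
    print(derive_psk("password", b"OtherNet").hex())
```

Storing the derived key still lets anyone who reads the config join that network; it only avoids keeping the passphrase itself on the device.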

