Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-17 Thread Rosen Penev
On Sat, Feb 17, 2018 at 1:54 PM, Stijn Tintel wrote: > On 09-02-18 01:28, Philip Prindeville wrote: >> From: Philip Prindeville >> >> Allowing password logins leaves you vulnerable to dictionary >> attacks. We disable password-based

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-17 Thread Stijn Tintel
On 09-02-18 01:28, Philip Prindeville wrote: > From: Philip Prindeville > > Allowing password logins leaves you vulnerable to dictionary > attacks. We disable password-based authentication, limiting > authentication to keys only which are more secure. > > Note:

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-17 Thread Karl Palsson
Philip Prindeville wrote: > > > In a perfect world, no one should ever have to build with > patches, anything in files/, cherry-picked commits, etc. > Everything would be expressed in the .config (or > kernel-config). I think this is probably the root of all the

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-15 Thread Magnus Kroken
On 15.02.2018 16.52, Philip Prindeville wrote: Well, right! That was my first approach with a “config" option to do exactly that, but it was shot down: https://github.com/openwrt/packages/pull/5520 I even defaulted the option to continue to allow passwords so that only people who (a)

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-15 Thread Daniel Golle
Hi! On Thu, Feb 15, 2018 at 08:51:23AM -0700, Philip Prindeville wrote: > > > > This is just about the default configuration, it's not a choice between > > conflicting compile time options with varying security implications. While > > key authentication may be best practice, allowing SSH

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-15 Thread Philip Prindeville
> On Feb 14, 2018, at 3:00 PM, Magnus Kroken wrote: > > On 14.02.2018 22.13, Michelle Sullivan wrote: >> FWIW, I had misunderstood the intent of the original comments... OpenSSH >> server vs Dropbear - if someone is using OpenSSH server they already >> went in with advanced

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-15 Thread Philip Prindeville
> On Feb 14, 2018, at 3:00 PM, Magnus Kroken wrote: > > On 14.02.2018 22.13, Michelle Sullivan wrote: >> FWIW, I had misunderstood the intent of the original comments... OpenSSH >> server vs Dropbear - if someone is using OpenSSH server they already >> went in with advanced

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Alberto Bursi
On 02/14/2018 10:53 PM, David Woodhouse wrote: On Wed, 2018-02-14 at 22:51 +0100, Alberto Bursi wrote: Just change the WAN ssh port number to something in the dynamic port range, pretty much 0 bots scan beyond the few well-known ports range, and you save CPU resources too. We're talking

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Magnus Kroken
On 14.02.2018 22.13, Michelle Sullivan wrote: FWIW, I had misunderstood the intent of the original comments... OpenSSH server vs Dropbear - if someone is using OpenSSH server they already went in with advanced config as Dropbear is the default - I'd err on the side of security as they should

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Michelle Sullivan
David Woodhouse wrote: On Wed, 2018-02-14 at 22:51 +0100, Alberto Bursi wrote: Just change the WAN ssh port number to something in the dynamic port range, pretty much 0 bots scan beyond the few well-known ports range, and you save CPU resources too. We're talking about the default config here

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread David Woodhouse
On Wed, 2018-02-14 at 22:51 +0100, Alberto Bursi wrote: > Just change the WAN ssh port number to something in the dynamic port  > range, pretty much 0 bots scan beyond the few well-known ports > range, and you save CPU resources too. We're talking about the default config here though. Please

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Alberto Bursi
On 02/14/2018 10:36 PM, David Woodhouse wrote: On Wed, 2018-02-14 at 12:34 -0700, Philip Prindeville wrote: Once I was messing with firewall settings and accidentally disabled the firewall.  Within a few minutes, there were all sorts of password attacks on the WAN port.  Having a sufficiently

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread David Woodhouse
On Wed, 2018-02-14 at 12:34 -0700, Philip Prindeville wrote: > Once I was messing with firewall settings and accidentally disabled > the firewall.  Within a few minutes, there were all sorts of password > attacks on the WAN port.  Having a sufficiently complex password > slowed things down long

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Michelle Sullivan
Philip Prindeville wrote: On Feb 13, 2018, at 9:14 PM, Michelle Sullivan wrote: [snip] Personally - my thoughts There should be an option to enable passwords (default off...) A warning should be placed on the checkbox to inform the user it is not a good idea to

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Philip Prindeville
> On Feb 14, 2018, at 1:25 AM, Stijn Segers wrote: > > Yousong Zhou schreef op 14 februari 2018 09:06:11 CET: >> >> No, it's just complicating things up. When people really cares about >> the default settings' security, the will override the

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Philip Prindeville
> On Feb 14, 2018, at 1:06 AM, Yousong Zhou wrote: > > On 14 February 2018 at 11:53, Philip Prindeville > wrote: >> >>> On Feb 11, 2018, at 3:54 AM, Yousong Zhou wrote: >>> >>> On 9 February 2018 at 08:28,

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Philip Prindeville
> On Feb 13, 2018, at 9:14 PM, Michelle Sullivan wrote: > > [snip] > Personally - my thoughts > > There should be an option to enable passwords (default off...) > A warning should be placed on the checkbox to inform the user it is not a > good idea to enable them. >

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Stijn Segers
Yousong Zhou schreef op 14 februari 2018 09:06:11 CET: >On 14 February 2018 at 11:53, Philip Prindeville > wrote: >> >>> On Feb 11, 2018, at 3:54 AM, Yousong Zhou >wrote: >>> >>> On 9 February 2018 at 08:28, Philip

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Yousong Zhou
On 14 February 2018 at 11:53, Philip Prindeville wrote: > >> On Feb 11, 2018, at 3:54 AM, Yousong Zhou wrote: >> >> On 9 February 2018 at 08:28, Philip Prindeville >> wrote: >>> From: Philip Prindeville

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-13 Thread Alberto Bursi
On 14/02/2018 04:53, Philip Prindeville wrote: On Feb 11, 2018, at 3:54 AM, Yousong Zhou wrote: On 9 February 2018 at 08:28, Philip Prindeville wrote: From: Philip Prindeville Allowing password logins

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-13 Thread Michelle Sullivan
Philip Prindeville wrote: On Feb 11, 2018, at 3:54 AM, Yousong Zhou wrote: On 9 February 2018 at 08:28, Philip Prindeville wrote: From: Philip Prindeville Allowing password logins leaves you vulnerable to

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-13 Thread Philip Prindeville
> On Feb 11, 2018, at 3:54 AM, Yousong Zhou wrote: > > On 9 February 2018 at 08:28, Philip Prindeville > wrote: >> From: Philip Prindeville >> >> Allowing password logins leaves you vulnerable to dictionary

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-11 Thread Philip Prindeville
> On Feb 11, 2018, at 3:54 AM, Yousong Zhou wrote: > > On 9 February 2018 at 08:28, Philip Prindeville > wrote: >> From: Philip Prindeville >> >> Allowing password logins leaves you vulnerable to dictionary

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-11 Thread Philip Prindeville
> On Feb 11, 2018, at 3:54 AM, Yousong Zhou wrote: > > On 9 February 2018 at 08:28, Philip Prindeville > wrote: >> From: Philip Prindeville >> >> Allowing password logins leaves you vulnerable to dictionary

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-11 Thread Philip Prindeville
> On Feb 11, 2018, at 4:23 AM, Alberto Bursi wrote: > > > > On 02/11/2018 11:54 AM, Yousong Zhou wrote: >> On 9 February 2018 at 08:28, Philip Prindeville >> wrote: >>> From: Philip Prindeville >>>

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-11 Thread Philip Prindeville
Sent from my iPhone > On Feb 11, 2018, at 4:11 AM, Torbjorn Jansson > wrote: > >> On 2018-02-11 11:54, Yousong Zhou wrote: >> On 9 February 2018 at 08:28, Philip Prindeville >> wrote: >>> From: Philip Prindeville

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-11 Thread Alberto Bursi
On 02/11/2018 11:54 AM, Yousong Zhou wrote: On 9 February 2018 at 08:28, Philip Prindeville wrote: From: Philip Prindeville Allowing password logins leaves you vulnerable to dictionary attacks. We disable password-based

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-11 Thread Torbjorn Jansson
On 2018-02-11 11:54, Yousong Zhou wrote: On 9 February 2018 at 08:28, Philip Prindeville wrote: From: Philip Prindeville Allowing password logins leaves you vulnerable to dictionary attacks. We disable password-based

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-11 Thread Yousong Zhou
On 9 February 2018 at 08:28, Philip Prindeville wrote: > From: Philip Prindeville > > Allowing password logins leaves you vulnerable to dictionary > attacks. We disable password-based authentication, limiting > authentication to keys

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-10 Thread Michelle Sullivan
Paul Oranje wrote: Your aptness for seeing the possible attack vectors warrants your judgement ... Op 10 feb. 2018, om 17:07 heeft Philip Prindeville het volgende geschreven: On Feb 10, 2018, at 3:28 AM, Paul Oranje wrote: Wouldn't

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-10 Thread Michelle Sullivan
Philip Prindeville wrote: On Feb 10, 2018, at 6:03 PM, Michelle Sullivan wrote: Paul Oranje wrote: Your aptness for seeing the possible attack vectors warrants your judgement ... Op 10 feb. 2018, om 17:07 heeft Philip Prindeville

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-10 Thread Philip Prindeville
> On Feb 10, 2018, at 6:03 PM, Michelle Sullivan wrote: > > Paul Oranje wrote: >> Your aptness for seeing the possible attack vectors warrants your judgement >> ... >> >>> Op 10 feb. 2018, om 17:07 heeft Philip Prindeville >>> het

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-10 Thread Paul Oranje
Your aptness for seeing the possible attack vectors warrants your judgement ... > Op 10 feb. 2018, om 17:07 heeft Philip Prindeville > het volgende geschreven: > > >> On Feb 10, 2018, at 3:28 AM, Paul Oranje wrote: >> >> Wouldn't it be

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-10 Thread Philip Prindeville
> On Feb 10, 2018, at 3:28 AM, Paul Oranje wrote: > > Wouldn't it be appropriate to disallow password authentication on wan only > and allow it on all networks "behind" the router? Not necessarily. That’s why UPnP is such an issue. A machine inside a firewall gets infected

Re: [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-10 Thread Paul Oranje
Wouldn't it be appropriate to disallow password authentication on wan only and allow it on all networks "behind" the router? > Op 9 feb. 2018, om 01:28 heeft Philip Prindeville > het volgende geschreven: > > From: Philip Prindeville