Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Sami Olmari wrote: >> at the moment the user *is* used to a key mismatch, because >> every box comes up with 192.168.1.1 and another key. > No need to generate another weak point just because there can be another > similar one... And, there is work at the IETF

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Bastian Bittorf wrote: >> >while we are at it: what about including default private keys for SSH >> >till the real keys are generated? it can last several minutes on some >> >routers and it feels like the box is broken. also: if really something >> >goes

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

* Michael Richardson [24.12.2015 22:14]: > >> > till the real keys are generated? it can last several minutes on some > >> > routers and it feels like the box is broken. also: if really > something > >> > goes wrong during key generating we can at least login. >

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

* Michael Richardson [24.12.2015 22:14]: > 2) if the user is "used" to a key mismatch, and they type their password in, >the password has just been compromised. this is indeed true for IPv6/linklocal > A better approach is that the ssh daemon should start, open port 22,

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

* Michael Richardson [24.12.2015 22:14]: > 1) when the "default" key is being used, the box can be impersonated. hmmm, it can - but you need another box on the same wire with the same IP 192.168.1.1 > 2) if the user is "used" to a key mismatch, and they type their password

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Bastian Bittorf wrote: >> > while we are at it: what about including default private keys for SSH >> > till the real keys are generated? it can last several minutes on some >> > routers and it feels like the box is broken. also: if really something >> >

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Security is ultimately all about making it cost too much (of at least time, money, effort, requirements, social factors) to break in. Even so-called 'real' security vs. security in depth and security by obscurity is really on the same spectrum. That is why those who make bald statements

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

-1 to default key... > at the moment the user *is* used to a key mismatch, because > every box comes up with 192.168.1.1 and another key. No need to generate another weak point just because there can be another similar one... More general, should a bad guy have physical access to an device, be

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

* Imre Kaloz [24.12.2015 21:15]: > >while we are at it: what about including default private keys for SSH > >till the real keys are generated? it can last several minutes on some > >routers and it feels like the box is broken. also: if really something > >goes wrong during key

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Daniel Dickinson wrote: > At the present time it is actually not possible to using /bin/login from > within the preinit context and therefore making passwords required during > failsafe is not currently possible. It sounds like we really need

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

* John Crispin [24.12.2015 21:15]: > > while we are at it: what about including default private keys for SSH > > till the real keys are generated? it can last several minutes on some > > routers and it feels like the box is broken. also: if really something > > goes wrong

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 23/12/2015 17:32, Bastian Bittorf wrote: > * Daniel Curran-Dickinson [23.12.2015 17:27]: >> I'm implementing without mount_root - that means passwordless >> failsafe unless user has preconfigured passwords in their image. >> OTOH if they have configured passwords

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Hi Imre, On 23/12/15 07:05 AM, Imre Kaloz wrote: Hi Daniel, On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson wrote: I am reworking this (requiring console login) as couple of packages for the packages feed, although it may require an image.mk or packages

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 12/23/2015 08:54 AM, Daniel Dickinson wrote: > On 23/12/15 02:44 AM, Heinrich Schuchardt wrote: >> Hello Daniel, >> >> my TP-LINK MR3020 (AR71XX, OpenWrt 15.05) uses /dev/ttyATH0 as serial >> console . >> >> I could not find this device in the getty commands of the inittab that >> you create in

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Hi Daniel, On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson wrote: I am reworking this (requiring console login) as couple of packages for the packages feed, although it may require an image.mk or packages Makefile hook in order to embed an appropriate

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 2015-12-23 16:27, Bastian Bittorf wrote: > * Imre Kaloz [23.12.2015 16:22]: >> >I'd hate to have some corner case result in bricked routers for >> >people who have no means of recovering from a bad flash. >> >> You can reflash from the bootloader all the time, we are

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 2015-12-16 15:59, open...@daniel.thecshore.com wrote: > From: Daniel Dickinson > > Some devices like generic PC's and Raspberry Pi/Pi2 are much more trivial to > get hardware console access than a typical router scenario and therefore > really > ought to require

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

* Imre Kaloz [23.12.2015 16:22]: > >I'd hate to have some corner case result in bricked routers for > >people who have no means of recovering from a bad flash. > > You can reflash from the bootloader all the time, we are talking > about userland here. IMHO this should be just

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

* Daniel Curran-Dickinson [23.12.2015 17:27]: > I'm implementing without mount_root - that means passwordless > failsafe unless user has preconfigured passwords in their image. > OTOH if they have configured passwords in their image then they will > be required. ok,

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 2015-12-24 00:38, Imre Kaloz wrote: > On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau wrote: > >> On 2015-12-23 16:27, Bastian Bittorf wrote: >>> * Imre Kaloz [23.12.2015 16:22]: >I'd hate to have some corner case result in bricked routers for

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 23/12/15 06:49 PM, Felix Fietkau wrote: On 2015-12-24 00:38, Imre Kaloz wrote: On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau wrote: On 2015-12-23 16:27, Bastian Bittorf wrote: * Imre Kaloz [23.12.2015 16:22]: I'd hate to have some corner case

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau wrote: On 2015-12-23 16:27, Bastian Bittorf wrote: * Imre Kaloz [23.12.2015 16:22]: >I'd hate to have some corner case result in bricked routers for >people who have no means of recovering from a bad

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On Wed, 23 Dec 2015 17:32:06 +0100, Bastian Bittorf wrote: * Daniel Curran-Dickinson [23.12.2015 17:27]: I'm implementing without mount_root - that means passwordless failsafe unless user has preconfigured passwords in their image. OTOH

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 23/12/2015 13:05, Imre Kaloz wrote: > Hi Daniel, > > On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson > wrote: > >> I am reworking this (requiring console login) as couple of packages >> for the packages feed, although it may require an image.mk or

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Actually once root password is set is unncessary. Busybox login with no password set allows passwordless login, so there is no issue. Regards, Daniel On 23/12/15 07:24 AM, John Crispin wrote: On 23/12/2015 13:05, Imre Kaloz wrote: Hi Daniel, On Wed, 23 Dec 2015 07:58:59 +0100, Daniel

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Hi Imre, Thanks for this! This indeed would be my preference, I just thought there wouldn't be any appetite for it on the grounds I mentioned. Before I work up a version of the patch that isn't as desirable from a security perspective, I have another concept that ought to solve the ar71xx

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

I'm inclined to make the opt-out an image generation time decision rather than configurable on the overlayfs for what I think are obvious reasons. Regards, Daniel On 23/12/15 07:24 AM, John Crispin wrote: On 23/12/2015 13:05, Imre Kaloz wrote: Hi Daniel, On Wed, 23 Dec 2015 07:58:59

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On 23/12/2015 13:32, Daniel Dickinson wrote: > I'm inclined to make the opt-out an image generation time decision > rather than configurable on the overlayfs for what I think are obvious > reasons. yep, that would be the best choice. > > Regards, > > Daniel > > On 23/12/15 07:24 AM, John

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Oh, and I think that initially this should be default off configuration option that people who are able to flash firmware via bootloader in case of getting locked out encourage to test before pushing this as default. I'd hate to have some corner case result in bricked routers for people who

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

On Wed, 23 Dec 2015 13:43:14 +0100, Daniel Dickinson wrote: Oh, and I think that initially this should be default off configuration option that people who are able to flash firmware via bootloader in case of getting locked out encourage to test before pushing

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

I am reworking this (requiring console login) as couple of packages for the packages feed, although it may require an image.mk or packages Makefile hook in order to embed an appropriate inittab into the image (since the inittab will need to be modified and we need to guarantee the correct

Re: [OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Hello Daniel, my TP-LINK MR3020 (AR71XX, OpenWrt 15.05) uses /dev/ttyATH0 as serial console . I could not find this device in the getty commands of the inittab that you create in the patch below. I would feel more comfortable having a password verification on my router. Shouldn't this be

[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

From: Daniel Dickinson Some devices like generic PC's and Raspberry Pi/Pi2 are much more trivial to get hardware console access than a typical router scenario and therefore really ought to require login even on hardware console rather than a hardware console