Sami Olmari wrote:
>> at the moment the user *is* used to a key mismatch, because
>> every box comes up with 192.168.1.1 and another key.
> No need to generate another weak point just because there can be another
> similar one...
And, there is work at the IETF
Bastian Bittorf wrote:
>> >while we are at it: what about including default private keys for SSH
>> >till the real keys are generated? it can last several minutes on some
>> >routers and it feels like the box is broken. also: if really something
>> >goes
* Michael Richardson [24.12.2015 22:14]:
> >> > till the real keys are generated? it can last several minutes on some
> >> > routers and it feels like the box is broken. also: if really
> something
> >> > goes wrong during key generating we can at least login.
>
* Michael Richardson [24.12.2015 22:14]:
> 2) if the user is "used" to a key mismatch, and they type their password in,
>the password has just been compromised.
this is indeed true for IPv6/linklocal
> A better approach is that the ssh daemon should start, open port 22,
* Michael Richardson [24.12.2015 22:14]:
> 1) when the "default" key is being used, the box can be impersonated.
hmmm, it can - but you need another box on the same wire
with the same IP 192.168.1.1
> 2) if the user is "used" to a key mismatch, and they type their password
Bastian Bittorf wrote:
>> > while we are at it: what about including default private keys for SSH
>> > till the real keys are generated? it can last several minutes on some
>> > routers and it feels like the box is broken. also: if really something
>> >
Security is ultimately all about making it cost too much (of at least
time, money, effort, requirements, social factors) to break in. Even
so-called 'real' security vs. security in depth and security by
obscurity is really on the same spectrum.
That is why those who make bald statements
-1 to default key...
> at the moment the user *is* used to a key mismatch, because
> every box comes up with 192.168.1.1 and another key.
No need to generate another weak point just because there can be another
similar one...
More general, should a bad guy have physical access to an device, be
* Imre Kaloz [24.12.2015 21:15]:
> >while we are at it: what about including default private keys for SSH
> >till the real keys are generated? it can last several minutes on some
> >routers and it feels like the box is broken. also: if really something
> >goes wrong during key
Daniel Dickinson wrote:
> At the present time it is actually not possible to using /bin/login from
> within the preinit context and therefore making passwords required during
> failsafe is not currently possible.
It sounds like we really need
* John Crispin [24.12.2015 21:15]:
> > while we are at it: what about including default private keys for SSH
> > till the real keys are generated? it can last several minutes on some
> > routers and it feels like the box is broken. also: if really something
> > goes wrong
On 23/12/2015 17:32, Bastian Bittorf wrote:
> * Daniel Curran-Dickinson [23.12.2015 17:27]:
>> I'm implementing without mount_root - that means passwordless
>> failsafe unless user has preconfigured passwords in their image.
>> OTOH if they have configured passwords
Hi Imre,
On 23/12/15 07:05 AM, Imre Kaloz wrote:
Hi Daniel,
On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
wrote:
I am reworking this (requiring console login) as couple of packages
for the packages feed, although it may require an image.mk or packages
On 12/23/2015 08:54 AM, Daniel Dickinson wrote:
> On 23/12/15 02:44 AM, Heinrich Schuchardt wrote:
>> Hello Daniel,
>>
>> my TP-LINK MR3020 (AR71XX, OpenWrt 15.05) uses /dev/ttyATH0 as serial
>> console .
>>
>> I could not find this device in the getty commands of the inittab that
>> you create in
Hi Daniel,
On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
wrote:
I am reworking this (requiring console login) as couple of packages for
the packages feed, although it may require an image.mk or packages
Makefile hook in order to embed an appropriate
On 2015-12-23 16:27, Bastian Bittorf wrote:
> * Imre Kaloz [23.12.2015 16:22]:
>> >I'd hate to have some corner case result in bricked routers for
>> >people who have no means of recovering from a bad flash.
>>
>> You can reflash from the bootloader all the time, we are
On 2015-12-16 15:59, open...@daniel.thecshore.com wrote:
> From: Daniel Dickinson
>
> Some devices like generic PC's and Raspberry Pi/Pi2 are much more trivial to
> get hardware console access than a typical router scenario and therefore
> really
> ought to require
* Imre Kaloz [23.12.2015 16:22]:
> >I'd hate to have some corner case result in bricked routers for
> >people who have no means of recovering from a bad flash.
>
> You can reflash from the bootloader all the time, we are talking
> about userland here. IMHO this should be just
* Daniel Curran-Dickinson [23.12.2015 17:27]:
> I'm implementing without mount_root - that means passwordless
> failsafe unless user has preconfigured passwords in their image.
> OTOH if they have configured passwords in their image then they will
> be required.
ok,
On 2015-12-24 00:38, Imre Kaloz wrote:
> On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau wrote:
>
>> On 2015-12-23 16:27, Bastian Bittorf wrote:
>>> * Imre Kaloz [23.12.2015 16:22]:
>I'd hate to have some corner case result in bricked routers for
On 23/12/15 06:49 PM, Felix Fietkau wrote:
On 2015-12-24 00:38, Imre Kaloz wrote:
On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau wrote:
On 2015-12-23 16:27, Bastian Bittorf wrote:
* Imre Kaloz [23.12.2015 16:22]:
I'd hate to have some corner case
On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau wrote:
On 2015-12-23 16:27, Bastian Bittorf wrote:
* Imre Kaloz [23.12.2015 16:22]:
>I'd hate to have some corner case result in bricked routers for
>people who have no means of recovering from a bad
On Wed, 23 Dec 2015 17:32:06 +0100, Bastian Bittorf
wrote:
* Daniel Curran-Dickinson [23.12.2015
17:27]:
I'm implementing without mount_root - that means passwordless
failsafe unless user has preconfigured passwords in their image.
OTOH
On 23/12/2015 13:05, Imre Kaloz wrote:
> Hi Daniel,
>
> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
> wrote:
>
>> I am reworking this (requiring console login) as couple of packages
>> for the packages feed, although it may require an image.mk or
Actually once root password is set is unncessary. Busybox login with no
password set allows passwordless login, so there is no issue.
Regards,
Daniel
On 23/12/15 07:24 AM, John Crispin wrote:
On 23/12/2015 13:05, Imre Kaloz wrote:
Hi Daniel,
On Wed, 23 Dec 2015 07:58:59 +0100, Daniel
Hi Imre,
Thanks for this! This indeed would be my preference, I just thought
there wouldn't be any appetite for it on the grounds I mentioned. Before
I work up a version of the patch that isn't as desirable from a security
perspective, I have another concept that ought to solve the ar71xx
I'm inclined to make the opt-out an image generation time decision
rather than configurable on the overlayfs for what I think are obvious
reasons.
Regards,
Daniel
On 23/12/15 07:24 AM, John Crispin wrote:
On 23/12/2015 13:05, Imre Kaloz wrote:
Hi Daniel,
On Wed, 23 Dec 2015 07:58:59
On 23/12/2015 13:32, Daniel Dickinson wrote:
> I'm inclined to make the opt-out an image generation time decision
> rather than configurable on the overlayfs for what I think are obvious
> reasons.
yep, that would be the best choice.
>
> Regards,
>
> Daniel
>
> On 23/12/15 07:24 AM, John
Oh, and I think that initially this should be default off configuration
option that people who are able to flash firmware via bootloader in case
of getting locked out encourage to test before pushing this as default.
I'd hate to have some corner case result in bricked routers for people
who
On Wed, 23 Dec 2015 13:43:14 +0100, Daniel Dickinson
wrote:
Oh, and I think that initially this should be default off configuration
option that people who are able to flash firmware via bootloader in case
of getting locked out encourage to test before pushing
I am reworking this (requiring console login) as couple of packages for
the packages feed, although it may require an image.mk or packages
Makefile hook in order to embed an appropriate inittab into the image
(since the inittab will need to be modified and we need to guarantee the
correct
Hello Daniel,
my TP-LINK MR3020 (AR71XX, OpenWrt 15.05) uses /dev/ttyATH0 as serial
console .
I could not find this device in the getty commands of the inittab that
you create in the patch below.
I would feel more comfortable having a password verification on my
router. Shouldn't this be
From: Daniel Dickinson
Some devices like generic PC's and Raspberry Pi/Pi2 are much more trivial to
get hardware console access than a typical router scenario and therefore really
ought to require login even on hardware console rather than a hardware console
33 matches
Mail list logo