[FS#1244] dropbear blank password issue

LEDE Bugs lede-bugs at lists.infradead.org
Tue Dec 26 08:32:16 PST 2017


A new Flyspray task has been opened.  Details are below. 

User who did this - Alexey Kuznetsov (axet) 

Attached to Project - LEDE Project
Summary - dropbear blank password issue
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - Hello! I moved from OpenWrt to LEDE and got hacked. Seems like LEDE allows blank passwords for root on the 'wan' interface by default. My fault. But by default blank passwords should not be allowed on the 'wan' interface, which is the default for all ssh installations.

I've checked dropbear source and found '-B' option which is disabled by default. Not sure what is happening with lede. So, I post this issue.

I would suggest the following default config for **/etc/config/dropbear**

    config dropbear
        option AllowBlankPass 'on'
        option PasswordAuth 'on'
        option Port '22'
        option Interface 'lan'

    config dropbear
        option AllowBlankPass 'off'
        option PasswordAuth 'on'
        option Interface 'wan'
        option Port '22'

And a few changes to the /etc/init.d/dropbear script with the new AllowBlankPass == "-B" option.

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1244
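
Added example (not part of the original report and not LEDE code): a shell audit that reads a UCI-style dropbear config and flags any instance that would accept blank passwords on an interface other than 'lan'. `AllowBlankPass` is the option proposed in the report; the function names and the defaults applied to missing options (AllowBlankPass off, PasswordAuth on, no Interface meaning all interfaces) are assumptions.

```shell
#!/bin/sh
# Added example, not LEDE code. AllowBlankPass is the option proposed in the report.
# Assumed defaults: AllowBlankPass off, PasswordAuth on, no Interface = all interfaces.
# Reads a UCI-style dropbear config on stdin, prints one verdict per instance.
audit_dropbear() {
    awk -v q="'" '
    function report() {
        if (!active) return
        risk = (blank == "on" && pwauth == "on" && iface != "lan")  # blank logins off-lan
        printf "instance=%d interface=%s blank=%s %s\n", n, iface, blank, (risk ? "RISK" : "ok")
        active = 0
    }
    function unquote(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    $1 == "config" {
        report()
        if ($2 == "dropbear") { active = 1; n++; iface = "all"; blank = "off"; pwauth = "on" }
        next
    }
    active && $1 == "option" {
        v = unquote($3)
        if ($2 == "Interface") iface = v
        else if ($2 == "AllowBlankPass") blank = v
        else if ($2 == "PasswordAuth") pwauth = v
    }
    END { report() }
    '
}

# The two instances proposed in the report.
proposed_config() {
    cat <<'EOF'
config dropbear
    option AllowBlankPass 'on'
    option PasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

config dropbear
    option AllowBlankPass 'off'
    option PasswordAuth 'on'
    option Interface 'wan'
    option Port '22'
EOF
}
# Constructed counter-example: blank passwords allowed, no Interface option.
risky_config() { printf "config dropbear\n    option AllowBlankPass 'on'\n    option Port '22'\n"; }
proposed_config | audit_dropbear
risky_config | audit_dropbear
```

The proposed config yields `ok` for both instances, while the constructed one is reported as `RISK` because it listens on all interfaces with blank passwords enabled.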


