[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Philip Prindeville philipp_subx at redfish-solutions.com
Sat Feb 10 08:07:19 PST 2018


> On Feb 10, 2018, at 3:28 AM, Paul Oranje <por at oranjevos.nl> wrote:
> 
> Wouldn't it be appropriate to disallow password authentication on wan only and allow it on all networks "behind" the router?

Not necessarily.

That’s why UPnP is such an issue. A machine inside a firewall gets infected by a virus through a download or email... then the first thing the virus does is punch holes in the firewall to allow outside scans of the remaining hosts.

Allowing password logins from an infected host just means that the virus has to do slightly more work before it owns the router (i.e. run a password attack).

Not substantially more secure...

-Philip

> 
>> On 9 Feb. 2018, at 01:28, Philip Prindeville <philipp at redfish-solutions.com> wrote:
>> 
>> From: Philip Prindeville <philipp at redfish-solutions.com>
>> 
>> Allowing password logins leaves you vulnerable to dictionary
>> attacks.  We disable password-based authentication, limiting
>> authentication to keys only which are more secure.
>> 
>> Note: You'll need to pre-populate your image with some initial
>> keys. To do this:
>> 
>> 1. Create the appropriate directory as "mkdir -p files/root/.ssh"
>>  from your top-level directory;
>> 2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into
>>  "files/root/.ssh/authorized_keys" and indeed, you can collect
>>  keys from several sources this way by concatenating them;
>> 3. Set the permissions on "authorized_keys" to 644 or 640.
>> 
>> Signed-off-by: Philip Prindeville <philipp at redfish-solutions.com>
>> ---
>> net/openssh/Makefile | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>> 
>> diff --git a/net/openssh/Makefile b/net/openssh/Makefile
>> index 3a19387b0d0110fc5c25d7ffccb524a61c0588c4..7ca61f6ce6d5916016a554b4a283a874e950232c 100644
>> --- a/net/openssh/Makefile
>> +++ b/net/openssh/Makefile
>> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>> 
>> PKG_NAME:=openssh
>> PKG_VERSION:=7.6p1
>> -PKG_RELEASE:=1
>> +PKG_RELEASE:=2
>> 
>> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
>> PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
>> @@ -248,7 +248,10 @@ define Package/openssh-server/install
>>    $(INSTALL_DIR) $(1)/etc/ssh
>>    chmod 0700 $(1)/etc/ssh
>>    $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
>> -    sed -r -i 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' $(1)/etc/ssh/sshd_config
>> +    sed -r -i \
>> +        -e 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' \
>> +        -e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,' \
>> +        $(1)/etc/ssh/sshd_config
>>    $(INSTALL_DIR) $(1)/etc/init.d
>>    $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
>>    $(INSTALL_DIR) $(1)/usr/sbin
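Review bot: the second `-e` expression only rewrites a line that reads exactly `#PasswordAuthentication yes`, and sed exits 0 whether or not anything matched, so if a later upstream sshd_config changes that commented default the build would silently ship password logins enabled; add a check after the sed, e.g. `grep -q '^PasswordAuthentication no$$$$' $(1)/etc/ssh/sshd_config`, or append the directive unconditionally instead of patching a comment. It is also worth confirming that keyboard-interactive authentication (ChallengeResponseAuthentication) stays off in the installed config, since `PasswordAuthentication no` on its own does not govern that path. Finally, the lock-out the commit message warns about (an image built without files/root/.ssh/authorized_keys has no way to log in over ssh) is not surfaced by the package itself; a sentence in the package description or a note in the init script would help people who never read this commit.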
>> -- 
>> 2.7.4
>> 
>> 
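As an added example (my own script, not code from the patch or from the LEDE/OpenWrt build system), the steps the commit message describes, followed by the sshd_config rewrite the Makefile hunk performs. The script stages one or more `*.pub` files into `files/root/.ssh/authorized_keys`, de-duplicated and with the permissions the commit message asks for, then applies the same two sed substitutions to a config file and checks that the password directive really changed. All paths, the sample key lines and the sample sshd_config are constructed for the demo; the `0700` mode on `.ssh` and the portable `sed -E` plus temp-file form are my choices rather than anything in the patch.

```shell
#!/bin/sh
# Added example, not part of the patch or of the LEDE/OpenWrt build system.
# Reproduces the two steps from the commit message: staging public keys into
# the image overlay (files/root/.ssh/authorized_keys) and applying the
# sshd_config rewrite from the Makefile hunk, with a check that the rewrite
# actually took effect. All paths and key material are constructed.

# stage_authorized_keys TOPDIR PUBKEY...
# Collect key lines from one or more *.pub files into
# TOPDIR/files/root/.ssh/authorized_keys (the overlay the build system copies
# into the image), de-duplicated, with the permissions the commit message asks
# for. The 0700 mode on .ssh is this example's choice (sshd StrictModes
# rejects a group- or world-writable directory).
stage_authorized_keys() {
    topdir=$1
    shift
    sshdir="$topdir/files/root/.ssh"
    mkdir -p "$sshdir"
    : > "$sshdir/authorized_keys"
    for pub in "$@"; do
        # Keep only key lines so comments and blank lines in the source files
        # do not end up in authorized_keys.
        grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-[a-z0-9-]+) ' "$pub" \
            >> "$sshdir/authorized_keys" || true
    done
    sort -u "$sshdir/authorized_keys" > "$sshdir/authorized_keys.tmp" &&
        mv "$sshdir/authorized_keys.tmp" "$sshdir/authorized_keys"
    chmod 0700 "$sshdir"
    chmod 0640 "$sshdir/authorized_keys"   # 644 or 640 per the commit message
}

# count_keys TOPDIR: number of keys staged by stage_authorized_keys.
count_keys() {
    wc -l < "$1/files/root/.ssh/authorized_keys" | tr -d ' '
}

# disable_password_auth SSHD_CONFIG
# The same two substitutions the Makefile hunk runs (written with a single
# '$' here, since no make escaping is involved), followed by the check a
# Makefile recipe would also want: sed exits 0 even when nothing matched, so
# only the grep proves that password logins are really off. Returns non-zero
# when the directive is not present as "PasswordAuthentication no".
disable_password_auth() {
    cfg=$1
    sed -E \
        -e 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$,\1,' \
        -e 's,^#PasswordAuthentication yes$,PasswordAuthentication no,' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q '^PasswordAuthentication no$' "$cfg"
}

# Run "sh this_script.sh demo" to exercise both functions on constructed input.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne demo1\n' > "$d/k1.pub"
    printf '#HostKey /etc/ssh/ssh_host_ed25519_key\n#PasswordAuthentication yes\n' > "$d/sshd_config"
    stage_authorized_keys "$d/build" "$d/k1.pub"
    echo "staged $(count_keys "$d/build") key(s) under $d/build/files/root/.ssh"
    if disable_password_auth "$d/sshd_config"; then
        echo "password authentication disabled in $d/sshd_config"
    else
        echo "sshd_config did not match the expected commented default" >&2
    fi
fi
```

The negative case is the one worth keeping in mind: if the config already carries an uncommented `PasswordAuthentication yes` (say, a locally edited default), the sed matches nothing and `disable_password_auth` returns non-zero, which is exactly the failure a plain `sed -i` in a build recipe would swallow.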
