[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Sat Feb 10 15:08:49 PST 2018

Your aptness for seeing the possible attack vectors warrants your judgement ...

> Op 10 feb. 2018, om 17:07 heeft Philip Prindeville <philipp_subx at redfish-solutions.com> het volgende geschreven:
> 
> 
>> On Feb 10, 2018, at 3:28 AM, Paul Oranje <por at oranjevos.nl> wrote:
>> 
>> Wouldn't it be appropriate to disallow password authentication on wan only and allow it on all networks "behind" the router?
> 
> Not necessarily.
> 
> That’s why UPnP is such an issue. A machine inside a firewall gets infected by a virus through a download or email... then the first thing the virus does is punch holes in the firewall to allow outside scans of the remaining hosts.
> 
> Allowing password logins from an infected host just means that the virus has to do slightly more work before it owns the router (ie run a password attack).
> 
> Not substantially more secure...
> 
> -Philip
> 
>> 
>>> Op 9 feb. 2018, om 01:28 heeft Philip Prindeville <philipp at redfish-solutions.com> het volgende geschreven:
>>> 
>>> From: Philip Prindeville <philipp at redfish-solutions.com>
>>> 
>>> Allowing password logins leaves you vulnerable to dictionary
>>> attacks.  We disable password-based authentication, limiting
>>> authentication to keys only which are more secure.
>>> 
>>> Note: You'll need to pre-populate your image with some initial
>>> keys. To do this:
>>> 
>>> 1. Create the appropriate directory as "mkdir -p files/root/.ssh"
>>> from your top-level directory;
>>> 2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into
>>> "files/root/.ssh/authorized_keys" and indeed, you can collect
>>> keys from several sources this way by concatenating them;
>>> 3. Set the permissions on "authorized_keys" to 644 or 640.
>>> 
>>> Signed-off-by: Philip Prindeville <philipp at redfish-solutions.com>
>>> ---
>>> net/openssh/Makefile | 7 +++++--
>>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>> 
>>> diff --git a/net/openssh/Makefile b/net/openssh/Makefile
>>> index 3a19387b0d0110fc5c25d7ffccb524a61c0588c4..7ca61f6ce6d5916016a554b4a283a874e950232c 100644
>>> --- a/net/openssh/Makefile
>>> +++ b/net/openssh/Makefile
>>> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>>> 
>>> PKG_NAME:=openssh
>>> PKG_VERSION:=7.6p1
>>> -PKG_RELEASE:=1
>>> +PKG_RELEASE:=2
>>> 
>>> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
>>> PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
>>> @@ -248,7 +248,10 @@ define Package/openssh-server/install
>>>   $(INSTALL_DIR) $(1)/etc/ssh
>>>   chmod 0700 $(1)/etc/ssh
>>>   $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
>>> -    sed -r -i 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' $(1)/etc/ssh/sshd_config
>>> +    sed -r -i \
>>> +        -e 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' \
>>> +        -e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,' \
>>> +        $(1)/etc/ssh/sshd_config
>>>   $(INSTALL_DIR) $(1)/etc/init.d
>>>   $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
>>>   $(INSTALL_DIR) $(1)/usr/sbin
>>> -- 
>>> 2.7.4
>>> 
>>> 
> 
> 
> _______________________________________________
> Lede-dev mailing list
> Lede-dev at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev