[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server
Philip Prindeville
philipp_subx at redfish-solutions.com
Sun Feb 11 08:57:56 PST 2018
Sent from my iPhone
> On Feb 11, 2018, at 4:11 AM, Torbjorn Jansson <torbjorn.jansson at mbox200.swipnet.se> wrote:
>
>> On 2018-02-11 11:54, Yousong Zhou wrote:
>> On 9 February 2018 at 08:28, Philip Prindeville
>> <philipp at redfish-solutions.com> wrote:
>>> From: Philip Prindeville <philipp at redfish-solutions.com>
>>>
>>> Allowing password logins leaves you vulnerable to dictionary
>>> attacks. We disable password-based authentication, limiting
>>> authentication to keys only which are more secure.
>>>
>>> Note: You'll need to pre-populate your image with some initial
>>> keys. To do this:
>>>
>>> 1. Create the appropriate directory as "mkdir -p files/root/.ssh"
>>> from your top-level directory;
>>> 2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into
>>> "files/root/.ssh/authorized_keys" and indeed, you can collect
>>> keys from several sources this way by concatenating them;
>>> 3. Set the permissions on "authorized_keys" to 644 or 640.
>>>
>> If forgetting doing this means I may need physical connection like vga
>> monitor or serial connection to "unlock" the device, very likely I
>> will hate this security enforcement... It's just the inconvenience
>> regardless of whether the said situation should happen. As a user I'd
>> like to keep this level of convenience as using password
>> authentication and turn it off when I see it appropriate.
>> yousong
>
> yes and i assume this will be a feature that is off by default, especially in images created as part of making a new release.
>
> if it is on by default in images available for download on lede/openwrt site then we have a big problem.
By default images are built using dropbear not openssh.
More information about the Lede-dev
mailing list