[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Feb 11 09:03:51 PST 2018



> On Feb 11, 2018, at 3:54 AM, Yousong Zhou <yszhou4tech at gmail.com> wrote:
> 
> On 9 February 2018 at 08:28, Philip Prindeville
> <philipp at redfish-solutions.com> wrote:
>> From: Philip Prindeville <philipp at redfish-solutions.com>
>> 
>> Allowing password logins leaves you vulnerable to dictionary
>> attacks.  We disable password-based authentication, limiting
>> authentication to keys only which are more secure.
>> 
>> Note: You'll need to pre-populate your image with some initial
>> keys. To do this:
>> 
>> 1. Create the appropriate directory as "mkdir -p files/root/.ssh"
>>  from your top-level directory;
>> 2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into
>>  "files/root/.ssh/authorized_keys" and indeed, you can collect
>>  keys from several sources this way by concatenating them;
>> 3. Set the permissions on "authorized_keys" to 644 or 640.
>> 
> 
> If forgetting doing this means I may need physical connection like vga
> monitor or serial connection to "unlock" the device, very likely I
> will hate this security enforcement...  It's just the inconvenience
> regardless of whether the said situation should happen.  As a user I'd
> like to keep this level of convenience as using password
> authentication and turn it off when I see it appropriate.
> 
>               yousong


I originally did it as a Config setting which modified the config file at build-time (PR #5520) but this was vetoed.

Personally I thought allowing everyone to crank down the system as much as they saw appropriate was the best solution.

-Philip


More information about the Lede-dev mailing list