[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Magnus Kroken mkroken at gmail.com
Wed Feb 14 14:00:27 PST 2018


On 14.02.2018 22.13, Michelle Sullivan wrote:
> FWIW, I had misunderstood the intent of the original comments... OpenSSH
> server vs Dropbear - if someone is using OpenSSH server they already
> went in with advanced config as Dropbear is the default - I'd err on the
> side of security as they should already know what they are doing....  it
> should be recoverable by webinterface though (rather than worrying about
> people 'fixing' by using something not secure.)

The opposite argument applies equally well IMO: they already know what 
they are doing, they should know how to allow key authentication only if 
they want that.

Consider a scenario where a user builds an image with OpenSSH, without 
Dropbear (because they have OpenSSH), and without a web interface 
(because they want to save space). This is easily done by selecting and 
deselecting packages in menuconfig/imagebuilder, no custom files needed 
today. With this change, if the image is missing authorized_keys, the 
only way to log in is serial console (failsafe will be locked out too), 
which requires soldering - or using bootloader recovery features, which 
may also require soldering and aren't consistently documented.

This is just about the default configuration, it's not a choice between 
conflicting compile time options with varying security implications. 
While key authentication may be best practice, allowing SSH password 
logins isn't on the level of reimplementing LuCI in PHP 4. The change is 
*literally* a handful of sed commands, why can't advanced users take 
care of that themselves? Why do we want to make it easier to build a 
soft-bricking image than it is today?

How about adding a configuration flag to menuconfig for OpenSSH, which 
runs said sed commands if the flag is set (disabled by default, for the 
reasons above). It makes it easier to set for those who want it, and it 
will also be saved in a diffconfig output if they set that.

Regards
/Magnus



More information about the Lede-dev mailing list