[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices
Bastian Bittorf
bittorf at bluebottle.com
Thu Dec 24 16:33:14 EST 2015
* Michael Richardson <mcr at sandelman.ca> [24.12.2015 22:14]:
> >> > till the real keys are generated? it can last several minutes on some
> >> > routers and it feels like the box is broken. also: if really something
> >> > goes wrong during key generating we can at least login.
> >>
> >> you have a very bizarre understanding of securing a device.
>
> > in this stage the box is still without password.
>
> okay. So the impersonator machine lets the user in without a password, and
> the impersonator machine has ALREADY connected to the new machine with no
> password, and trojan'ed some binaries.
yes, if somebody wants to upload some binaries it's possible.
> > the only issue i can think of is, that one can
> > read on the wire to which password somebody changes
> > with 'passwd' - but i'am pretty sure this is not
> > the case, because each session has it's own privacy.
>
> No, since the impersonator (MITM) has involved itself with the session.
> Effectively, the MITM creates:
>
> ssh mitm 'tee /badguy | ssh target'
>
> (but, bidirectionally, and inside the SSH transport layer)
>
> A new ICMP port-unreachable code would be nice to have here.
interesting idea, but this is also possible with the current
approach. the user has to accept a new unknown key and has no
idea from which box it comes from.
but really, this is really hypothetical - normally you have
1 box on your desk and you are connected via wire to it. what
is your usecase?
bye, bastian
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list