WLAN and root password, remote login? (Was: Re: Request for Help on release preparation (identify packages with known security issues))

Holger Freyther zecke at selfish.org
Sat Jul 19 21:31:27 CEST 2008

On Saturday 19 July 2008 18:13:33 Werner Almesberger wrote:
> Mike (mwester) wrote:
> > Another approach would be to craft some sort of script that would
> > disable SSH logins via the wireless interface if the root password is
> > empty.  That might be really tricky; I'm not sure if SSH can do that,
> > much less dropbear.
> Just don't bring up WLAN before the a root password has been set ?

Guys, please don't make up "issues" were there are none. I can't stand this 
bikeshedding. The old thread was about looking at the software we could 
provide and has known security issues. If you are not interested in that then 
don't comment and please don't hijack threads.

If you are interested in remote login and want to do useful things. Then 
execute netstat and see which services bind on every interface. Out of my 
head these would be avahi, dropbear, qpe. Then take a look which services 
allow login. These are dropbear and qpe (again out of my head). According to 
the proposed release policy we build the distro in release mode so dropbear 
does not allow root access when no password is set (we patch dropbear in 
debug mode to allow access..). which is leaving qpe open... figure out what 
it is doing....

The facts are:
	- The image we will release has a zapped root login
	- dropbear will not allow root login
	- You will need to install a package to set a root password and allow login 
(like on other system, e.g. the Nokia tablets)

please stick to facts and happy hacking

More information about the devel mailing list