WLAN and root password, remote login? (Was: Re: Request for Help on release preparation (identify packages with known security issues))
Holger Freyther
zecke at selfish.org
Sat Jul 19 21:31:27 CEST 2008
On Saturday 19 July 2008 18:13:33 Werner Almesberger wrote:
> Mike (mwester) wrote:
> > Another approach would be to craft some sort of script that would
> > disable SSH logins via the wireless interface if the root password is
> > empty. That might be really tricky; I'm not sure if SSH can do that,
> > much less dropbear.
>
> Just don't bring up WLAN before the a root password has been set ?
Guys, please don't make up "issues" were there are none. I can't stand this
bikeshedding. The old thread was about looking at the software we could
provide and has known security issues. If you are not interested in that then
don't comment and please don't hijack threads.
If you are interested in remote login and want to do useful things. Then
execute netstat and see which services bind on every interface. Out of my
head these would be avahi, dropbear, qpe. Then take a look which services
allow login. These are dropbear and qpe (again out of my head). According to
the proposed release policy we build the distro in release mode so dropbear
does not allow root access when no password is set (we patch dropbear in
debug mode to allow access..). which is leaving qpe open... figure out what
it is doing....
The facts are:
- The image we will release has a zapped root login
- dropbear will not allow root login
- You will need to install a package to set a root password and allow login
(like on other system, e.g. the Nokia tablets)
please stick to facts and happy hacking
z.
More information about the devel
mailing list