Gary E. Miller <g...@rellim.com>:
> Yo Eric!
>
> On Tue, 24 May 2016 18:03:51 -0400
> "Eric S. Raymond" <e...@thyrsus.com> wrote:
>
> > > Or even disable password logins altogether and use ssh keys only.
> > > But that's not for the HOWTO's target audience, unfortunately.
> >
> > Actually ./clockbuilder --secure does exactly that. Gary's argument
> > is that the --secure step should be done first rather than last. It's
> > somewhat undermined by the fact that under his assumptions even that
> > isn't good enough.
>
> I do not want the best to be the enemy of the better. I'll settle for
> the next small improvement.

There's a simpler way. First step becomes changing the default-user password using a local display and keyboard, *before* the Ethernet is plugged in.

That really is airtight, unless you choose a password that's so weak that it's early in a rainbow table and the cracker gets lucky before the later point where you disable password tunneling entirely.

I didn't like what you were advocating before because it increased the number of early by-hand steps a lot without actually plugging the hole, just narrowing it a little. This I like better.

Interestingly enough, my wife Cathy came up with this one as I was explaining the problem to her over dinner. Score one for sharp Philadelphia lawyers.

--
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel