> On Feb 10, 2018, at 3:28 AM, Paul Oranje <p...@oranjevos.nl> wrote:
>
> Wouldn't it be appropriate to disallow password authentication on wan only
> and allow it on all networks "behind" the router?
Not necessarily. That’s why UPnP is such an issue. A machine inside a firewall gets infected by a virus through a download or email... then the first thing the virus does is punch holes in the firewall to allow outside scans of the remaining hosts. Allowing password logins from an infected host just means that the virus has to do slightly more work before it owns the router (ie run a password attack). Not substantially more secure... -Philip > >> Op 9 feb. 2018, om 01:28 heeft Philip Prindeville >> <phil...@redfish-solutions.com> het volgende geschreven: >> >> From: Philip Prindeville <phil...@redfish-solutions.com> >> >> Allowing password logins leaves you vulnerable to dictionary >> attacks. We disable password-based authentication, limiting >> authentication to keys only which are more secure. >> >> Note: You'll need to pre-populate your image with some initial >> keys. To do this: >> >> 1. Create the appropriate directory as "mkdir -p files/root/.ssh" >> from your top-level directory; >> 2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into >> "files/root/.ssh/authorized_keys" and indeed, you can collect >> keys from several sources this way by concatenating them; >> 3. Set the permissions on "authorized_keys" to 644 or 640. >> >> Signed-off-by: Philip Prindeville <phil...@redfish-solutions.com> >> --- >> net/openssh/Makefile | 7 +++++-- >> 1 file changed, 5 insertions(+), 2 deletions(-) >> >> diff --git a/net/openssh/Makefile b/net/openssh/Makefile >> index >> 3a19387b0d0110fc5c25d7ffccb524a61c0588c4..7ca61f6ce6d5916016a554b4a283a874e950232c >> 100644 >> --- a/net/openssh/Makefile >> +++ b/net/openssh/Makefile >> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk >> >> PKG_NAME:=openssh >> PKG_VERSION:=7.6p1 >> -PKG_RELEASE:=1 >> +PKG_RELEASE:=2 >> >> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz >> PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ 
>> @@ -248,7 +248,10 @@ define Package/openssh-server/install >> $(INSTALL_DIR) $(1)/etc/ssh >> chmod 0700 $(1)/etc/ssh >> $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/ >> - sed -r -i 's,^#(HostKey >> /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' $(1)/etc/ssh/sshd_config >> + sed -r -i \ >> + -e 's,^#(HostKey >> /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' \ >> + -e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,' \ >> + $(1)/etc/ssh/sshd_config >> $(INSTALL_DIR) $(1)/etc/init.d >> $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd >> $(INSTALL_DIR) $(1)/usr/sbin >> -- >> 2.7.4 >> >> _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
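Review bot: in the second hunk, the added `-e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,'` only rewrites the line when the shipped sshd_config contains exactly `#PasswordAuthentication yes`; if a later OpenSSH release changes that commented default, the substitution matches nothing, the install step still succeeds, and password logins stay enabled, because sshd treats an absent PasswordAuthentication directive as "yes". Suggest making the install step fail when the directive is missing after the sed, e.g. `grep -q '^PasswordAuthentication no$$$$' $(1)/etc/ssh/sshd_config`, or appending `PasswordAuthentication no` unconditionally rather than depending on the comment text. The dependency on files/root/.ssh/authorized_keys described in the commit message should also be stated in the package description, since an image built without that file has no remote login path once this lands.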
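The key-seeding steps from the commit message, together with the check that the post-install sed actually disabled passwords, as an added shell example that is not part of the patch or the LEDE tree; the build top-level directory and the public-key file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the patch or the LEDE tree). Reproduces steps 1-3 of
# the commit message and adds the check the Makefile's sed does not perform.
# Assumed: $1 is the buildroot top-level directory, remaining args are
# OpenSSH public-key files to seed the image with.

# Steps 1-3: create files/root/.ssh, concatenate the given public keys into
# authorized_keys (deduplicated), and set the permissions to 0640.
seed_authorized_keys() {
    topdir=$1; shift
    sshdir="$topdir/files/root/.ssh"
    mkdir -p "$sshdir"
    chmod 0700 "$sshdir"
    # Keep only lines that look like OpenSSH public keys, then dedupe.
    cat "$@" | grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' | sort -u \
        > "$sshdir/authorized_keys"
    chmod 0640 "$sshdir/authorized_keys"
    # Refuse an empty file: with password logins off, an image shipped
    # without any key has no remote login path at all.
    [ -s "$sshdir/authorized_keys" ]
}

# Returns 0 only if an uncommented "PasswordAuthentication no" is present.
# sshd treats a missing directive as "yes", so a sed pattern that silently
# failed to match leaves password authentication enabled.
password_auth_disabled() {
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$1"
}

# Stand-alone demo on constructed input.
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3constructedkey1 user@host\n' > "$demo/id_ed25519.pub"
seed_authorized_keys "$demo/lede" "$demo/id_ed25519.pub" \
    && echo "seeded $demo/lede/files/root/.ssh/authorized_keys"
printf '#PasswordAuthentication yes\n' > "$demo/sshd_config"   # sed did not match
password_auth_disabled "$demo/sshd_config" \
    || echo "warning: PasswordAuthentication is still enabled in $demo/sshd_config"
```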