> On Feb 11, 2018, at 3:54 AM, Yousong Zhou <yszhou4t...@gmail.com> wrote: > > On 9 February 2018 at 08:28, Philip Prindeville > <phil...@redfish-solutions.com> wrote: >> From: Philip Prindeville <phil...@redfish-solutions.com> >> >> Allowing password logins leaves you vulnerable to dictionary >> attacks. We disable password-based authentication, limiting >> authentication to keys only which are more secure. >> >> Note: You'll need to pre-populate your image with some initial >> keys. To do this: >> >> 1. Create the appropriate directory as "mkdir -p files/root/.ssh" >> from your top-level directory; >> 2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into >> "files/root/.ssh/authorized_keys" and indeed, you can collect >> keys from several sources this way by concatenating them; >> 3. Set the permissions on "authorized_keys" to 644 or 640. >> > > If forgetting doing this means I may need physical connection like vga > monitor or serial connection to "unlock" the device, very likely I > will hate this security enforcement... It's just the inconvenience > regardless of whether the said situation should happen. As a user I'd > like to keep this level of convenience as using password > authentication and turn it off when I see it appropriate. > > yousong
I originally did it as a Config setting which modified the config file at build-time (PR #5520) but this was vetoed. Personally I thought allowing everyone to crank down the system as much as they saw appropriate was the best solution. -Philip _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
