On 2020-10-09 14:33, abnoeh wrote:
> On 2020-10-09 at 8:29 PM, Bas Mevissen wrote:
>> So I think it is reasonably safe to do the initial setup over HTTP
>> (without the "S") at the first boot if there are no certificates
>> available from a previous OpenWRT install. Then the user can setup the
>> WAN side if needed and upload (from local PC), generate (self-signed)
>> or acquire (e.g. Let's Encrypt) the certificates for Luci. After that,
>> the connection is switched to HTTPS and HTTP switched off.
>>
>> The only issue I see, is how to transfer admin, WAN and WiFi passwords
>> at first boot in a secure way. Even though the user/admin should be
>> alone on the connection, sending those unencrypted over the line is
>> not desirable. Maybe those can be encrypted using client side
>> javascript.
>
> For things with a USB port, a firstboot loader script loads the SSH
> authorized key/root password from a USB drive, and/or an export script
> that, when a '.whoareyou' file is touched on the USB drive, writes its SSH
> host key and its self-signed certificate to the USB drive? I think the
> latter can be part of a hotplug.d script.

Nice idea to be able to auto-load the config including key material.
Might be very useful for larger installs.

>> The challenges IMHO are being able to safely retain previously
>> installed certificates over OpenWRT reflashes/upgrades and having user
>> friendly tools to get new certificates uploaded, generated or
>> acquired. For the latter part, some configurable service to
>> periodically download and install certificates from an external host
>> might be desirable (that's how I do it with my NAS boxes at home).
>
> For sysupgrade, like the save config option, add a new save-keys option
> that only saves the dropbear key and uhttpd certs?

Nice idea to save SSH server keys as well. That will avoid warnings when
connecting to the new box (at the same IP) for the first time.

Obviously, one needs to be careful with plain text private keys and
certs.
Cheers,
Bas.
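As an added illustration of the USB-drive provisioning and '.whoareyou' export idea discussed above (example code written for this page, not from the thread or from OpenWrt): a hotplug.d-style shell function that exports only public material and validates an imported authorized_keys before installing it. The uhttpd certificate path and the dropbear authorized_keys path follow OpenWrt's defaults; the marker name, the exported filename, the `usb_provision`/`demo` names and all sample files are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): a hotplug.d-style
# provisioning step in the spirit of abnoeh's USB-drive idea. ROOT and USB
# are parameters so it runs against a scratch directory; on a real box ROOT
# would be / and USB the mount point passed in by hotplug.d.
# Export: only the PUBLIC uhttpd certificate leaves the box; the private key
# and the dropbear host private key stay put (Bas's plaintext-key concern).
# Import: authorized_keys is installed only if every line parses as an SSH
# public key, a comment, or a blank line.

usb_provision() {
    root="$1"; usb="$2"; rc=0

    # Marker file present: export public material only.
    if [ -f "$usb/.whoareyou" ] && [ -f "$root/etc/uhttpd.crt" ]; then
        cp "$root/etc/uhttpd.crt" "$usb/openwrt-uhttpd.crt"
    fi

    # Credentials on the drive: validate before installing with tight mode.
    if [ -f "$usb/authorized_keys" ]; then
        keyre='^(#.*)?$|^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
        if grep -Evq "$keyre" "$usb/authorized_keys"; then
            echo "usb_provision: malformed line in authorized_keys, not installing" >&2
            rc=1
        else
            mkdir -p "$root/etc/dropbear"
            cp "$usb/authorized_keys" "$root/etc/dropbear/authorized_keys"
            chmod 600 "$root/etc/dropbear/authorized_keys"
        fi
    fi
    return $rc
}

# Constructed sample environment for a stand-alone run; prints the scratch dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/etc" "$tmp/usb"
    printf -- '-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n' \
        > "$tmp/root/etc/uhttpd.crt"
    printf 'constructed placeholder, must never reach the drive\n' > "$tmp/root/etc/uhttpd.key"
    : > "$tmp/usb/.whoareyou"
    printf '# admin laptop (constructed key)\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialOnly admin@laptop\n' \
        > "$tmp/usb/authorized_keys"
    usb_provision "$tmp/root" "$tmp/usb"
    echo "$tmp"
}
```

Running `demo` leaves the certificate but not the key on the scratch "drive" and installs the validated authorized_keys with mode 600; a drive whose authorized_keys contains anything that is not a key, comment or blank line is refused.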
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel