IMHO no password is best method until a password is set (like it was with
telnet and now with new paswordless SSH). A default password is just false
sense of security, there is none! Otherwise "encouraging" to set one and
how can be discussed...
Olmari
On Thu, Sep 10, 2015 at 3:14 AM, Ben Fransk
I'm copying this to the list because it was sent directly to me... There
are definitely many ways of "encouraging" people to change the password
which could be explored, another example is the WAN interface could be
disabled until the password is set. A few more thoughts on something
like that
A couple of thoughts on some of the discussion around this:
1) I would be a proponent of a pre-set password, SSH without a password
is very unusual behavior. I understand that there have been some
comments "Any preset password is asking for users to
leave it default." I fail to see how this is
Steven Barth wrote at Wed Sep 9 08:10:18 CEST 2015:
> Lack of entropy doesn't seem to be too much of an issue here, in fact in
failsafe mode we generate a 1024 bit RSA-key on demand which takes <2s on my
old Buffalo here. Granted its only 1024-bit but still. Now the regular keys
are 2048-bit wh
Hello Michael,
that is interesting, though I guess since these are mainly our default
it shouldn't be too hard for someone manufacturing to change the config
and readd a simple init-script for telnetd if that is really required.
Lack of entropy doesn't seem to be too much of an issue here, in fac
Il 08.09.2015 21:31 Michael Heimpold ha scritto:
I also remember that "long time ago" there were issues because of
not enough entropy available on embedded devices.
Is this still an issue? Should only delay the time when logging in is
possible, right?
The dropbearkey key generation will delay d
Am Dienstag, 8. September 2015, 10:15:52 schrieb Steven Barth:
> Hello everyone,
>
> as of https://dev.openwrt.org/changeset/46809 telnet is no longer part of
> the base images. As a replacement, it is now possible to login to the root-
> account via SSH without a password prompt whenever no root
Nak on setting a default password. The blank password has served its
purpose well for years now. Any preset password is asking for users to
leave it default. The only problem with blank ssh logins is it removes one
of the ways openwrt encouraged the user to set a password.
A banner that warns abou
Il 08.09.2015 20:34 Vittorio G (VittGam) ha scritto:
Maybe it would just be better to set the default root password to 'openwrt'
or 'insecure' or 'change_me!'?
Maybe along with a preauthentication banner that tells the user about the
default password and the fact that it should be changed as so
Il 08.09.2015 10:15 Steven Barth ha scritto:
as of https://dev.openwrt.org/changeset/46809 telnet is no longer part of
the base images. As a replacement, it is now possible to login to the root-
account via SSH without a password prompt whenever no root password is set,
e.g. after a flash without
Hello everyone,
as of https://dev.openwrt.org/changeset/46809 telnet is no longer part of
the base images. As a replacement, it is now possible to login to the root-
account via SSH without a password prompt whenever no root password is set,
e.g. after a flash without keeping config, factory reset
11 matches
Mail list logo
