Comments (10)
For my understanding the firmware should run without setting any root password. So disable any ssh access by default and only activate it when the user is setting a password in configmode.
Furthermore it would be nice to allow setting an ssh key instead of using a password.
from gluon.
Is it enough to disable telnet and uhttpd by default, or should there be firewall rules that ensure they aren't reachable from the mesh when they are enabled by the node operator?
Considering there is no way to safely login to uhttpd through the mesh (as we don't provide HTTPS support) it should probably be blocked anyways, so going with the firewall rules might be the best solution.
from gluon.
I think it's enough to disable telnet. SSH won't allow logins when no password is set.
I'll tweak expertmode (part of configmode requiring login) to not allow logins at all when no password is set so that it can only be reached from configmode. If the owner decides to enable uhttpd during normal operation and set a password that's fine with me as it's their own responsibility.
from gluon.
I strongly oppose allowing access to the config mode/Luci during normal operation even when a password is set as it is inherently insecure (especially so in our bridged network setup).
from gluon.
After some testing, I think it would be best to lock the root account to ensure no login is possible without explicitly setting a password. This also gets rid of the annoying "There is no password set on this router. Please configure a root password to protect the web interface and enable SSH." message in the config mode.
If no one is opposed to this solution, I'll take care of it.
from gluon.
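The locking proposed above, as an added example that is not gluon's own code: the script classifies the root entry of a shadow-format file (locked, empty, set, missing) and turns an empty password field into a locked one, which is what `passwd -l root` does on busybox. It works on a constructed sample file, not the live /etc/shadow, and the awk/printf helpers are the example's own.

```shell
#!/bin/sh
# Added example: inspect and lock the root entry of a shadow-format file.

# Print one of: locked | empty | set | missing, for the root entry in file $1.
root_login_state() {
    field=$(awk -F: '$1 == "root" { print $2; found = 1; exit }
                     END { if (!found) print "__missing__" }' "$1")
    case "$field" in
        __missing__) echo missing ;;
        "")          echo empty ;;   # empty field: telnet/login let anyone in without a password
        '!'*|'*'*)   echo locked ;;  # '!' or '*' prefix: no password can match, account is locked
        *)           echo set ;;     # a real hash: login needs the configured password
    esac
}

# Replace an empty root password field with "!" in file $1 (same result as
# busybox `passwd -l root` on a passwordless account). A real hash is left alone.
lock_root_if_empty() {
    [ "$(root_login_state "$1")" = empty ] || return 0
    tmp="$1.tmp"
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" && $2 == "" { $2 = "!" } { print }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Write a constructed sample shadow file to $1 with $2 as root's password field.
write_sample_shadow() {
    printf 'root:%s:19000:0:99999:7:::\nnobody:*:19000:0:99999:7:::\n' "$2" > "$1"
}

# Demo: a node that was never given a password ends up locked, not open.
demo=$(mktemp)
write_sample_shadow "$demo" ""
echo "before: root is $(root_login_state "$demo")"
lock_root_if_empty "$demo"
echo "after:  root is $(root_login_state "$demo")"
rm -f "$demo"
```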
Will it still be possible to access the node via telnet (without password) when in configmode?
from gluon.
Yes, with a little change to the telnet command that's no problem.
from gluon.
Hmm, I'm currently pondering about where to put the account locking.
Places where it makes sense:
- gluon-core: ensures that the root account is always locked unless a password is set
- gluon-config-mode: allows accessing the node and setting a password in a secure way
The question is: what is the correct behaviour when we build gluon without the config mode?
- If we lock the account in gluon-core, we have no means to access the mode at all (besides failsafe mode), unless another (not yet existing package) allows setting a password
- If we lock the account in gluon-config-mode, we have an unlocked root user, which is potentially a security issue (we might add firewall rules though, but what are the right rules here?)
I'm slightly in favour of option 1., with a "don't do that then" solution to the gluon-without-config-mode issue
from gluon.
I'd prefer a behaviour that does not depend on the gluon-config-mode. So that's 1. However, there are valid use cases where one might deploy an image without gluon-config-mode (say a larger installation or even a Nook-firmware) but where SSH access is still desirable. Going through failsafe mode would be a hassle.
So, what about adding a gluon-lock-password package? In future versions we could extend it to deploy SSH keys or set a fixed root password.
from gluon.
I like that solution.
from gluon.