The default install shouldn't allow root access to SSHd. Should force password changes to default logins and have a list of allowed SSH users. Purchasers of PI computers aren't necessarily Linux gurus.
Gary Baribault On 08/04/2012 10:12 AM, larry Cashdollar wrote: > My argument is they should prompt the user to change the password, not > provide an insecure image > With the expectations that users will secure it themselves. It maybe > obvious to us, but with a good deal > Of the audience being inexperienced users it should be part of the > install. > > > Larry C$ > > On Aug 4, 2012, at 8:55 AM, rancor <[email protected] > <mailto:[email protected]>> wrote: > >> No shit Sherlock! >> >> On Aug 4, 2012 3:38 AM, "larry Cashdollar" <[email protected] >> <mailto:[email protected]>> wrote: >> >> Vapid Labs >> Larry W. Cashdollar >> 8/2/2012 >> >> >> Since a some RaspberryPi users maybe unaware of the security >> implications of sshd I thought I should just make a note of some issues. >> >> RaspberryPi image Occidentalis v0.1 >> >> >From the site: >> >> "Adafruit <3 Raspberry Pi - especially how easy it is to hack circuits >> using the electronics breakout pins! But sadly, the latest official >> distro "July 15 Raspbian Wheezy" did not have many of the delicious >> hackables built in. That's why we decided to roll our own >> >> distribution. >> >> Our distro is based on "Wheezy" but comes with hardware SPI, I2C, one >> wire, and WiFi support for our wifi adapters. It also has >> some things to make overall hacking easier such sshd on startup (with >> key generation on first boot) and Bonjour (so you can simply >> >> ssh raspberrypi.local from any computer on the local network)" >> >> Enables ssh by default but doesn't prompt user to change root & pi >> account passwords. >> >> >> http://learn.adafruit.com/adafruit-raspberry-pi-educational-linux-distro/occidentalis-v0-dot-1 >> >> Arch Linux ARM >> >> "Arch Linux ARM is based on Arch Linux, which aims for simplicity and >> full control to the end user. Note that this distribution may not >> be suitable for beginners." >> >> Default login of root/root with sshd enabled, doesn't prompt to change >> password. >> >> >> http://downloads.raspberrypi.org/images/archlinuxarm/archlinuxarm-13-06-2012/archlinuxarm-13-06-2012.zip >> >> If your going to enabled sshd by default please prompt the user to >> change the default password upon first boot. If your going to connect >> these PIs to a network be sure to use secure passwords. >> >> >> http://vapid.dhs.org/advisories/raspberrypi_image_security.txt >> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
