On 02/11/2018 11:54 AM, Yousong Zhou wrote:
On 9 February 2018 at 08:28, Philip Prindeville
<phil...@redfish-solutions.com> wrote:
From: Philip Prindeville <phil...@redfish-solutions.com>
Allowing password logins leaves you vulnerable to dictionary
attacks. We disable password-based authentication, limiting
authentication to keys only which are more secure.
Note: You'll need to pre-populate your image with some initial
keys. To do this:
1. Create the appropriate directory as "mkdir -p files/root/.ssh"
from your top-level directory;
2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into
"files/root/.ssh/authorized_keys" and indeed, you can collect
keys from several sources this way by concatenating them;
3. Set the permissions on "authorized_keys" to 644 or 640.
If forgetting doing this means I may need physical connection like vga
monitor or serial connection to "unlock" the device, very likely I
will hate this security enforcement... It's just the inconvenience
regardless of whether the said situation should happen. As a user I'd
like to keep this level of convenience as using password
authentication and turn it off when I see it appropriate.
yousong
This is the risk I also pointed out myself in the github PR about this.
Either this patch adds logic to check if there is indeed the right files
in /files
and aborts building if not found or you risks locking out yourself.
-Alberto
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
