[Letux-kernel] [Gta04-owner] New LetuxOS Kernels and some tricks and thoughts

Jonas Smedegaard jonas at jones.dk
Tue May 21 20:18:02 CEST 2019


Quoting H. Nikolaus Schaller (2019-05-21 15:48:06)
> > On 21.05.2019 at 15:13, Jonas Smedegaard <jonas at jones.dk> wrote:
> > Quoting H. Nikolaus Schaller (2019-05-21 12:51:43)
> >>> On 21.05.2019 at 12:26, Jonas Smedegaard <jonas at jones.dk> wrote:
> >>> Quoting H. Nikolaus Schaller (2019-05-21 12:02:06)
> >>>>> On 21.05.2019 at 11:00, Jonas Smedegaard <jonas at jones.dk> wrote:
> >>>>> Quoting H. Nikolaus Schaller (2019-05-21 10:22:50)
> >>>>>> BTW, here is another trick: You may (not) know that LetuxOS 
> >>>>>> images created by makesd come rooted. This means you can simply 
> >>>>>> ssh as root into the device without password check. This is 
> >>>>>> quite helpful for developers and debugging.
> >>>>> 
> >>>>> A password-less network-accessible backdoor maybe unknown to the 
> >>>>> system owner sounds dangerous to me: I recommend documenting 
> >>>>> that very clearly (at least) everywhere passwords are currently 
> >>>>> mentioned in documentation.
> >>>> 
> >>>> Yes, please feel free to document it in the Wiki.
[...]
> > You really expect users to understand and document backdoors better 
> > than the developers implementing them?!?
> 
> No. But I am the developer and in this case you are the user - and you 
> have a better understanding where this should be documented.

As quoted above, my understanding is that the best place to document 
backdoor access is EVERY place frontdoor access is documented and 
wherever this-device-is-insecure-by-default warnings are suitable.


> >>> Suggestion: Add a notice in /etc/motd
> >> 
> >> Hm. Do you ever read/see that?
> > 
> > Why on Earth would I suggest it otherwise?
> 
> Ok, accepted. My fault. I assumed that because I am not using it,
> it is rare that others use it.
> 
> On the other hand in LetuxOS it is not enabled. And not displayed 
> anywhere.

You have openssh/dropbear/tinysshd/lsh configured to not present MOTD 
when users log in via ssh?

I don't mean to imply that I always carefully read the MOTD message when 
logging into systems, but recommend it as one of several places for 
users to _possibly_ notice that whoa, this system has unusually low 
security!!!


 - Jonas 

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
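
An added example, not part of the thread and not LetuxOS code: a shell check that an image builder or device owner could run against an unpacked root filesystem to see whether it permits the passwordless root ssh login discussed above, and whether sshd would show `/etc/motd` at login. It assumes OpenSSH and assumes the "rooted" state takes the form of an empty root password field in `/etc/shadow`; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Effective value of an sshd_config keyword (case-insensitive, first match
# wins, Match blocks not interpreted), or DEFAULT if the keyword is unset.
sshd_opt() {  # usage: sshd_opt FILE KEYWORD DEFAULT
    [ -r "$1" ] || { echo "$3"; return; }
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Succeeds if root's password field in the given shadow file is empty.
root_pw_empty() {  # usage: root_pw_empty SHADOW_FILE
    awk -F: '$1 == "root" { empty = ($2 == "") } END { exit !empty }' "$1"
}

# Prints one finding per line for the root filesystem unpacked at ROOTFS_DIR.
audit_rootfs() {  # usage: audit_rootfs ROOTFS_DIR
    cfg="$1/etc/ssh/sshd_config"
    root_login=$(sshd_opt "$cfg" PermitRootLogin prohibit-password)
    empty_ok=$(sshd_opt "$cfg" PermitEmptyPasswords no)
    motd=$(sshd_opt "$cfg" PrintMotd yes)
    if root_pw_empty "$1/etc/shadow" && [ "$root_login" = yes ] && [ "$empty_ok" = yes ]; then
        echo "FAIL: root can log in over ssh with an empty password"
    else
        echo "OK: no passwordless root ssh login found"
    fi
    if [ "$motd" = yes ] && [ -s "$1/etc/motd" ]; then
        echo "INFO: sshd prints /etc/motd at login"
    else
        echo "WARN: no MOTD shown by sshd (PAM may still print one)"
    fi
}

# Constructed sample rootfs (not taken from a real LetuxOS image).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    printf 'root::18037:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'PermitRootLogin yes\nPermitEmptyPasswords yes\nPrintMotd no\n' \
        > "$d/etc/ssh/sshd_config"
    echo "$d"
}

sample=$(make_sample)
audit_rootfs "$sample"
rm -rf "$sample"
```
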