[Letux-kernel] [Gta04-owner] New LetuxOS Kernels and some tricks and thoughts
Jonas Smedegaard
jonas at jones.dk
Tue May 21 20:18:02 CEST 2019
Quoting H. Nikolaus Schaller (2019-05-21 15:48:06)
> > Am 21.05.2019 um 15:13 schrieb Jonas Smedegaard <jonas at jones.dk>:
> > Quoting H. Nikolaus Schaller (2019-05-21 12:51:43)
> >>> Am 21.05.2019 um 12:26 schrieb Jonas Smedegaard <jonas at jones.dk>:
> >>> Quoting H. Nikolaus Schaller (2019-05-21 12:02:06)
> >>>>> Am 21.05.2019 um 11:00 schrieb Jonas Smedegaard
> >>>>> <jonas at jones.dk>: Quoting H. Nikolaus Schaller (2019-05-21
> >>>>> 10:22:50)
> >>>>>> BTW, here is another trick: You may (not) know that LetuxOS
> >>>>>> images created by makesd come rooted. This means you can simply
> >>>>>> ssh as root into the device without password check. This is
> >>>>>> quite helpful for developers and debugging.
> >>>>>
> >>>>> A password-less network-accesible backdoor maybe unknown to the
> >>>>> system owner sounds dangerous to me: I recommend documenting
> >>>>> that very clearly (at least) everywhere passwords are currently
> >>>>> menioned in documentation.
> >>>>
> >>>> Yes, please feel free to document it in the Wiki.
[...]
> > You really expect users to understand and document backdoors better
> > than the developers implementing them?!?
>
> No. But I am the developer and in this case you are the user - and you
> have a better understanding where this should be documented.
As quoted above, my understanding is that best place to document
backdoor access is EVERY place frontdoor access is documented and
whereever this-device-is-insecure-by-default warnings are suitable.
> >>> Suggestion: Add a notice in /etc/motd
> >>
> >> Hm. Do your ever read/see that?
> >
> > Why on Earth would I suggest it otherwise?
>
> Ok, accepted. My fault. I assumed that because I am not using that that
> it is rare that others use it.
>
> On the other hand in LetuxOS it is not enabled. And not displayed
> anywhere.
You have openssh/dropbear/tinysshd/lsh configured to not present MOTD
when users log in via ssh?
I don't mean to imply that I always carefully read the MOTD message when
logging into systems, but recommend it as one of several places for
users to _possibly_ notice that whoa, this system has unusually low
security!!!
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://lists.goldelico.com/pipermail/letux-kernel/attachments/20190521/864038e3/attachment.asc>
More information about the Letux-kernel
mailing list