Ticket #1853 (closed enhancement: fixed)
Enhancement: improve dropbear security by listening only on usb0 by default
| Reported by: | RuiSeabra | Owned by: | julian_chu |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Distro | Version: | |
| Severity: | blocker | Keywords: | dropbear security haspatch HasPatch |
| Cc: | julian_chu@… | Blocked By: | |
| Blocking: | | Estimated Completion (week): | |
| HasPatchForReview: | | PatchReviewResult: | |
| Reproducible: | always | | |
Description
Letting ssh listen on 0.0.0.0:22 may be hazardous if you connect to wifi links, and seldom will you need to access dropbear from wifi unless you know what you're doing.
If you know what you're doing, you can easily change dropbear to go back to an insecure default.
A clever usage of awk in the init script will dynamically fetch usb0's address thus reducing the risk of the default.
Attachments
Change History
Changed 5 years ago by RuiSeabra
- Attachment secure_listen.patch added
comment:1 Changed 5 years ago by RuiSeabra
I'm sorry if I'm not clear enough, that's a patch for /etc/init.d/dropbear
comment:2 Changed 5 years ago by RuiSeabra
This will probably also save a tiny amount of battery by reducing the interfaces it has to poll.
comment:3 Changed 5 years ago by zecke
- Cc julian_chu@… added
- Keywords HasPatch added
Julian please take a look and maybe even move these config values to /etc/default/dropbear and mark that file as conffile.
comment:4 Changed 5 years ago by zecke
- Owner changed from openmoko-kernel to julian_chu
- Component changed from System Software to Distro
comment:5 Changed 5 years ago by john_lee
- Status changed from new to in_testing
make it conffile /etc/default/dropbear for openmoko distro
committed as 5eb58fb8930b17f4327d64c220c5b23e4912a4a7

patch to reduce dropbear default ssh listening address
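
The approach outlined in the description, as an added example; it is not the attached secure_listen.patch or the committed change. It assumes net-tools/busybox style `ifconfig` output and dropbear's `-p [address:]port` option; the function names, `LISTEN_IFACE`, `LISTEN_PORT` and the sample interface output are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive dropbear's listen address from a single interface.
# LISTEN_IFACE / LISTEN_PORT and all function names are hypothetical.

# Constructed sample of `ifconfig usb0` output (net-tools/busybox format).
SAMPLE_IFCONFIG='usb0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.202  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Print the first IPv4 address found in ifconfig-style text on stdin.
parse_inet_addr() {
    awk '/inet addr:/ { sub(/^addr:/, "", $2); print $2; exit }'
}

# Accept only a dotted quad, so parser garbage never reaches the command line.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the dropbear listen option from ifconfig-style text on stdin.
# Returns non-zero and prints nothing when the interface has no address,
# so the caller cannot silently fall back to listening on 0.0.0.0.
listen_args() {
    port="${1:-22}"
    addr="$(parse_inet_addr)"
    is_ipv4 "$addr" || return 1
    echo "-p ${addr}:${port}"
}

# In an init script the input would be live interface state, for example:
#   args="$(ifconfig "$LISTEN_IFACE" 2>/dev/null | listen_args "$LISTEN_PORT")" \
#       && dropbear $args

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_IFCONFIG" | listen_args 22
```

With this shape the daemon does not start if the interface has no address when the init script runs, which is the fail-closed behaviour; confirm the result on the device with `netstat -ltn`, where port 22 should show the interface address rather than 0.0.0.0.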