gpsd-dev

Re: [gpsd-dev] HOWTO: Security


From: Gary E. Miller
Subject: Re: [gpsd-dev] HOWTO: Security
Date: Tue, 24 May 2016 15:13:31 -0700

Yo Eric!

On Tue, 24 May 2016 18:03:51 -0400
"Eric S. Raymond" <address@hidden> wrote:

> > Or even disable password logins altogether and use ssh keys only.
> > But that's not for the HOWTO's target audience, unfortunately.  
> 
> Actually ./clockbuilder --secure does exactly that.  Gary's argument
> is that the --secure step should be done first rather than last.  It's
> somewhat undermined by the fact that under his assumptions even that
> isn't good enough.

I do not want the best to be the enemy of the better.  I'll settle for
the next small improvement.

I admit to having a sore spot on getting a good password in first.  I have
seen many times a box hacked by a default password before people get to
the end of an install procedure to change it.  In one case I watched
the same team, doing the same install, over and over again, and getting
hacked each time.  They spent a full day on a 30 min procedure and
never completed.

My own host logs, for today, show some hours of 3 or more attempts on
user pi.   So, if the entire install procedure takes 30 mins, there is
a pretty good chance that pi gets hacked before the password change at the
end.

Fool me once, shame on you, fool me twice, shame on me.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        address@hidden  Tel:+1 541 382 8588

Attachment: pgprmm5SCropJ.pgp
Description: OpenPGP digital signature
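
The check described in the message above (hours with 3 or more attempts on user pi), as an added example that is not part of the original message or of the gpsd project. It assumes the common syslog/OpenSSH line layout; the sample lines, the host name "clock" and the addresses are constructed, and it also flags a password login accepted from a source that failed earlier.

```python
import re
from collections import Counter

# Constructed sample lines in the common syslog/OpenSSH layout. The host name
# "clock" and the addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
May 24 09:12:41 clock sshd[2211]: Failed password for pi from 192.0.2.10 port 51234 ssh2
May 24 09:12:44 clock sshd[2211]: Failed password for pi from 192.0.2.10 port 51234 ssh2
May 24 09:40:03 clock sshd[2290]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
May 24 09:51:19 clock sshd[2304]: Failed password for pi from 203.0.113.5 port 38810 ssh2
May 24 10:05:10 clock sshd[2377]: Failed password for pi from 198.51.100.7 port 40100 ssh2
May 24 10:20:00 clock sshd[2391]: Accepted password for pi from 192.0.2.10 port 51302 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def scan(log_text, user="pi"):
    """Return (failed attempts per hour, password logins from sources that failed earlier)."""
    failed = Counter()
    failed_sources = set()
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != user:
            continue  # not an sshd password event, or a different account
        hour = f"{m['mon']} {int(m['day']):02d} {m['hour']}"
        if m["result"] == "Failed":
            failed[hour] += 1
            failed_sources.add(m["src"])
        elif m["src"] in failed_sources:
            # Accepted password login from an address that was guessing before
            suspicious.append((hour, m["src"]))
    return failed, suspicious

def busy_hours(failed, threshold=3):
    """Hours with at least `threshold` failed attempts (3 is the figure from the message)."""
    return sorted(h for h, n in failed.items() if n >= threshold)

if __name__ == "__main__":
    failed, suspicious = scan(SAMPLE_LOG)
    for hour in busy_hours(failed):
        print(f"{hour}:00  {failed[hour]} failed password attempts on pi")
    for hour, src in suspicious:
        print(f"{hour}:00  password login for pi accepted from {src} after earlier failures")
```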

