Re: [gpsd-dev] HOWTO: Security


From: Eric S. Raymond
Subject: Re: [gpsd-dev] HOWTO: Security
Date: Tue, 24 May 2016 18:49:29 -0400
User-agent: Mutt/1.5.23 (2014-03-12)

Gary E. Miller <address@hidden>:
> Yo Eric!
> 
> On Tue, 24 May 2016 18:03:51 -0400
> "Eric S. Raymond" <address@hidden> wrote:
> 
> > > Or even disable password logins altogether and use ssh keys only.
> > > But that's not for the HOWTO's target audience, unfortunately.  
> > 
> > Actually ./clockbuilder --secure does exactly that.  Gary's argument
> > is that the --secure step should be done first rather than last.  It's
> > somewhat undermined by the fact that under his assumptions even that
> > isn't good enough.
> 
> I do not want the best to be the enemy of the better.  I'll settle for
> the next small improvement.

There's a simpler way.  First step becomes changing the default-user
password using a local display and keyboard, *before* the Ethernet is
plugged in.

That really is airtight, unless you choose a password that's so weak
that it's early in a rainbow table and the cracker gets lucky before
the later point where you disable password tunneling entirely.

I didn't like what you were advocating before because it increased the
number of early by-hand steps a lot without actually plugging the hole,
just narrowing it a little.  This I like better.

Interestingly enough, my wife Cathy came up with this one as I was explaining
the problem to her over dinner.  Score one for sharp Philadelphia lawyers.
-- 
                Eric S. Raymond <http://www.catb.org/~esr/>
