[gpsd-dev] HOWTO: Security

Gary E. Miller gem at rellim.com
Tue May 24 22:13:31 UTC 2016


Yo Eric!

On Tue, 24 May 2016 18:03:51 -0400
"Eric S. Raymond" <esr at thyrsus.com> wrote:

> > Or even disable password logins altogether and use ssh keys only.
> > But that's not for the HOWTO's target audience, unfortunately.  
> 
> Actually ./clockbuilder --secure does exactly that.  Gary's argument
> is that the --secure step should be done first rather than last.  It's
> somewhat undermined by the fact that under his assumptions even that
> isn't good enough.

I do not want the best to be the enemy of the better.  I'll settle for
the next small improvement.

I admit to having a sore spot on getting a good password in first.  I have
seen many times a box hacked by a default password before people get to
the end of an install procedure to change it.  In one case I watched
the same team, doing the same install, over and over again, and getting
hacked each time.  They spent a full day on a 30 min procedure and
never completed.

My own host logs, for today, show some hours of 3 or more attempts on
user pi.  So, if the entire install procedure takes 30 mins, there is
a pretty good chance that pi gets hacked before the password change at the
end.

Fool me once, shame on you, fool me twice, shame on me.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588
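As an added illustration of the log pattern Gary describes above (example code, not from this thread or from the gpsd/ntpsec projects), the following counts failed sshd logins per hour for a given user over a constructed auth.log sample and reports any source that eventually logged in after failing; the sample lines, addresses and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in auth.log format (not from any real host);
# timestamps and source addresses are made up for this example.
SAMPLE_LOG = """\
May 24 13:02:11 pi sshd[1201]: Failed password for pi from 203.0.113.7 port 51022 ssh2
May 24 13:09:45 pi sshd[1214]: Failed password for pi from 203.0.113.7 port 51031 ssh2
May 24 13:21:03 pi sshd[1230]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
May 24 13:37:58 pi sshd[1255]: Failed password for pi from 198.51.100.9 port 40020 ssh2
May 24 14:05:12 pi sshd[1290]: Failed password for pi from 203.0.113.7 port 51100 ssh2
May 24 14:44:30 pi sshd[1312]: Accepted password for pi from 203.0.113.7 port 51140 ssh2
"""

# 'Failed password for [invalid user ]USER from SRC'; stamp keeps 'Mon DD HH:MM'.
FAILED_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}):\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def failed_attempts_per_hour(log_text, user):
    """Count 'Failed password' lines for `user`, bucketed by 'Mon DD HH'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m and m.group("user") == user:
            counts[m.group("stamp")[:-3]] += 1  # strip ':MM' to get the hour bucket
    return dict(counts)


def busy_hours(log_text, user, threshold=3):
    """Hour buckets in which `user` saw at least `threshold` failed logins."""
    per_hour = failed_attempts_per_hour(log_text, user)
    return sorted(h for h, n in per_hour.items() if n >= threshold)


def accepted_after_failures(log_text, user):
    """Sources that logged in as `user` after earlier failures from the same
    address: the trace a default password lost to a guessing run would leave."""
    failed_from, hits = set(), []
    for line in log_text.splitlines():
        f = FAILED_RE.match(line)
        if f and f.group("user") == user:
            failed_from.add(f.group("src"))
            continue
        a = ACCEPT_RE.search(line)
        if a and a.group("user") == user and a.group("src") in failed_from:
            hits.append(a.group("src"))
    return hits
```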