[gpsd-dev] HOWTO: Security
Eric S. Raymond
esr at thyrsus.com
Tue May 24 22:49:29 UTC 2016
Gary E. Miller <gem at rellim.com>:
> Yo Eric!
>
> On Tue, 24 May 2016 18:03:51 -0400
> "Eric S. Raymond" <esr at thyrsus.com> wrote:
>
> > > Or even disable password logins altogether and use ssh keys only.
> > > But that's not for the HOWTO's target audience, unfortunately.
> >
> > Actually ./clockbuilder --secure does exactly that. Gary's argument
> > is that the --secure step should be done first rather than last. It's
> > somewhat undermined by the fact that under his assumptions even that
> > isn't good enough.
>
> I do not want the best to be the enemy of the better. I'll settle for
> the next small improvement.
There's a simpler way. First step becomes changing the default-user
password using a local display and keyboard, *before* the Ethernet is
plugged in.
That really is airtight, unless you choose a password that's so weak
that it's early in a rainbow table and the cracker gets lucky before
the later point where you disable password tunneling entirely.
I didn't like what you were advocating before because it increased the
number of early by-hand steps a lot without actually plugging the hole,
just narrowing it a little. This I like better.
Interestingly enough, my wife Cathy came up with this one as I was explaining
the problem to her over dinner. Score one for sharp Philadelphia lawyers.
--
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <http://lists.ntpsec.org/pipermail/devel/attachments/20160524/e2347dbc/attachment.bin>
More information about the devel
mailing list