
Opened 7 years ago

Last modified 4 years ago

#8760 accepted enhancement

disable telnet if an SSH public key for root exists

Reported by: steelman
Owned by: nico
Priority: normal
Milestone: Chaos Calmer 15.05
Component: base system
Version: Backfire 10.03
Keywords: telnet ssh
Cc: stlman@…

Description

The /etc/init.d/telnet startup script disables telnetd if the password for the root account has been set. This patch makes it also check for root's public SSH key and disables telnet if it finds one.

Putting root's public key on squashfs makes a router sealed from the start without making it necessary to keep the firmware image secret.

Attachments (2)

telnet-has_root.diff (615 bytes) - added by steelman 7 years ago.
do not start telnet if there are SSH keys
telnet-has_root.2.diff (755 bytes) - added by steelman <stlman@…> 7 years ago.
check if ssh server is actually enabled


Change History (10)

Changed 7 years ago by steelman

do not start telnet if there are SSH keys

comment:1 Changed 7 years ago by acinonyx

  • Owner changed from developers to acinonyx
  • Status changed from new to accepted

comment:2 Changed 7 years ago by acinonyx

  • Resolution set to fixed
  • Status changed from accepted to closed

Fixed in r25317. Thanks!

comment:3 Changed 7 years ago by steelman <stlman@…>

  • Resolution fixed deleted
  • Status changed from closed to reopened

Just as I received the notice I realised that the tests in the patch are not correct. They should work properly on a not-so-much-modified default setup, but they are about checking if an ssh server is installed rather than checking if it's actually enabled (not to mention if it actually works, ok, don't be so picky). It might happen that it's not enabled in /etc/rc.d/ and then we end up with a router in a locked-in state. The following patch fixes this issue.

Changed 7 years ago by steelman <stlman@…>

check if ssh server is actually enabled

comment:4 Changed 7 years ago by acinonyx

  • Status changed from reopened to accepted

comment:5 Changed 7 years ago by Mark Mentovai <mark@…>

Regarding r25417:

Instead of get_root_home, why not just use ~root? I checked Busybox ash, and there’s no way to disable tilde expansion, so this ought to be safe in any environment.
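The start-up decision the ticket circles around, written out as a self-contained POSIX sh example: telnet stays off when root has a password or a usable SSH public key (the description), a key only counts when the matching SSH server is actually enabled in /etc/rc.d/ so the router cannot come up locked in (comment 3), and root's home is looked up from passwd rather than via ~root (comment 5). This is an added illustration, not the OpenWrt /etc/init.d/telnet script and not either of the attached patches. Every check takes a directory prefix standing in for "/", so the logic can be exercised against a scratch tree; the paths below are assumptions modelled on OpenWrt conventions (passwd/shadow, /etc/dropbear/authorized_keys, ~root/.ssh/authorized_keys, and S??dropbear / S??sshd start links in /etc/rc.d) rather than values taken from the ticket.

```shell
#!/bin/sh
# Added example, not the OpenWrt telnet init script or the ticket's patches.
# Every check takes PREFIX, a directory standing in for "/", so the logic can
# be exercised against a scratch tree; on a router PREFIX would be "".
# Assumed layout (modelled on OpenWrt conventions, not taken from the ticket):
#   PREFIX/etc/passwd, PREFIX/etc/shadow        root's password field
#   PREFIX/etc/dropbear/authorized_keys         Dropbear's key file
#   PREFIX/etc/rc.d/S??dropbear, S??sshd        server enabled at boot
#   <root home>/.ssh/authorized_keys            OpenSSH key file

# Return 0 when the "root" entry of a passwd/shadow-style file carries a hash.
# Empty, "!", "!..." and "*" mean no usable password; "x" means "see shadow".
root_has_pwd() {
    [ -f "$1" ] || return 1
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        ""|x|"!"*|"*") return 1 ;;
        *) return 0 ;;
    esac
}

# Root's home directory from PREFIX/etc/passwd (field 6), defaulting to /root.
# Comment 5's ~root would do the same on the live system, but tilde expansion
# cannot be pointed at a PREFIX tree, which is why the lookup is explicit here.
get_root_home() {
    home=$(awk -F: '$1 == "root" { print $6; exit }' "$1/etc/passwd" 2>/dev/null)
    printf '%s\n' "${home:-/root}"
}

# A service is "enabled" when an S<nn><name> start link exists in rc.d
# (the link may dangle on a scratch tree, so accept -L as well as -e).
service_enabled() {
    for link in "$1"/etc/rc.d/S[0-9][0-9]"$2"; do
        if [ -e "$link" ] || [ -L "$link" ]; then return 0; fi
    done
    return 1
}

# True when FILE contains at least one "ssh-..." public key line.
has_key_line() {
    grep -qs '^ssh-' "$1"
}

# Comment 3's refinement: a key only counts when its server will start at boot,
# otherwise the box would come up with neither telnet nor ssh reachable.
has_ssh_pubkey() {
    { service_enabled "$1" dropbear && has_key_line "$1/etc/dropbear/authorized_keys"; } ||
    { service_enabled "$1" sshd && has_key_line "$1$(get_root_home "$1")/.ssh/authorized_keys"; }
}

# The decision start() makes: 0 = launch telnetd, 1 = leave it disabled.
telnet_should_start() {
    if root_has_pwd "$1/etc/passwd" || root_has_pwd "$1/etc/shadow"; then
        return 1
    fi
    if has_ssh_pubkey "$1"; then
        return 1
    fi
    return 0
}
```

In an init script the prefix argument would simply be empty and `start()` would run `telnetd` only when `telnet_should_start ""` succeeds. The rc.d check is the part that matters for the lock-in case from comment 3: an authorized_keys file that no enabled server will ever read must not be allowed to switch telnet off.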

comment:6 Changed 6 years ago by nico

  • Owner changed from acinonyx to nico

Backport candidate

comment:7 Changed 4 years ago by sinyawskiy@…

Syntax: /etc/init.d/telnet [command]

Available commands:

start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable service autostart
disable Disable service autostart

comment:8 Changed 4 years ago by jow

  • Milestone changed from Backfire 10.03.2 to Chaos Calmer (trunk)

Milestone Backfire 10.03.2 deleted
