devel-su and SSHD (developer mode remote connection) on Sailfish
I don't like leaving SSHD running on my phone, because it leaves the phone vulnerable to brute-force password attacks against SSH when on mobile networks and public wifi. I'd never leave a server like that, so I'm definitely not going to do that on my phone.
I've been frustrated a few times to find that nemo's PW is reset when the GUI option to enable or disable remote access is toggled. Even if you don't enter anything in the new PW box or click "generate", enabling or disabling SSHD will wipe the existing PW. Grr! I did some experimenting... this is with SSHD enabled:
Code:
[root@Jolla nemo]# cat /etc/passwd | egrep '\<(root|nemo)\>'
Code:
[root@Jolla nemo]# cat /etc/passwd | egrep '\<(root|nemo)\>'
The whole thing is quite irritating really, because you can't easily control the two settings independently of each other in the GUI, AND the device is very insecure - it would literally take someone 30s to get root access. I've been trying to think of a decent way to separate the two, but I don't think there's an obvious perfect solution. Here are my thoughts on workarounds with the current setup:
You can set a password for nemo using the utility passwd, which will enable you to use devel-su in fingerterm without SSHD, but enabling SSHD in the GUI will still clobber your PW.
I guess you can also manually change SSHD to allow publickey authentication only, but I'm not sure if the GUI setting will clobber this too. This also doesn't solve the problem that someone can pick up your device and root it in 30s.
If I could go back in time and whisper in the Jolla devs' ears as they were designing the system, here's how I'd suggest setting it up:
Two questions for the rest of you:
Hopefully I'm not the only one irritated by this ;)
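Added example, not part of the original post: a shell check of whether an sshd_config still permits password logins, which is the setting the publickey-only workaround mentioned above has to change. The sample configurations are constructed; on a device the function would be pointed at the real file (assumed here to be /etc/ssh/sshd_config).

```shell
#!/bin/sh
# Added example, not from the thread: does an sshd_config still allow
# password logins? All config contents below are constructed samples.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Only the global section (before any Match) is read.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                 # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }       # accept "Keyword=value"
        tolower($1) == "match" { exit }     # conditional section starts
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# OpenSSH allows password logins unless PasswordAuthentication is "no".
password_login_enabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" != "no" ]
}

# Constructed: the later "no" is ignored because "yes" was read first.
sample_shadowed() {
    printf '%s\n' 'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
        'passwordauthentication no'
}

# Constructed: key-only login, set globally.
sample_keyonly() {
    printf '%s\n' '# key-only' 'PubkeyAuthentication yes' \
        'PasswordAuthentication=no'
}

# Constructed: "no" appears only inside a Match block, so the global
# default (yes) still applies to everyone else.
sample_matchonly() {
    printf '%s\n' 'PubkeyAuthentication yes' 'Match User root' \
        '    PasswordAuthentication no'
}

tmp=$(mktemp) || exit 1
for s in sample_shadowed sample_keyonly sample_matchonly; do
    "$s" > "$tmp"
    if password_login_enabled "$tmp"; then state=ENABLED; else state=disabled; fi
    echo "$s: password login $state"
done
rm -f "$tmp"
```

A Match block can still override the global value for the connections it matches; `sshd -T`, run as root, prints the configuration sshd actually resolved.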
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
Quote:
Point I: Yeah, this SSHD/password GUI config is kind of surrealist.
II: If I wanted to enable/disable SSHD, probably I would try systemctl start/stop sshd.
III: My 3G provider, Yoigo (Telia Sonera), gives IPs behind a CGNAT. So the SSH daemon is not accessible to the whole world. Of course, there are these WhatsApp teenagers behind the same CGNAT as me, but I don't expect them to know what SSH means.
IV: The same thing with public wifis at restaurants, transport and the like.
V: Get root access in 30 seconds? Could you post a link to this bug?
VI: I don't know why, but I'm unable to set RSA key authentication on my Jolla. I've got three of four Debian machines, my Raspbian RPi and an OpenWRT router, all of them sharing their respective RSA keys: they work flawlessly. But when it's time to log into my Jolla this way, "Permission denied (publickey)".
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
This all works differently compared to the Maemo system.
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
Quote:
Quote:
You shouldn't be able to set the password required for root access like that, it's stupid. On a normal system, if you log in as a user in the sudo group, you need to know either that user's password or the root password to run commands as root (depending on how sudo is configured). If you want to change your own password, you need to know the current password.
Quote:
Code:
sam@T440s:~$ ssh-copy-id nemo@192.168.1.227
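A check for one common cause of the "Permission denied (publickey)" result reported in this thread, as an added example that is not part of any post: with StrictModes (the OpenSSH default), sshd ignores authorized_keys when the home directory, ~/.ssh or the key file is writable by group or others, or is owned by someone other than the user or root. The thread does not establish that this was the cause here; the temporary directory is a constructed stand-in for nemo's home.

```shell
#!/bin/sh
# Added example, not from the thread: check the paths sshd's StrictModes
# (on by default) inspects before it will trust authorized_keys.

# loose_mode PATH: true if group or others may write to PATH.
loose_mode() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# owner_uid PATH: numeric uid of the owner.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# key_path_problems HOME UID: list every path sshd would reject for that
# user; returns 0 when the key file would be accepted on these checks.
key_path_problems() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if loose_mode "$p"; then
            echo "writable by group/others: $p"; rc=1
        fi
        owner=$(owner_uid "$p")
        if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
            echo "owned by uid $owner, expected $2 or 0: $p"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree standing in for /home/nemo on the phone.
demo_home=$(mktemp -d) || exit 1
mkdir "$demo_home/.ssh" && : > "$demo_home/.ssh/authorized_keys"
chmod 755 "$demo_home"; chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
key_path_problems "$demo_home" "$(id -u)" && echo "ok: modes acceptable"
chmod 775 "$demo_home/.ssh"          # typical mistake after a manual mkdir
key_path_problems "$demo_home" "$(id -u)" || echo "sshd would skip this key"
rm -rf "$demo_home"
```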
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
I do remember that MeeGo/Harmattan used to have the same settings for ssh and developer mode. It's nice to see the password being reset all the time while using a device lock code and one access IP.
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
Quote:
Why worry about the root access anyway? All the important stuff is in the user land: your files, your contacts, your login creds to various services... About the only things that knowing the root password gives you are access to other users' data and the possibility to install stuff, both irrelevant on Jolla.
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
Quote:
Quote:
Quote:
I don't understand why people are trying to pass this off as unimportant. I'm not just hating on SFOS, what I'm saying is that Jolla seem to have hacked this part of the system together and have overlooked the fact that it leaves a hole in the system's security unnecessarily.
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
Hi.
My n9 has the following firewall rule for ssh connections:
Code:
-A INPUT -i gprs0 -p tcp -m tcp --dport 22 -j DROP
I don't have a Jolla (yet), but if it has a firewall this solution is fairly simple in my opinion.
Regards.
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
Quote:
Code:
#!/bin/sh
[1] https://github.com/micheloosterhof/cowrie
http://turbochaos.blogspot.nl/2013/0...ing-kippo.html
Re: devel-su and SSHD (developer mode remote connection) on Sailfish
Quote: