Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: some distros for Raspberry Pi have sshd enabled and default logins.

From: rancor <therancor () gmail com>
Date: Sat, 4 Aug 2012 16:54:34 +0200
It's just proof of concepts and maybe Raspbian should secure it more as
it's the official distribution. All other is just toys.

I agree in general, but in this case I feel more relaxed about it
On Aug 4, 2012 4:20 PM, "Gary Baribault" <gary () baribault net> wrote:


 The default install shouldn't allow root access to SSHd. Should force
password changes to default logins and have a list of allowed SSH users.
Purchasers of PI computers aren't necessarily Linux gurus.

Gary Baribault

On 08/04/2012 10:12 AM, larry Cashdollar wrote:

My argument is they should prompt the user to change the password, not
provide an insecure image
With the expectations that users will secure it themselves. It maybe
obvious to us, but with a good deal
Of the audience being inexperienced users it should be part of the install.


Larry C$

On Aug 4, 2012, at 8:55 AM, rancor <therancor () gmail com> wrote:

  No shit Sherlock!
On Aug 4, 2012 3:38 AM, "larry Cashdollar" <larry0 () me com> wrote:


 Vapid Labs
Larry W. Cashdollar
8/2/2012


Since a some RaspberryPi users maybe unaware of the security implications of sshd I thought I should just make a 
note of some issues.

RaspberryPi image Occidentalis v0.1


From the site:


"Adafruit <3 Raspberry Pi - especially how easy it is to hack circuits using the electronics breakout pins! But 
sadly, the latest official
distro "July 15 Raspbian Wheezy" did not have many of the delicious hackables built in. That's why we decided to 
roll our own

distribution.

Our distro is based on "Wheezy" but comes with hardware SPI, I2C, one wire, and WiFi support for our wifi adapters. 
It also has
some things to make overall hacking easier such sshd on startup (with key generation on first boot) and  Bonjour (so 
you can simply

ssh raspberrypi.local from any computer on the local network)"

Enables ssh by default but doesn't prompt user to change root & pi account passwords.
http://learn.adafruit.com/adafruit-raspberry-pi-educational-linux-distro/occidentalis-v0-dot-1

Arch Linux ARM

"Arch Linux ARM is based on Arch Linux, which aims for simplicity and full control to the end user. Note that this 
distribution may not
be suitable for beginners."

Default login of root/root with sshd enabled, doesn't prompt to change password.
http://downloads.raspberrypi.org/images/archlinuxarm/archlinuxarm-13-06-2012/archlinuxarm-13-06-2012.zip

If your going to enabled sshd by default please prompt the user to change the default password upon first boot. If 
your going to connect
these PIs to a network be sure to use secure passwords.

http://vapid.dhs.org/advisories/raspberrypi_image_security.txt


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: