**** BEGIN LOGGING AT Fri Sep 05 02:59:59 2014
Sep 05 03:36:00 build #582 of iop32x is complete: Failure [failed shell_10] Build details are at http://buildbot.openwrt.org:8010/builders/iop32x/builds/582
Sep 05 04:23:45 build #629 of kirkwood is complete: Failure [failed compile_5] Build details are at http://buildbot.openwrt.org:8010/builders/kirkwood/builds/629
Sep 05 04:39:30 build #77 of brcm47xx.mips74k is complete: Failure [failed compile_5] Build details are at http://buildbot.openwrt.org:8010/builders/brcm47xx.mips74k/builds/77
Sep 05 04:45:27 build #749 of at91 is complete: Failure [failed compile_5] Build details are at http://buildbot.openwrt.org:8010/builders/at91/builds/749
Sep 05 05:53:30 build #264 of mvebu is complete: Failure [failed compile_5] Build details are at http://buildbot.openwrt.org:8010/builders/mvebu/builds/264
Sep 05 09:18:19 build #530 of octeon is complete: Failure [failed compile_4] Build details are at http://buildbot.openwrt.org:8010/builders/octeon/builds/530
Sep 05 09:53:05 hi, i am experimenting with kexec loading a new kernel, after the machine rebooted with the new kernel, how can i know that it is using rootfs image from mtd or usb storage?
Sep 05 10:43:26 yousong, the mount command ought to tell you
Sep 05 14:44:46 Hello, I need some advice
Sep 05 14:46:56 I am preparing an OpenWRT image based on AA version (whatever - this is not relevant). I need to make a "reproducible" image, with everything configured from scratch, i.e. no "first boot" config.
Sep 05 14:48:14 to do that, I prepared my own package "firstbootconfig" to run some stuff at boot, and establish the initial config: For example, no "WAN" per se (the system is intended to be a home automation device),
Sep 05 14:48:24 enable NTP, set LAN to DHCP, ...
Sep 05 14:49:17 My question is: I want to avoid the first boot requirement to set the root password, directly enabling ssh & disabling telnet
Sep 05 14:49:34 Is there a "best practice" regarding that?
Sep 05 14:49:58 maybe a config item?
Sep 05 14:50:33 or I just modify stuff within OpenWRT, which seems a bit piggy, for me
Sep 05 14:51:53 (I created my own "package" repo to be added into feeds.conf.defaults to keep my own programs from the main OpenWRT tree, in an effort to minimize the work when porting to BB)
Sep 05 14:51:56 thanks
Sep 05 14:53:25 what password were you thinking of then?
Sep 05 14:54:06 it's either hardcoded, which is useless, or you have to make it related to your manufacturing and stickering, which can be complex, or you just leave it blank and say, "you own the device, do something sane with it"
Sep 05 14:54:33 karlp: yes password will be hardcoded
Sep 05 14:55:05 like ... "admin" :-)
Sep 05 14:55:42 the best would me "*", and add a ssh key
Sep 05 14:55:50 s/me/be/
Sep 05 14:56:37 (on this device, console is disabled because the hardware radio system is using the serial port to communicate)
Sep 05 14:57:41 you do know that "factory default" passwords end up on lists, and don't get changed, so you're likely making security _worse_ not better right?
Sep 05 14:59:28 right
Sep 05 14:59:48 that's why I would prefer a ssh key and no password
Sep 05 15:14:45 you think that's different?
Sep 05 17:41:44 build #678 of ppc44x is complete: Failure [failed shell_10] Build details are at http://buildbot.openwrt.org:8010/builders/ppc44x/builds/678
Sep 05 18:32:01 build #726 of atheros is complete: Exception [exception compile_3 shell_15 compile_9] Build details are at http://buildbot.openwrt.org:8010/builders/atheros/builds/726
Sep 05 18:32:01 build #178 of x86_64 is complete: Exception [exception compile_3 shell_15 compile_9] Build details are at http://buildbot.openwrt.org:8010/builders/x86_64/builds/178
Sep 05 18:57:04 build #284 of imx6 is complete: Failure [failed compile_4] Build details are at http://buildbot.openwrt.org:8010/builders/imx6/builds/284
Sep 05 19:58:00 karlp: yes, I do think it's different.
Sep 05 19:58:43 (when I said "no password", I meant that neither SSH nor serial would allow any password login)
Sep 05 19:59:02 anyway, getty is suppressed on this platform
Sep 05 20:45:59 what makes you think a fixed sshkey is any more secure than a fixed ssh interactive password?
Sep 05 21:36:45 obinou: you can put your files in a $TOPDIR/files/ tree to overlay the default files in the baked image, or you can use a uci-defaults script to make the changes at firstboot, iirc
Sep 05 21:38:13 eg $TOPDIR/files/etc/dropbear/authorized_keys
Sep 05 21:40:04 likewise, either create your own $TOPDIR/files/etc/config/wireless or a script in $TOPDIR/files/etc/uci-defaults/ that does a uci set wireless.radio0.disabled=0 or whatever
Sep 05 21:49:40 russell--: Thanks a lot
Sep 05 21:50:11 karlp: I know the use case, which is not your typical router distributed in the wild.
Sep 05 21:51:33 karlp: Other than that, unless you're taking into account various OpenSSH/OpenSSL breaches, brute-forcing a key is considered infeasible
Sep 05 21:52:10 karlp: So the only vulnerability is the loss of control of the secret key
Sep 05 21:52:52 by a targeted attack or by lack of security measures
Sep 05 21:54:15 Note that the device is _not_ locked: The bootloader is still accessible (though by the serial port), so if I was to attack the device, I would simply take it, boot on TFTP, and then all bets are off.
Sep 05 21:57:05 I willingly admit that I don't know how to secure a device of this kind more than that. FYI I worked on the gateway of a French ISP (Neuf, who became SFR), and while the firmware can be torn as we see fit, the default password set by the manufacturer (and used by customer support) is nearly 9 years old & still unknown
Sep 05 21:57:49 What we do is simply adding another account (whose name is "toor") on id=0 with our own password
Sep 05 22:02:33 nico r42421 trunk/target/linux/ (6 files in 2 dirs) * uml: bump to 3.14.16
Sep 06 00:23:47 build #647 of sibyte is complete: Failure [failed shell_10] Build details are at http://buildbot.openwrt.org:8010/builders/sibyte/builds/647
Sep 06 01:08:13 build #659 of avr32 is complete: Failure [failed compile_5] Build details are at http://buildbot.openwrt.org:8010/builders/avr32/builds/659
**** ENDING LOGGING AT Sat Sep 06 02:59:59 2014