Network Security

This Forum is for discussions about site-wide development that doesn't warrant or fit into any of the other ongoing projects.
PatrickW
Posts: 146
Joined: 25/11/2019, 13:34

Re: Network Security

Post by PatrickW »

I am not overly concerned about the autologin as a security weakness on the river system and similar equipment, for the reasons already mentioned. It's also worth bearing in mind that, even if we ran the software as a daemon or similar, physical access would still allow someone to gain root access, because the SD cards are unencrypted and accessible and the Pis do not (AFAIK) use a verified boot process. They could even bypass WMT's Pi entirely and connect directly to the peripheral hardware.

In practice, I think if you're motivated enough to bring a keyboard and poke around in someone else's logged-in terminal, you are probably not far off being motivated enough to bring a custom SD card with a modified version of our installation, or an entire substitute Pi, or something like that. Maybe there's a small theoretical benefit to disabling the autologin, but I don't think the stakes are high enough to worry about it.
TerryJC wrote: 04/01/2022, 13:32 tand your point about passwordless sudo, but I have to say it's a pain on the VPN Server and Webserver to have to retype the password every time I want to change the network config or update the code.
I think the usual solution to that is a password manager. :)

Alternatively, it may be worth adjusting the timestamp_timeout in sudoers(5) to allow longer between re-inputting sudo passwords.
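The timestamp_timeout adjustment mentioned above, as an added example that is not part of the original post: a POSIX shell helper that renders a per-user sudoers drop-in and syntax-checks it with visudo before installing it. The account name `terry`, the drop-in file name and the 1 to 240 minute bound are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lengthen sudo's credential cache for one account instead of
# switching that account to passwordless (NOPASSWD) sudo.

# Print a sudoers line giving USER a cache lifetime of MINUTES minutes.
render_sudo_timeout() {
    user=$1
    minutes=$2
    # Plain account names only, so no sudoers metacharacters reach the file.
    case $user in
        ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    # Whole minutes only. In sudoers, 0 means "always ask" and a negative
    # value means the timestamp never expires until reboot, so a sign or a
    # zero is refused here. The 240 ceiling is an assumed local policy.
    case $minutes in
        ''|*[!0-9]*) echo "minutes must be a positive integer" >&2; return 1 ;;
    esac
    if [ "$minutes" -lt 1 ] || [ "$minutes" -gt 240 ]; then
        echo "minutes out of range 1..240" >&2
        return 1
    fi
    printf 'Defaults:%s timestamp_timeout=%s\n' "$user" "$minutes"
}

# Validate the rendered line with visudo, then install it (run as root).
install_sudo_timeout() {
    dest=/etc/sudoers.d/90-timestamp-timeout   # assumed name; no '.' or '~'
    tmp=$(mktemp) || return 1
    status=1
    if render_sudo_timeout "$1" "$2" >"$tmp"; then
        # -c checks syntax only, -f points at the candidate file, so a typo
        # never reaches the live policy and locks sudo out.
        if visudo -c -f "$tmp" >/dev/null; then
            install -o root -g root -m 0440 "$tmp" "$dest" && status=0
        else
            echo "sudoers syntax check failed; nothing installed" >&2
        fi
    fi
    rm -f "$tmp"
    return $status
}

# Usage (as root):  install_sudo_timeout terry 30
```

`sudo -k` discards the cached credential early, which is worth doing before walking away from a console session.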
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Network Security

Post by TerryJC »

PatrickW wrote: 04/01/2022, 23:21 I think the usual solution to that is a password manager. :)
Is there one for the Pi? It would need to run in a console, since the WMT Pis are all headless.
PatrickW wrote: 04/01/2022, 23:21 Alternatively, it may be worth adjusting the timestamp_timeout in sudoers(5) to allow longer between re-inputting sudo passwords.
That's a thought.
Terry
PatrickW
Posts: 146
Joined: 25/11/2019, 13:34

Re: Network Security

Post by PatrickW »

TerryJC wrote: 05/01/2022, 6:30
PatrickW wrote: 04/01/2022, 23:21 I think the usual solution to that is a password manager. :)
Is there one for the Pi? It would need to run in a console, since the WMT Pis are all headless.
Ah, I didn't consider that you often log in directly to the Pis, rather than via SSH. I don't suppose a password manager would gain you much if it's on the Pi itself, seeing as you'd still need a (similarly strong) password for the password manager.

With that said, there is pass, which is fairly easy to get to grips with. In the absence of a clipboard, I suppose you might be able to load the password into a shell variable temporarily and then pass that to sudo each time instead of typing it in. But really I was thinking about logging in via SSH and using a password manager on the machine that's running the SSH client.

Another, admittedly slightly esoteric and far-fetched, option is available if you happen to own a USB barcode scanner: On another device, from a password manager, take the password, encode it into a QR code, and display it on screen (e.g. by pasting the password into qtqr). Then plug the barcode scanner into the Pi and scan the QR code every time you need to input the password, instead of typing it manually. (A webcam and zbarcam running on the Pi would probably not have quite the same convenience factor.)