Default "secrets" on DD-WRT etc

Posted Jan 6, 2011 16:20 UTC (Thu) by rfunk (subscriber, #4054)
Parent article: Default "secrets"

Since the DD-WRT people seem not to care, and likely other affected projects/vendors as well, I'm now wondering if there are projects/vendors that actually do care about this sort of thing. And how quickly I can migrate my routers to their firmware.


(Log in to post comments)

Default "secrets" on DD-WRT etc

Posted Jan 7, 2011 9:54 UTC (Fri) by dsommers (subscriber, #55274) [Link]

I personally removed DD-WRT a few years ago when I discovered that there were hard-coded ACCEPT rules from specific IP addresses. The forum discussion with the upstream developer did not build up any confidence in my eyes.

The argument that was used was that "these IP addresses are not valid any more and we will remove these iptables rules in the next release". That was without an ETA for the next release, and nobody saw any need to inform the users about this. This despite the fact that a couple of simple 'nvram' commands were all that would have been needed as a workaround.

That the DD-WRT community does not see littleblackbox as a problem for their firmware does not surprise me at all. For me this is yet another reason to stay away from DD-WRT.

I switched to X-WRT and later on to OpenWRT, and I find these two to be much more open and secure router distributions. And it is quite easy to build the OpenWRT firmware yourself.

Default "secrets" on DD-WRT etc

Posted Jan 17, 2011 11:42 UTC (Mon) by eduperez (guest, #11232) [Link]

Probably not-so-related, but OpenWrt generates a new private key for SSH connections upon every firmware installation: I have reinstalled the same OpenWrt firmware on my router several times, and after each installation the SSH client detects a new key.
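The behaviour described in this comment (a client noticing that a host key changed) is the visible side of a check a router owner can also run deliberately: decode the host key the client stored, compute its fingerprint, and compare it against a list of keys known to be shipped in firmware images. The script below is an added example written for this thread; it is not code from LWN, OpenWrt, DD-WRT or littleblackbox. It assumes the OpenSSH wire format for `ssh-rsa` keys (RFC 4253), and every key and host name in it is constructed inline for the demonstration: the sample modulus is not a real RSA modulus, and `DEFAULT_FINGERPRINTS` is a stand-in for a real database of shipped keys.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """mpint encoding: big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode an RSA public key as an OpenSSH 'ssh-rsa' blob."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_blob(blob: bytes):
    """Return (key_type, modulus_bits); modulus_bits is None for non-RSA keys."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + length])
        off += length
    key_type = fields[0].decode()
    if key_type != "ssh-rsa":
        return key_type, None
    modulus = int.from_bytes(fields[2], "big")
    return key_type, modulus.bit_length()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    """Build a known_hosts entry (constructed helper, for sample data only)."""
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def check_host_key(line: str, default_fingerprints) -> dict:
    """Decode one known_hosts line and flag keys that match a shipped-default list."""
    host, _, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    key_type, bits = parse_blob(blob)
    fp = fingerprint(blob)
    return {
        "host": host,
        "type": key_type,
        "bits": bits,
        "fingerprint": fp,
        "is_shared_default": fp in default_fingerprints,
    }


# Constructed sample data: NOT a real key, NOT a real router, NOT a real database.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 1          # 1024-bit placeholder, not a product of two primes
SAMPLE_BLOB = build_rsa_blob(SAMPLE_E, SAMPLE_N)
SAMPLE_LINE = known_hosts_line("router.lan", SAMPLE_BLOB)
DEFAULT_FINGERPRINTS = {fingerprint(SAMPLE_BLOB)}   # stand-in for a shipped-key list


if __name__ == "__main__":
    result = check_host_key(SAMPLE_LINE, DEFAULT_FINGERPRINTS)
    verdict = "SHARED DEFAULT KEY" if result["is_shared_default"] else "unique to this host"
    print(f'{result["host"]}: {result["type"]} {result["bits"]}-bit '
          f'{result["fingerprint"]} -> {verdict}')
```

On a real system the line would come from `~/.ssh/known_hosts` (or from `ssh-keyscan`), and the fingerprint set would be loaded from whatever inventory of shipped keys you maintain; a match means the key is shared with every other device built from the same image, and a router that regenerates its host key on first boot, as the comment describes OpenWrt doing, is exactly what prevents that match.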

Default "secrets" on DD-WRT etc

Posted Feb 3, 2011 14:45 UTC (Thu) by ddwrt (subscriber, #72712) [Link]

Hi,

The stuff written here that "the DD-WRT people" do not care is not right.

We noticed this article (and have even now subscribed to LWN) and we'll take care of a solution.

Our main hassle with a solution right now is that on most platforms we do not have enough space to put OpenSSL for the key (and X.509) stuff into the firmware.
Secondly, we don't trust the current quality of randomness on embedded systems. (OK, that is for sure better than having these "secret defaults".)

Also we assume that offering people a service somewhere "out in the web" to generate the keys will also lead to trust problems again.

The idea we have right now is to use JavaScript in the browser to generate the RSA key (locally) and the X.509 certificate.
We have found stuff to do the RSA part already, but haven't finished the X.509 part.

Copyright © 2013, Eklektix, Inc.