Re: It is now very nearly impossible to install a headless Pi

From: ste...@eircom.net (Ahem A Rivet's Shot)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Tue, 30 Jan 2024 10:08:34 +0000
Organization: A noiseless patient Spider
Message-ID: <20240130100834.a68d36871ff7fa2416840f62@eircom.net>

On Tue, 30 Jan 2024 01:03:40 -0500
"68g.1499" <68g.1499@etr6.net> wrote:

> no pro/State-level stuff. Sorry to burst many egos, but really
> is YOUR server WORTH five CPU-seconds by N.Korea ???

How much is a botnet node worth ? In CPU-seconds ? Or to invert it
how cheaply can they be obtained in CPU-seconds. I prefer that my systems
aren't at the low end of the list but rather far enough up it that the bulk
harvesters won't bother me.

It's like bicycle locks, nothing will stop a determined thief but
any thief will go for the easy ones first so fit something half decent but
don't go over the top.

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
For forms of government let fools contest
Whate'er is best administered is best - Alexander Pope

Re: It is now very nearly impossible to install a headless Pi

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Tue, 30 Jan 2024 11:37:36 +0000
Organization: A little, after lunch
Message-ID: <upan20$vden$4@dont-email.me>

On 30/01/2024 06:03, 68g.1499 wrote:
> The continuing most-dangerous thing out there is not "hacking" but
> "human factors" -

My chief engineer went to do a security audit and install a corporate
firewall, and then test it.

His security report included:

- "The widespread use of dial-in modems connecting to users' DDI ports to
enable them to operate their Windows desktop computers from home
represents a far greater security risk than that offered by the internet
connection....

- "The list of root passwords pinned up behind the receptionist desk as
well as the directory of usernames and DDI extensions is also
suboptimal...

I rest your case....

--
In today's liberal progressive conflict-free education system, everyone
gets full Marx.

Re: It is now very nearly impossible to install a headless Pi

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Tue, 30 Jan 2024 11:38:27 +0000
Organization: A little, after lunch
Message-ID: <upan3j$vden$5@dont-email.me>

On 29/01/2024 19:26, Chris Green wrote:
> Theo <theom+news@chiark.greenend.org.uk> wrote:
>> Chris Green <cl@isbd.net> wrote:
>>> I've never understood how this can work. If you type a wrong password
>>> to ssh it will wait several seconds before allowing you to try again.
>>> In addition it will throw you off completely after three failures and
>>> you'd have to start all over. This is default ssh, no fail2ban or
>>> anything like that.
>>
>> Bombard the machine with SSH connections. There's no delay (aside from the
>> CPU overhead) for starting a new connection, so don't bother with the
>> timeout, just throw as many parallel connections at the machine as you can.
>> If you get rejected, just terminate the TCP connection and open a new one.
>> Or just wait out the timeout, with X thousand parallel connections it
>> doesn't waste any resources doing that.
>>
>> Next, run it via a botnet so each connection comes from a different IP, so
>> avoiding fail2ban and similar firewall techniques.
>>
>> Finally, parallelise over a lot of different victims. Maybe you'll get
>> lucky at one victim, it's just a matter of probabilities.
>>
>>> So how can a dictionary attack possibly work? It would take years!
>>
>> These are often not dictionary attacks in the sense of trying all the
>> dictionary words (including the d1ct10n4ry w0rds etc), but using lists of
>> known usernames/passwords. Which you can be sure pi:raspberry is on.
>>
> OK, so it may be slightly more possible than I was surmising. However
> a Raspberry Pi isn't that fast, it'll run out of puff quite rapidly!
> My B+ takes quite a while just to log me in with password
> authentication! :-)
>
Indeed. My B is fast because it has SSD, but the Zero takes an age.
--
"I am inclined to tell the truth and dislike people who lie consistently.
This makes me unfit for the company of people of a Left persuasion, and
all women"
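
Added example, not part of any poster's message: the guessing Theo describes in the quoted text spreads failures over many source addresses, so a per-address limit of the fail2ban kind sees each source stay under its threshold. The sketch counts failures per source and in total; the log lines are constructed, and the function names and thresholds are assumptions.

```shell
#!/bin/sh
# Constructed sshd log lines (documentation address ranges, made-up PIDs).
sample_log() {
cat <<'EOF'
Jan 30 10:00:01 pi sshd[811]: Failed password for invalid user admin from 203.0.113.10 port 40122 ssh2
Jan 30 10:00:01 pi sshd[812]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 30 10:00:02 pi sshd[813]: Failed password for pi from 192.0.2.55 port 33321 ssh2
Jan 30 10:00:02 pi sshd[814]: Failed password for invalid user test from 203.0.113.99 port 40200 ssh2
Jan 30 10:00:03 pi sshd[815]: Failed password for root from 198.51.100.8 port 51299 ssh2
Jan 30 10:00:03 pi sshd[816]: Failed password for pi from 192.0.2.56 port 33400 ssh2
Jan 30 10:00:09 pi sshd[817]: Accepted publickey for user from 192.0.2.200 port 50000 ssh2
Jan 30 10:00:10 pi sshd[818]: Failed password for root from 198.51.100.7 port 51240 ssh2
EOF
}

# summarise_failures PER_SOURCE_LIMIT TOTAL_LIMIT   (reads a log on stdin)
#   PER_SOURCE_LIMIT: failures from one address that a per-address ban would act on
#   TOTAL_LIMIT:      failures from all addresses together that deserve attention
# Both limits are assumptions chosen for the sample, not recommended values.
summarise_failures() {
    awk -v per_source="$1" -v total_limit="$2" '
    # A failed-password line ends "... from ADDRESS port N ssh2"; counting
    # fields from the end keeps odd usernames from shifting the address.
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
        ip = $(NF-3)
        if (!(ip in hits)) sources++
        hits[ip]++
        total++
        if (hits[ip] > worst) worst = hits[ip]
    }
    END {
        if (worst + 0 >= per_source + 0)
            verdict = "single-source"   # a per-address ban would trigger
        else if (total + 0 >= total_limit + 0)
            verdict = "distributed"     # many failures, no source over its limit
        else
            verdict = "quiet"
        printf "total=%d sources=%d max_per_source=%d verdict=%s\n",
               total, sources, worst, verdict
    }'
}

# With a per-address limit of 3, no single source in the sample is caught,
# yet the total shows the host is being worked on.
sample_log | summarise_failures 3 5
```
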

Re: It is now very nearly impossible to install a headless Pi

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Tue, 30 Jan 2024 11:45:30 +0000
Organization: A little, after lunch
Message-ID: <upangq$vden$6@dont-email.me>

On 30/01/2024 10:08, Ahem A Rivet's Shot wrote:
> On Tue, 30 Jan 2024 01:03:40 -0500
> "68g.1499" <68g.1499@etr6.net> wrote:
>
>> no pro/State-level stuff. Sorry to burst many egos, but really
>> is YOUR server WORTH five CPU-seconds by N.Korea ???
>
> How much is a botnet node worth ? In CPU-seconds ? Or to invert it
> how cheaply can they be obtained in CPU-seconds. I prefer that my systems
> aren't at the low end of the list but rather far enough up it that the bulk
> harvesters won't bother me.
>
> It's like bicycle locks, nothing will stop a determined thief but
> any thief will go for the easy ones first so fit something half decent but
> don't go over the top.
>
It's also like bicycles in that a thief won't spend time on a worthless
kid's tricycle when there is a carbon fibre mountain bike parked next to it.

I literally have nothing of value to a thief anywhere on any system. At
worst, I might lose a small amount of money in a bank account, before
the bank cried 'foul'. Every single financial transaction these days
uses 2FA and an SMS to my smartphone.

They would need both.

And if I lose the smartphone, there are no banking details on it whatsoever.

That's all done from a desktop.

As I said, I personally am simply not worth hacking except as a botnet
member.

I am, thank Clapton, supremely unimportant in the grand scheme of things.

--
"I am inclined to tell the truth and dislike people who lie consistently.
This makes me unfit for the company of people of a Left persuasion, and
all women"

Re: It is now very nearly impossible to install a headless Pi

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Tue, 30 Jan 2024 11:49:22 +0000
Organization: A little, after lunch
Message-ID: <upano2$vden$7@dont-email.me>

On 30/01/2024 10:23, druck wrote:
> On 29/01/2024 10:00, The Natural Philosopher wrote:
>> On 29/01/2024 04:54, 68g.1499 wrote:
>>> North Korea is not
>>>    going to spend five days worth of CPU time to crack your
>>>    little home Pi and its valuable horde of "Rick and Morty"
>>>    vids. Your home connection is likely too slow to be very
>>>    useful for launching broadscale attacks on other systems
>>>    as well.
>
> Your broadband is plenty fast enough to launch DDNS attacks along with
> thousands of other compromised systems. It's the sheer number of
> compromised machines on a botnet rather than their connection speeds
> which makes it a problem.
>
>> Indeed. I've two servers on the open internet with open ssh ports . In
>> 8 years although there is a constant stream of login attempts no one
>> has guessed the correct user name  - let alone the password.
>
> Most of the attempts are against root or known service names, but there
> are lots of username/password attempts which have probably come from
> other successfully compromised systems, reminding you to never reuse
> credentials.
>
>> People get paranoid about stuff they think they know about and forget
>> the simple things.
>> A  long but easily memorable string like  my.cat.hates.PIZZA! will
>> probably fall to a dictionary attack in a few thousand hours, but
>> really, who cares?
>>
>> Sorry, you are not that important, and neither am I.
>
> Your Pi may not be very important, but what else can they get to once inside
> your network? And do you really want it to be used to attack others?
>
Not a lot really.

And I would notice a botnet DDOS attack within seconds. I have a
permanent traffic sensor on every desktop and a web page monitoring
router traffic.
The moment those show anything the browser gets switched off. There are
some sites that will enrol you in peer to peer shit.

I have found two. I assume some javascript action of some sort.

I don't use them any more.

--
There is something fascinating about science. One gets such wholesale
returns of conjecture out of such a trifling investment of fact.

Mark Twain

Re: It is now very nearly impossible to install a headless Pi

From: new...@druck.org.uk (druck)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Tue, 30 Jan 2024 21:11:51 +0000
Organization: A noiseless patient Spider
Message-ID: <upbomt$154fo$1@dont-email.me>

On 30/01/2024 11:45, The Natural Philosopher wrote:
> On 30/01/2024 10:08, Ahem A Rivet's Shot wrote:
>>     How much is a botnet node worth ? In CPU-seconds ? Or to invert it
>> how cheaply can they be obtained in CPU-seconds. I prefer that my systems
>> aren't at the low end of the list but rather far enough up it that the
>> bulk harvesters won't bother me.
>>
>>     It's like bicycle locks, nothing will stop a determined thief but
>> any thief will go for the easy ones first so fit something half decent
>> but don't go over the top.
>>
> It's also like bicycles in that a thief won't spend time on a worthless
> kid's tricycle when there is a carbon fibre mountain bike parked next to
> it.

It's nothing like bicycles, botnet herders don't care what they are
cracking, adding another node to a botnet is the goal and one is pretty
much as good as another. Also they aren't putting their own effort or
their own CPU cycles into cracking new machines, it's being done by a
script running on other people's machines already in the botnet.

---druck

Re: It is now very nearly impossible to install a headless Pi

Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Organization: USS Voyager NCC-74656, Delta Quadrant
From: sco...@alfter.diespammersdie.us (Scott Alfter)
Message-ID: <AgfuN.186088$yEgf.71779@fx09.iad>
Date: Tue, 30 Jan 2024 23:05:04 GMT

In article <k4fd8k-d8d71.ln1@esprimo.zbmc.eu>,
Chris Green <cl@isbd.net> wrote:
>I can't use Pi Imager because it's very broken on Ubuntu:-

Sounds like something you should take up with the Ubuntu packagers. I
maintain a Gentoo ebuild for rpi-imager (it's in my overlay...sudo eselect
repository enable salfter && sudo emaint sync -r salfter), and it works like
a champ.

More recently, I've migrated my print server (an ancient RPi Model B) from
Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless. The
Alpine install needed to be done on a spare Raspberry Pi, but once it was up
and running with ssh access, I was able to do the rest of the setup over the
network. Once I had it configured as I wanted it, I brought the MicroSD card
over to another computer to image it and shipped the image home so I could
blast it onto an SD card. It's a much lighter-weight system now...could put
it on a 128MB SD card, if I had one that small. :) The server runs headless,
with just two printers, a network cable, and a power supply plugged in.

--
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?

Re: It is now very nearly impossible to install a headless Pi

Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Organization: USS Voyager NCC-74656, Delta Quadrant
From: sco...@alfter.diespammersdie.us (Scott Alfter)
Message-ID: <erfuN.258118$7sbb.232154@fx16.iad>
Date: Tue, 30 Jan 2024 23:16:26 GMT

In article <-FadnQKrpYU-sir4nZ2dnZfqnPGdnZ2d@earthlink.com>,
68g.1499 <68g.1499@etr6.net> wrote:
> On install, you CAN select 'pi' as the username and anything
> you want as the password. It WILL complain - but will do it
> if you demand. If you change passwords later there's more of
> a chance it will demand "minimum complexity" (that's deep in
> the PAM stuff).

For remote access (to a headless box or otherwise), you should be using
key-based authentication anyway and should disable password authentication
in sshd.

--
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?
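
Added example, not from the post above or from OpenSSH: a check that a given sshd_config really does turn password logins off, as the post advises. sshd uses the first value it obtains for each keyword, so a `PasswordAuthentication no` appended below an earlier `yes` changes nothing, and keyboard-interactive authentication can still prompt for a password through PAM. The sample configs are constructed; function names are assumptions.

```shell
#!/bin/sh
# effective_setting FILE KEYWORD[,ALIAS...] DEFAULT
# Prints the value sshd would take from the global part of FILE: the first
# uncommented line that sets the keyword, else DEFAULT.
# Limits of this sketch: Include files are not followed and Match blocks are
# not evaluated (parsing stops at the first one). On a real host, "sshd -T"
# prints the effective configuration.
effective_setting() {
    awk -v want="$2" -v dflt="$3" '
    BEGIN { k = split(tolower(want), names, ","); val = dflt }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # keyword and value are separated by whitespace and/or one "="
        split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
        key = tolower(f[1])              # keywords are case-insensitive
        if (key == "match") exit         # conditional section starts here
        for (i = 1; i <= k; i++)
            if (key == names[i]) { val = f[2]; exit }   # first value wins
    }
    END { print val }' "$1"
}

# password_login_possible FILE -> prints "yes" or "no"
# Defaults passed below are the upstream OpenSSH defaults (both "yes").
password_login_possible() {
    pw=$(effective_setting "$1" passwordauthentication yes)
    kbd=$(effective_setting "$1" \
          kbdinteractiveauthentication,challengeresponseauthentication yes)
    if [ "$pw" = "no" ] && [ "$kbd" = "no" ]; then echo no; else echo yes; fi
}

# write_samples DIR: three constructed configs.
write_samples() {
    # weak: the only PasswordAuthentication line is commented out
    printf '%s\n' '#PasswordAuthentication yes' 'UsePAM yes' > "$1/weak"
    # appended: "no" was added at the end, below an earlier "yes"
    printf '%s\n' 'PasswordAuthentication yes' 'UsePAM yes' \
        'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
        > "$1/appended"
    # hardened: keys only
    printf '%s\n' 'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' \
        'UsePAM yes' > "$1/hardened"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in weak appended hardened; do
    echo "$name: password login possible = $(password_login_possible "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```
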

Re: It is now very nearly impossible to install a headless Pi

From: Pancho.J...@proton.me (Pancho)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Tue, 30 Jan 2024 23:35:15 +0000
Organization: A noiseless patient Spider
Message-ID: <upc13i$16fsg$1@dont-email.me>

On 30/01/2024 23:16, Scott Alfter wrote:
> In article <-FadnQKrpYU-sir4nZ2dnZfqnPGdnZ2d@earthlink.com>,
> 68g.1499 <68g.1499@etr6.net> wrote:
>> On install, you CAN select 'pi' as the username and anything
>> you want as the password. It WILL complain - but will do it
>> if you demand. If you change passwords later there's more of
>> a chance it will demand "minimum complexity" (that's deep in
>> the PAM stuff).
>
> For remote access (to a headless box or otherwise), you should be using
> key-based authentication anyway and should disable password authentication
> in sshd.
>

I find it useful to have a weak point, one machine with password
authentication, for that time I find myself on a machine without an
appropriate key.

What is the usual setup for a home LAN, one key to rule them all, or a
key for each machine?

Re: It is now very nearly impossible to install a headless Pi

Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Organization: USS Voyager NCC-74656, Delta Quadrant
From: sco...@alfter.diespammersdie.us (Scott Alfter)
Message-ID: <tMfuN.186089$yEgf.110003@fx09.iad>
Date: Tue, 30 Jan 2024 23:39:05 GMT

In article <upc13i$16fsg$1@dont-email.me>,
Pancho <Pancho.Jones@proton.me> wrote:
>On 30/01/2024 23:16, Scott Alfter wrote:
>> For remote access (to a headless box or otherwise), you should be using
>> key-based authentication anyway and should disable password authentication
>> in sshd.
>
>What is the usual set up for a home LAN, one key to rule them all, or a
>key for each machine?

One key for each host that needs to connect. That way, if one of your
computers gets stolen or is lost, you can revoke its access.

--
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?

Re: It is now very nearly impossible to install a headless Pi

<WMecnVDpC8pIXCT4nZ2dnZfqn_ednZ2d@earthlink.com>

 by: 68g.1499 - Wed, 31 Jan 2024 03:43 UTC

On 1/30/24 4:11 PM, druck wrote:
> On 30/01/2024 11:45, The Natural Philosopher wrote:
>> On 30/01/2024 10:08, Ahem A Rivet's Shot wrote:
>>>     How much is a botnet node worth ? In CPU-seconds ? Or to invert it
>>> how cheaply can they be obtained in CPU-seconds. I prefer that my
>>> systems
>>> aren't at the low end of the list but rather far enough up it that
>>> the bulk harvesters won't bother me.
>>>
>>>     It's like bicycle locks, nothing will stop a determined thief but
>>> any thief will go for the easy ones first so fit something half
>>> decent but don't go over the top.
>>>
>> It's also like bicycles in that a thief won't spend time on a worthless
>> kid's tricycle. When there is a carbon fibre mountain bike parked next
>> to it.
>
> It's nothing like bicycles, botnet herders don't care what they are
> cracking, adding another node to a botnet is the goal and one is pretty
> much as good as another. Also they aren't putting their own effort or
> their own CPU cycles into cracking new machines, it's being done by a
> script running on other people's machines already in the botnet.

Doesn't hurt to run a few utils like top and htop and ps
every so often. Bots use cpu, memory and bandwidth. Some
might do a fair job at disguise, others won't do so well.
Simply re-booting, like a cron job at midnight, may be
enough to mess up their function.

"Popular" systems - Win/Android/Mac - are going to be the
primary targets, bots and such optimized for them. Linux
proper is there, but not super-popular by the percentages.
Win in particular is a security disaster and most users
are know-nothings, best to put efforts there.

"Perfect" security does not exist, not even for mega-corps
or federal/defense systems. Automated defenses are always
behind the curve - the attackers always have the advantage.
BUT - attackers DO want a decent investment/return picture
and infesting my old C-64 or even my Pi-2 is not a good
investment. Low exposure is also a priority for bots, if
they show up everywhere then there will be detections and
automatic responses made and the useful life of the bot will
be short. In short, there's an economy to it to achieve
maximum bang/buck.

Philosopher is almost TOO extreme, loses a lot of utility
in order to be safe. That's his call. I'd like to be THAT
stealthy, THAT much of a cyberverse ghost, but can't quite
go that far (yet).

I'll still say the greatest risk is not hackers, but
USERS. They fall for all the tricks and install evilware
themselves.

Re: It is now very nearly impossible to install a headless Pi

<INOcnVAPieFWTST4nZ2dnZfqnPadnZ2d@earthlink.com>

 by: 68g.1499 - Wed, 31 Jan 2024 04:47 UTC

On 1/30/24 6:37 AM, The Natural Philosopher wrote:
> On 30/01/2024 06:03, 68g.1499 wrote:
>> The continuing most-dangerous thing out there is not "hacking" but
>> "human factors" -
>
> My chief engineer went to do a security audit and install a corporate
> firewall, and then test it.
>
> His security report included:
>
> - "The widespread use of dial in modems connecting to users DDI ports to
> enable them to operate their windows desktop computers from home
> represents a far greater security risk than that offered by the internet
> connection....
>
> -  "The list of root passwords pinned up behind the receptionist desk as
> well as the directory of usernames  and DDI extensions is also sub
> optimal...
>
>
> I rest your case....

Heh, heh ... :-)

Though dial-up modems are kinda yesterdecade (did find a new
one still in its wrapped box under a desk when I cleaned out
my office recently though)

A very REAL prob, which persists, is that more than one
person often has to know connection usernames/passwords/
ports/etc no matter the methods. Multiple users may need
to access each others data when "Mr. X" goes on vacation.
You also cannot have just ONE super-duper 'vault' for said
docs because redundancy is safety.

Redundancy is also vulnerability - it's a
trade-off. You have to keep that "list on the wall" in
more than one location - and you'll NEVER be sure some
functionary didn't copy it into a Word doc in their
Documents folder (the first thing intruders go at) for
convenience.

No malice is required, simply normal human,
inevitable, laziness. Could NOT do manual log-in to use
network shares or 2FA or anything else nastily inconvenient
at my old job - the staff wouldn't put up with it. Had
to be fairly easy, automatic. Human nature and the truth of
the cyberverse are often at odds - and the whiners win.

Best I could do was to allow no "home-worker" RDT type
connections. Be there or be square. No 'active directory'
or any other Win single-point auto-"update"-ware either.
Many who did that stuff suffered horribly; my "primitive"
approach was closer to indestructible - evilware had
few paths.

The new IT people, they really go for all that M$
convenience stuff - cloud networking, systemwide
updates, remote-workers, no linux/unix master
boxes, 3rd-party 'security monitoring', Online 365,
PROMISED secure cloud storage/backups, all that
"great" stuff. Probably not a single on-site backup.
I used to pre-encrypt anything sent to cloud backup.
They won't - they'll trust M$ or whomever.

Given the increasingly nasty world situation, I figure
six months before NK or some Romanian ransomware kiddies
blast it all to oblivion. Oh well, I'm out, getting my
pension ... whatever will be will be. Nobody seems to
learn anything ..........

Re: It is now very nearly impossible to install a headless Pi

<eu7p8k-cm4u1.ln1@esprimo.zbmc.eu>

 by: Chris Green - Wed, 31 Jan 2024 07:03 UTC

Scott Alfter <scott@alfter.diespammersdie.us> wrote:
> In article <-FadnQKrpYU-sir4nZ2dnZfqnPGdnZ2d@earthlink.com>,
> 68g.1499 <68g.1499@etr6.net> wrote:
> > On install, you CAN select 'pi' as the username and anything
> > you want as the password. It WILL complain - but will do it
> > if you demand. If you change passwords later there's more of
> > a chance it will demand "minimum complexity" (that's deep in
> > the PAM stuff).
>
> For remote access (to a headless box or otherwise), you should be using
> key-based authentication anyway and should disable password authentication
> in sshd.
>
Why specifically?

One argument against using key based authentication (in my case
anyway) is that my home desktop and my laptop (which are the ssh
clients) are turned on and logged-into just about all the time. Thus,
with the default log-in key used for authentication, all my remote
systems would be accessible to someone just walking up to desktop or
laptop.

I *could* generate a separate key for every remote and force it to ask
for the key every time I log in but that adds extra hassle every time
I add or change a remote system.

Using the default (ssh password authentication) means that I have no
extra configuration required to either default or local system **and**
no one can casually walk up to desktop or laptop and get a login to a
remote.

Yes, a key is harder to crack than a password, but a reasonably
difficult to guess password is going to take far too long (in the real
world) to break.

--
Chris Green
·

Re: It is now very nearly impossible to install a headless Pi

<9f8p8k-cm4u1.ln1@esprimo.zbmc.eu>

 by: Chris Green - Wed, 31 Jan 2024 07:12 UTC

Scott Alfter <scott@alfter.diespammersdie.us> wrote:
> In article <upc13i$16fsg$1@dont-email.me>,
> Pancho <Pancho.Jones@proton.me> wrote:
> >On 30/01/2024 23:16, Scott Alfter wrote:
> >> For remote access (to a headless box or otherwise), you should be using
> >> key-based authentication anyway and should disable password authentication
> >> in sshd.
> >
> >What is the usual set up for a home LAN, one key to rule them all, or a
> >key for each machine?
>
> One key for each host that needs to connect. That way, if one of your
> computers gets stolen or is lost, you can revoke its access.
>
Which is of course the default setup with ssh. You generate a key on
the client and that client key will get copied to all the systems to
which that client wants to connect.

I (like most ssh users I suspect) only have two ssh client machines,
my desktop and my laptop. They each have thirty or forty remote
systems they connect to. If either got stolen it would be quite a job
to remove all the remote keys!

--
Chris Green
·

Re: It is now very nearly impossible to install a headless Pi

<109p8k-cm4u1.ln1@esprimo.zbmc.eu>

 by: Chris Green - Wed, 31 Jan 2024 07:21 UTC

Chris Green <cl@isbd.net> wrote:
> Scott Alfter <scott@alfter.diespammersdie.us> wrote:
> > In article <upc13i$16fsg$1@dont-email.me>,
> > Pancho <Pancho.Jones@proton.me> wrote:
> > >On 30/01/2024 23:16, Scott Alfter wrote:
> > >> For remote access (to a headless box or otherwise), you should be using
> > >> key-based authentication anyway and should disable password authentication
> > >> in sshd.
> > >
> > >What is the usual set up for a home LAN, one key to rule them all, or a
> > >key for each machine?
> >
> > One key for each host that needs to connect. That way, if one of your
> > computers gets stolen or is lost, you can revoke its access.
> >
> Which is of course the default setup with ssh. You generate a key on
> the client and that client key will get copied to all the systems to
> which that client wants to connect.
>
The public key that is, of course.

> I (like most ssh users I suspect) only have two ssh client machines,
> my desktop and my laptop. They each have thirty or forty remote
> systems they connect to. If either got stolen it would be quite a job
> to remove all the remote keys!
>
> --
> Chris Green
> ·

--
Chris Green
·
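
Added example, not part of any post in this thread: one way to do the revocation discussed above (Scott Alfter's "you can revoke its access" and Chris Green's thirty or forty remotes). It matches the stolen client's public key by its base64 blob, so entries with a changed comment or leading options are caught too. The function names, the host list and the sample keys are assumptions made for illustration; the keys are constructed, not real key material.

```shell
#!/bin/sh
# Added example: revoke one client's public key from authorized_keys files.

# key_blob PUBFILE: print the base64 blob of the key in a .pub file.
key_blob() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }' "$1"
}

# revoke_key AUTH_FILE BLOB: drop every line carrying BLOB as a whole field,
# keep comments and other keys, replace the file atomically, and print the
# number of lines removed.
revoke_key() {
    auth_file=$1 blob=$2
    [ -n "$blob" ] || return 2                # never filter on an empty blob
    [ -f "$auth_file" ] || { echo 0; return 0; }
    tmp=$(mktemp "${auth_file}.XXXXXX") || return 1
    removed=$(awk -v blob="$blob" -v out="$tmp" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        hit { n++; next }
        { print > out }
        END { print n + 0 }' "$auth_file") || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$auth_file" || return 1
    echo "$removed"
}

# revoke_on_hosts PUBFILE HOST...: run revoke_key on each remote over ssh.
# Needs bash locally (declare -f ships the function text to the remote shell).
# A host that cannot be reached still trusts the key, so failures are printed.
revoke_on_hosts() {
    stolen=$(key_blob "$1"); shift
    [ -n "$stolen" ] || return 2
    for host in "$@"; do
        printf '%s: ' "$host"
        ssh "$host" "$(declare -f revoke_key)
            revoke_key \"\$HOME/.ssh/authorized_keys\" '$stolen'" \
            || echo "FAILED, key may still be authorised"
    done
}

# demo_revoke: runs revoke_key on a constructed authorized_keys file.
demo_revoke() {
    d=$(mktemp -d) || return 1
    lap=AAAAC3NzaC1lZDI1NTE5AAAAIExampleLaptopKeyConstructed000000000000000
    desk=AAAAC3NzaC1lZDI1NTE5AAAAIExampleDesktopKeyConstructed00000000000000
    echo "ssh-ed25519 $lap chris@laptop" > "$d/laptop.pub"
    {
        echo "# constructed sample"
        echo "ssh-ed25519 $desk chris@desktop"
        echo "from=\"192.168.1.0/24\",no-agent-forwarding ssh-ed25519 $lap chris@laptop"
        echo "command=\"uptime -p\" ssh-ed25519 $lap same key, different comment"
    } > "$d/authorized_keys"
    removed=$(revoke_key "$d/authorized_keys" "$(key_blob "$d/laptop.pub")")
    kept=$(grep -c "$desk" "$d/authorized_keys")
    rm -rf "$d"
    echo "removed=$removed kept=$kept"
}
```

This only works if a copy of each client's .pub file is kept somewhere other than on that client.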

Re: It is now very nearly impossible to install a headless Pi

<20240131074723.55a545dc153b6fec036ecc03@eircom.net>

 by: Ahem A Rivet's - Wed, 31 Jan 2024 07:47 UTC

On Tue, 30 Jan 2024 22:43:16 -0500
"68g.1499" <68g.1499@etr6.net> wrote:

> I'll still say the greatest risk is not hackers, but
> USERS. They fall for all the tricks and install evilware
> themselves.

This is standard wisdom in the security game. Simulated phishing
attacks are common in the workplace now - fall for one and get sent on a
course, report one and get congratulated. Pity about the giveaway header
they all carry.

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
For forms of government let fools contest
Whate're is best administered is best - Alexander Pope

Re: It is now very nearly impossible to install a headless Pi

<20240131082630.ca9c25d313abeb6aab09111b@eircom.net>

 by: Ahem A Rivet's - Wed, 31 Jan 2024 08:26 UTC

On Wed, 31 Jan 2024 07:03:10 +0000
Chris Green <cl@isbd.net> wrote:

> Scott Alfter <scott@alfter.diespammersdie.us> wrote:
> > In article <-FadnQKrpYU-sir4nZ2dnZfqnPGdnZ2d@earthlink.com>,

> > For remote access (to a headless box or otherwise), you should be using
> > key-based authentication anyway and should disable password
> > authentication in sshd.
> >
> Why specifically?

The key phrase here is "for remote access".

> One argument against using key based authentication (in my case
> anyway) is that my home desktop and my laptop (which are the ssh
> clients) are turned on and logged-into just about all the time. Thus,

Yep the key(s) for remote access should not be the keys for local
access. Ideally they only get you onto a gateway machine from which you
access the rest by passwords or keys as you choose.

Some time back I decided this was too much hassle and set up a VPN
for outside access, now all I have to worry about are the VPN keys.

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
For forms of government let fools contest
Whate're is best administered is best - Alexander Pope

Re: It is now very nearly impossible to install a headless Pi

<iGr*5FOBz@news.chiark.greenend.org.uk>

 by: Theo - Wed, 31 Jan 2024 10:24 UTC

Chris Green <cl@isbd.net> wrote:
> Scott Alfter <scott@alfter.diespammersdie.us> wrote:
> > In article <-FadnQKrpYU-sir4nZ2dnZfqnPGdnZ2d@earthlink.com>,
> > 68g.1499 <68g.1499@etr6.net> wrote:
> > > On install, you CAN select 'pi' as the username and anything
> > > you want as the password. It WILL complain - but will do it
> > > if you demand. If you change passwords later there's more of
> > > a chance it will demand "minimum complexity" (that's deep in
> > > the PAM stuff).
> >
> > For remote access (to a headless box or otherwise), you should be using
> > key-based authentication anyway and should disable password authentication
> > in sshd.
> >
> Why specifically?

Keys with a passphrase cover 'something you have' as well as 'something you
know', which is two of the three factors (the other being 'something you
are', ie biometrics).

Passwords are just 'something you know', ie once the password is stolen
anyone can reuse it. For example passwords can be keylogged or phished,
while keys can't be (the phishing site doesn't get your private key and
can't replay the transaction).

Unlike the web, SSH uses host keys to reduce the risk of phishing but do you
check the host key the first time you connect? Plus keylogging is a real
concern - there are cracked SSH daemons which record the passwords and send
them to attackers.

> One argument against using key based authentication (in my case
> anyway) is that my home desktop and my laptop (which are the ssh
> clients) are turned on and logged-into just about all the time. Thus,
> with the default log-in key used for authentication, all my remote
> systems would be accessible to someone just walking up to desktop or
> laptop.

If that is a concern, don't unlock your keys until you need to use them.
Desktop environments often run an ssh-agent to hold your keys for you so you
only need type the passphrase once per login/time period, but you can
disable that behaviour. Plus you can use different keys for different
purposes - eg a work key and a home key, so you don't unlock your work key
unless you're doing work stuff.

> I *could* generate a separate key for every remote and force it to ask
> for the key every time I log in but that adds extra hassle every time
> I add or change a remote system.

Asking for the passphrase is no more complex than asking for a password,
surely?

> Using the default (ssh password authentication) means that I have no
> extra configuration required to either default or local system **and**
> no one can casually walk up to desktop or laptop and get a login to a
> remote.

Even if you change nothing on the server end, it's still good to use keys
where you can. If you never send the password there's nothing to keylog or
phish. You could even unset your password so password auth will never
succeed. But it's only a one line change in /etc/ssh/sshd_config to disable
password auth altogether.

Theo

Re: It is now very nearly impossible to install a headless Pi

<wwvbk91pwpj.fsf@LkoBDZeT.terraraq.uk>

 by: Richard Kettlewell - Wed, 31 Jan 2024 11:29 UTC

Chris Green <cl@isbd.net> writes:
> Scott Alfter <scott@alfter.diespammersdie.us> wrote:

>> For remote access (to a headless box or otherwise), you should be
>> using key-based authentication anyway and should disable password
>> authentication in sshd.
>
> Why specifically?
>
> One argument against using key based authentication (in my case
> anyway) is that my home desktop and my laptop (which are the ssh
> clients) are turned on and logged-into just about all the time. Thus,
> with the default log-in key used for authentication, all my remote
> systems would be accessible to someone just walking up to desktop or
> laptop.

If an attacker can just walk up to your computer and run commands on it
then they will install a keylogger and they will have any passwords you
use next time you type them.

There are things you can do about this (screen lock, full disk
encryption, etc) but your choices may depend on the nature of the
threat. e.g. a dishonest cleaner could be deterred by a screen lock, but
an abusive partner might respond with violence to any visible security
measures.

--
https://www.greenend.org.uk/rjk/

Re: It is now very nearly impossible to install a headless Pi

<20240131113826.9d12d0efbc2b0052ba70dc88@eircom.net>

 by: Ahem A Rivet's - Wed, 31 Jan 2024 11:38 UTC

On Wed, 31 Jan 2024 11:29:44 +0000
Richard Kettlewell <invalid@invalid.invalid> wrote:

> There are things you can do about this (screen lock, full disk

Screen lock really should be a minimum consideration. Easy to do
and good enough for most purposes, fingerprint unlock is convenient if
available.

> encryption, etc) but your choices may depend on the nature of the
> threat. e.g. a dishonest cleaner could be deterred by a screen lock, but
> an abusive partner might respond with violence to any visible security
> measures.

Things are serious when the threat surface includes your skin!

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
For forms of government let fools contest
Whate're is best administered is best - Alexander Pope

Re: It is now very nearly impossible to install a headless Pi

<lGr*UnPBz@news.chiark.greenend.org.uk>

From: theom+n...@chiark.greenend.org.uk (Theo)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: 31 Jan 2024 13:40:11 +0000 (GMT)
Organization: University of Cambridge, England
 by: Theo - Wed, 31 Jan 2024 13:40 UTC

Theo <theom+news@chiark.greenend.org.uk> wrote:
> Even if you change nothing on the server end, it's still good to use keys
> where you can. If you never send the password there's nothing to keylog or
> phish. You could even unset your password so password auth will never
> succeed. But it's only a one line change in /etc/ssh/sshd_config to disable
> password auth altogether.

A one liner to disable password auth, works on Ubuntu and Raspberry Pi OS:

echo "PasswordAuthentication no" | sudo tee /etc/ssh/sshd_config.d/10-passwordauth.conf ; sudo service ssh reload
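
What the one-liner above relies on, as an added example that is not part of the original post: sshd keeps the first value it reads for a keyword, so the 10- prefix only helps if no earlier file sets PasswordAuthentication. The sketch assumes the main sshd_config includes sshd_config.d/*.conf before setting anything itself; the function names, the sample tree and the 50-vendor.conf / 60-passwordauth.conf file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for a keyword, and an
# "Include dir/*.conf" glob is expanded in lexical order, so the name of the
# drop-in file decides whether "PasswordAuthentication no" actually wins.

# first_password_auth FILE...
# Prints "<value> <file>" for the first global PasswordAuthentication line,
# scanning FILEs in the order given. Simplification: Match blocks are skipped.
first_password_auth() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        v=$(awk '
            { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # normalise line
            /^#/ || NF == 0 { next }               # comments and blank lines
            tolower($1) == "match" { exit }        # conditional section starts
            tolower($1) == "passwordauthentication" { print tolower($2); exit }
        ' "$f")
        if [ -n "$v" ]; then
            echo "$v $f"
            return 0
        fi
    done
    echo "yes default"                             # OpenSSH built-in default
}

# make_sample DIR: constructed config tree (not taken from a real system).
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' "Include $1/sshd_config.d/*.conf" '#PasswordAuthentication yes' \
        > "$1/sshd_config"
    printf '%s\n' 'PasswordAuthentication yes' > "$1/sshd_config.d/50-vendor.conf"
}

# Demo: the same setting in a 60- file is ignored, in a 10- file it wins.
demo=$(mktemp -d)
make_sample "$demo"
echo 'PasswordAuthentication no' > "$demo/sshd_config.d/60-passwordauth.conf"
first_password_auth "$demo"/sshd_config.d/*.conf "$demo/sshd_config"
echo 'PasswordAuthentication no' > "$demo/sshd_config.d/10-passwordauth.conf"
first_password_auth "$demo"/sshd_config.d/*.conf "$demo/sshd_config"
rm -rf "$demo"

# On the real host, sshd itself is the authority (both are standard flags):
#   sudo sshd -t && sudo sshd -T | grep -i '^passwordauthentication'
```

Running the sshd -t check before the reload also catches a syntax error in the new file while the existing session is still open.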

Re: It is now very nearly impossible to install a headless Pi

<20240131140942.08d8bc3cc5aba7a6e644c7f3@eircom.net>

From: ste...@eircom.net (Ahem A Rivet's Shot)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Wed, 31 Jan 2024 14:09:42 +0000
Organization: A noiseless patient Spider
 by: Ahem A Rivet's - Wed, 31 Jan 2024 14:09 UTC

On 31 Jan 2024 13:40:11 +0000 (GMT)
Theo <theom+news@chiark.greenend.org.uk> wrote:

> A one liner to disable password auth, works on Ubuntu and Raspberry Pi OS:

It will work on just about any unixish system with sshd.

> echo "PasswordAuthentication no" | sudo tee /etc/ssh/sshd_config.d/10-passwordauth.conf ; sudo service ssh reload

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
For forms of government let fools contest
Whate're is best administered is best - Alexander Pope

Re: It is now very nearly impossible to install a headless Pi

<n22q8k-2inv1.ln1@esprimo.zbmc.eu>

From: cl...@isbd.net (Chris Green)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Wed, 31 Jan 2024 14:29:11 +0000
 by: Chris Green - Wed, 31 Jan 2024 14:29 UTC

Ahem A Rivet's Shot <steveo@eircom.net> wrote:
> On Wed, 31 Jan 2024 07:03:10 +0000
> Chris Green <cl@isbd.net> wrote:
>
> > Scott Alfter <scott@alfter.diespammersdie.us> wrote:
> > > In article <-FadnQKrpYU-sir4nZ2dnZfqnPGdnZ2d@earthlink.com>,
>
> > > For remote access (to a headless box or otherwise), you should be using
> > > key-based authentication anyway and should disable password
> > > authentication in sshd.
> > >
> > Why specifically?
>
> The key phrase here is "for remote access".
>
> > One argument against using key based authentication (in my case
> > anyway) is that my home desktop and my laptop (which are the ssh
> > clients) are turned on and logged-into just about all the time. Thus,
>
> Yep the key(s) for remote access should not be the keys for local
> access. Ideally they only get you onto a gateway machine from which you
> access the rest by passwords or keys as you choose.
>
OK, since I'm more worried about people breaking **into** my home
desktop machine rather than the security of all the remotes 'out
there' that's exactly what I do, use a gateway for access. Well,
actually two gateways so that if one fails I can still use the other.
The home firewall is set up to allow ssh connections only from two IP
addresses.

All the remote systems I connect to from my home machine (or my
laptop) are of little consequence security wise. One for example is
a Beaglebone Black monitoring the battery voltages on my boat.

> Some time back I decided this was too much hassle and set up a VPN
> for outside access, now all I have to worry about are the VPN keys.
>
I've often looked at openVpn but always decided it was far more hassle
than using ssh! :-) Admittedly I do 99% of my computing at the
command line so an ssh connection is all I ever want.

--
Chris Green

Re: It is now very nearly impossible to install a headless Pi

<qn2q8k-2inv1.ln1@esprimo.zbmc.eu>

From: cl...@isbd.net (Chris Green)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Wed, 31 Jan 2024 14:40:26 +0000
 by: Chris Green - Wed, 31 Jan 2024 14:40 UTC

Richard Kettlewell <invalid@invalid.invalid> wrote:
> Chris Green <cl@isbd.net> writes:
> > Scott Alfter <scott@alfter.diespammersdie.us> wrote:
>
> >> For remote access (to a headless box or otherwise), you should be
> >> using key-based authentication anyway and should disable password
> >> authentication in sshd.
> >
> > Why specifically?
> >
> > One argument against using key based authentication (in my case
> > anyway) is that my home desktop and my laptop (which are the ssh
> > clients) are turned on and logged-into just about all the time. Thus,
> > with the default log-in key used for authentication, all my remote
> > systems would be accessible to someone just walking up to desktop or
> > laptop.
>
> If an attacker can just walk up to your computer and run commands on it
> then they will install a keylogger and they will have any passwords you
> use next time you type them.
>
That requires a knowledgeable attacker, just connection to a remote
doesn't.

> There are things you can do about this (screen lock, full disk
> encryption, etc) but your choices may depend on the nature of the
> threat. e.g. a dishonest cleaner could be deterred by a screen lock, but
> an abusive partner might respond with violence to any visible security
> measures.
>
Quite.

However this is all quite academic really. It's security the other
way about (**into** my home system) that really matters.

--
Chris Green

Re: It is now very nearly impossible to install a headless Pi

<mj2q8k-2inv1.ln1@esprimo.zbmc.eu>

From: cl...@isbd.net (Chris Green)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: It is now very nearly impossible to install a headless Pi
Date: Wed, 31 Jan 2024 14:38:14 +0000
 by: Chris Green - Wed, 31 Jan 2024 14:38 UTC

Theo <theom+news@chiark.greenend.org.uk> wrote:
> Chris Green <cl@isbd.net> wrote:
>
> > I *could* generate a separate key for every remote and force it to ask
> > for the key every time I log in but that adds extra hassle every time
> > I add or change a remote system.
>
> Asking for the passphrase is no more complex than asking for a password,
> surely?
>
> > Using the default (ssh password authentication) means that I have no
> > extra configuration required to either default or local system **and**
> > no one can casually walk up to desktop or laptop and get a login to a
> > remote.
>
> Even if you change nothing on the server end, it's still good to use keys
> where you can. If you never send the password there's nothing to keylog or
> phish. You could even unset your password so password auth will never
> succeed. But it's only a one line change in /etc/ssh/sshd_config to disable
> password auth altogether.
>
I don't disagree with what you're saying but there's a load of
configuration to do it all if, as is often the case, I'm rebuilding a
Raspberry Pi for example.

"If you never send the password there's nothing to keylog or
phish" Ay? If there's a keylogger on your system it doesn't care
whether you're typing a password or a key. If it's logging what's
sent over the wire then it's encrypted.

You **have** to start with password authentication so it's inevitably
there when you start with your headless Pi. Everything more to move
to one key per remote system is extra hassle which I have to repeat
when I rebuild the Pi (which can be quite frequently, e.g. two or
three times in a week).

So generate key (OK, that's only once per physical system), copy the
key to the remote using ssh-copy-id. Then go to the remote and edit
/etc/ssh/sshd_config, then reboot and check it all works. Not a load
of work but enough to be a bit of a pain, plus I like to record
configuration changes (like the sshd_config one).

--
Chris Green
