[Q] devel-su requires remote connection enabled? Security hole? [answered]
asked 2014-03-19 01:09:28 +0300
This post is a wiki. Anyone with karma >75 is welcome to improve it.
I am a bit puzzled, since OS 1.0.4.20 strange things happen:
- I can ssh the Jolla while "Remote connection" is disabled.
Ok, I cannot login, however the Jolla handset sends me the password request (repeatedly – until I enable "Remote connections", then the login is accepted). I think, in previous OS versions, the Jolla device would simply not answer while "Remote connections" was switched off. - I cannot devel-su without "Remote connection" being enabled.
A password had been set previously and "Remote connection" disabled again. However, that last password is not acknowledged any longer (as it was with previous OS versions).
If my observations are correct, in my humble opinion the changes to the security system have reduced system security:
- It should not be necessary to allow for remote access while operating locally as devel-su.
For local devel-su, a rather simple password is sufficient, however while remote access is possible, I should set a password that is rather hard-to-crack. - Jolla handset should not permanently listen on the ssh port and answer contact requests. Can anybody be sure that there is no bug in the code that can be used to get access to the phone even the last password is not accepted?
