Password-based SSH auth w/insecure default password

[cyclone-github]

The JetKVM doc states that in order to use SSH, you must enable Developer Mode, then set up a public key since JetKVM uses key-based auth and does not allow password-based SSH auth for security reasons.
Source:
https://jetkvm.com/docs/advanced-usage/developing

However, after enabling Developer Mode, I have tested this and found that password-based auth using the default root:rockchip does in fact work without having to set up key-based auth.

See my full writeup on finding the default root password and SSH password auth below:
https://forum.hashpwn.net/post/435

[NoahDar]

Till the next update would simply changing the root password without breaking anything?

[Nevexo]

Yeah this is an issue for the system image repo really.

I suppose we could take the approach of changing the root password when the front end password is changed, but eh.

Realistically the system image should just have password auth disabled entirely.

[NoahDar]

I agree the password auth should be disabled entirely to prevent any possible way to brute force their way in. Only SSH keys should be allowed.

[cyclone-github]

The dropbear issue can be easily fixed by modifying /oem/usr/bin/dropbear.sh from dropbear -R -E to dropbear -R -E -s -g.
We can find this syscall in the KVM app jsonrpc.go which is called when enabling Developer Mode:

kvm/jsonrpc.go

Line 337 in de5403e

cmd := exec.Command("dropbear.sh")

For now, we can run the followings commands from the Web KVM Terminal to mitigate these two issues:

1. Disable dropbear password-auth and root password-auth:

• sed -i 's|dropbear -R -E|dropbear -R -E -s -g|' /oem/usr/bin/dropbear.sh

2. Change root password:

• passwd

3. Verify dropbear is running correctly (after cycling Developer Mode off/on):

• ps | grep dropbear

[chemhack]

it's now fixed in system 0.2.3. i can confirm it's no longer reproducible after the update.