[OE-core] [PATCH 2/2] base-passwd: set root's default password to 'root'

Philip Balister philip at balister.org
Thu Nov 24 14:09:07 UTC 2016


On 11/24/2016 02:46 AM, Patrick Ohly wrote:
> On Thu, 2016-11-24 at 11:38 +0800, Robert Yang wrote:
>> Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky, and
>> there is no passwd, so that user can login easily without a passwd, I think
>> that current status is more unsafe ?
> 
> Both well-known password and no password are unsafe. User "root" with
> password "root" is not even "more" safe already now, because tools that
> brute-force logins try that. Choosing something else would be a bit
> safer for a short while until the tools add it to their dictionary.
> 
> Poky is also targeting a different audience than OE-core. Poky can
> assume to be used in a secure environment, OE-core can't (because it
> might be used for all kinds of devices).
> 

That is the first time I've heard Poky is targeting an audience assumed
to be running in a secure environment. Should we document what Poky this
somewhere? From where I sit, this seems to be an odd limitation.

Philip



More information about the Openembedded-core mailing list