[security] Radxa Debian image ships with ssh keys

So, I want to bring this to attention: the Debian image (and possibly others from Radxa too) ships with default SSH public keys. This means every ROCK 5B with a Radxa image has the same public keys, which defeats the host authentication feature of SSH.
An exploit scenario would be someone replacing your ROCK 5B with a malicious one that logs passwords.

Solution: ship the image without SSH keys; they should be generated on first boot.
Also: force users to change the user and root passwords after first use. Combined with this SSH vulnerability, this might amount to a huge problem in the long run!

4 Likes

Or just switch to Armbian, where all this was made a standard feature something like 7-8 years ago.

1 Like

My specific application causes instability with something from Armbian. So that wouldn’t be a solution for me (or for everyone). You wouldn’t switch to Android from your iPhone because the iPhone has a security vulnerability, right?

I think especially easily fixable security issues should be fixed instead of being worked around. Apart from that, the “manual” on Radxa’s wiki goes with Debian, so that is what most users will go for, not knowing about the issue (I didn’t see it until I fxcked up a migration from mSD to eMMC and had to reflash with the factory image, and it didn’t warn about changed host keys).

John, I think this is already changed, at least for some devices. What version are you using?
On early builds SSH was left with defaults and keys were generated at build time;
then it was just disabled, and later re-enabled to allow headless first boot. Check out the first boot script here:


there is:

regenerate_ssh_hostkey

This should work if you have the right image; make sure about that and report back. Where? I still don’t know what the best place is; maybe ask @RadxaYuntian which repo is OK?

I’m currently running a build from the end of March, so I figured this was still an issue. I just figured it’s better to bring it up and have Radxa remove their host keys from the image and instead add either dpkg-reconfigure for the host keys or regenerate_ssh_hostkey as you stated. I actually don’t know where to find the image version, but /proc/version states the kernel build is from February 6th, so not too outdated.
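The two posts above (the first-boot regenerate_ssh_hostkey step and the suggestion to drop shipped host keys in favour of regeneration) describe the fix; what a user can do today is check whether the problem is present. A board flashed from an image with baked-in host keys shows up in a client's known_hosts as one key bound to several different hosts. The script below is an added example, not code from this thread or from Radxa: it parses known_hosts lines, computes the OpenSSH-style SHA256 fingerprint of each key, and reports any key that appears on more than one line. The sample known_hosts content and the key blobs are constructed for the example; the host names and key bytes are not real.

```python
"""Audit a known_hosts file for host keys that several different hosts share.

Added example (not from the forum thread). Assumption: if a vendor image ships
pre-generated SSH host keys, every board flashed from it presents the same key,
so the same key ends up recorded for several hosts in the client's known_hosts.
"""
import base64
import hashlib
from collections import defaultdict

# Constructed public-key blobs in OpenSSH wire format (string "ssh-ed25519"
# followed by a 32-byte key). The key bytes are placeholders, not real keys.
def _fake_ed25519_blob(fill: bytes) -> str:
    keytype = b"ssh-ed25519"
    blob = len(keytype).to_bytes(4, "big") + keytype
    blob += (32).to_bytes(4, "big") + fill * 32
    return base64.b64encode(blob).decode()

KEY_A = _fake_ed25519_blob(b"A")  # the "image-shipped" key, seen on two boards
KEY_B = _fake_ed25519_blob(b"B")  # a unique key, seen on one host only

# Constructed known_hosts content for the example.
SAMPLE_KNOWN_HOSTS = f"""\
# comment line
rock-a,192.168.1.10 ssh-ed25519 {KEY_A}
rock-b ssh-ed25519 {KEY_A}
nas ssh-ed25519 {KEY_B}
@cert-authority *.example ssh-ed25519 {KEY_B}
"""


def parse_known_hosts(text: str):
    """Yield (marker, hosts, keytype, keydata) per known_hosts line.

    marker is "@cert-authority"/"@revoked" or None; hosts is the list of
    comma-separated names/addresses on that line. Comments and blank lines
    are skipped, as are lines too short to be valid.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        hosts, keytype, keydata = fields[0].split(","), fields[1], fields[2]
        yield marker, hosts, keytype, keydata


def fingerprint(keydata: str) -> str:
    """OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(keydata)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(text: str) -> dict:
    """Map fingerprint -> sorted host names for keys recorded on >1 line.

    One line may legitimately list several aliases of one host (ssh writes
    "name,ip" for a single connection), so the count is per line, not per
    alias. CA and revoked markers are not per-host keys and are ignored.
    """
    lines_per_key = defaultdict(int)
    hosts_per_key = defaultdict(set)
    for marker, hosts, keytype, keydata in parse_known_hosts(text):
        if marker is not None:
            continue
        key = (keytype, keydata)
        lines_per_key[key] += 1
        hosts_per_key[key].update(hosts)
    return {
        fingerprint(keydata): sorted(hosts_per_key[(keytype, keydata)])
        for (keytype, keydata), n in lines_per_key.items()
        if n > 1
    }


if __name__ == "__main__":
    # On a real client: shared_host_keys(open("~/.ssh/known_hosts").read())
    for fp, hosts in shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} is shared by: {', '.join(hosts)}")
```

Run against a real `~/.ssh/known_hosts`, a key shared by two boards you know are distinct machines means those boards present identical host keys and should have them regenerated (for example by the first-boot script or `dpkg-reconfigure openssh-server` mentioned above); a single host reached by two names will also show up, so read the host list before acting.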

We are going to release a new image for 5B soon, which will have this issue fixed.

5 Likes

Are you sure?

Armbian is a build system first that generates Debian- or Ubuntu-based OSes. There are many “Debian” builders out there, and DebOS, which Radxa uses, is just one of many. It’s certainly useful and generates some Debian-like OS that you can work with just fine, but … compare https://github.com/go-debos and https://github.com/armbian visually and by the numbers … if you don’t want to go deeper.

The problem from this topic is related to this: adjustments and fixes to userland. You found the first of many troubles introduced by Debian or by Radxa. What does Ubuntu do? It applies many fixes here and is already several steps further, but comes with different problems which aren’t related, so I won’t go into that. Armbian goes around both and applies fixes for both.

Since Armbian uses almost the same hardware interface, we maintain our own fork of the Rockchip kernel for many vendors, also for Radxa products, so you have a choice when they mess something up. That part is usually the only thing that can cause issues at the HW level. They might hit you, but save bugs for many others … it’s difficult to control this complexity, especially without sufficient resources. It is strange that you would have issues here but not with factory images. But possible, if only because the release times are not the same.

Android and iOS are IMO way more different than Debian vs Ubuntu vs Armbian vs DebOS. Those are all very much the same. What differs is package stability, security, versions, philosophy if you want. Especially when more or less the same kernel is used. At the standard user level, all methods work the same. When it’s about HW-specific functions, this is not tied to the OS anyway, but to the HW-specific tools that are tied to a very specific kernel. Those come from Rockchip.

Armbian is not just DebOS + this security fix.

Like most of the problems. Just the quantity of problems is large, and it’s usually easier to re-invent the wheel.

OK, I really don’t want to argue here on whether to fix a security issue that a user could fix himself or not. Not fixing it is irresponsible either way, and there simply is no discussion about it. Having the same host key on I don’t know how many boards Radxa sold is a huge issue that most users probably aren’t aware of. Not fixing this invites exploits of said issue. If you are aware of an issue and can fix it, especially without breaking anything, there is no argument and/or reason not to fix it. Any attempt to argue otherwise just shows either gross negligence or stupidity.

1 Like

Yes, we all agree on that.

Let’s look. There are no full-blown Debian / security / x services; there are no security teams or similar behind it. You are looking at a custom embedded Debian-like OS maintained by one (or a few) person(s). The rest comes “from upstream”. If. Providing something secure and stable is very expensive and resource-intensive … I am not sure this is possible to provide in this segment. At least not for free.

And nobody claims there is. I don’t get your angle here. There is a problem. I contribute by pointing it out, along with a solution. The manufacturer agrees and promises to fix it (thanks btw, Radxa), and then there’s you.

6 Likes