Reset root password in web admin

Post by firwareslut » Mon May 21, 2018 6:23 pm

I think having to enter the "old password" in the SSH access section of the web gui is redundant. Often, we need to reset that password because it's been forgotten.

The whole idea of somehow protecting against unauthorised access becomes obsolete when a simple workaround is to enable SSH key and just paste your public key into the GUI. Then you can log in anyway.

I propose this option be removed. If you have access to the webgui you should be able to change root access by password if you have forgotten your login.
firwareslut
Donator VIP
Posts: 202
Joined: Thu Oct 06, 2011 11:53 am

Re: Reset root password in web admin

Post by Jocko » Tue May 22, 2018 10:40 am

Hi firwareslut,

Thank you for the feedback. It is insecure behaviour!
As I have been able to confirm with some people, several members are too lazy to change the default web-interface password even though they open port 443 (or worse, port 80).

So based on the feedback, we will strengthen security:
- SSH server setup change (login mode, web console, add key) will be available only if it is done from the LAN (ban: remote web access or access from the NAS itself: use a shell tunnel)
- changing the default web-interface password will be available only if it is done from the LAN (ban: remote web access or access from the NAS itself: use a shell tunnel)
- the shell web console will be locked on remote web access
- SSH server setup change will be available only if the web-interface password is not the default one

With these rules, we can remove the field "old password".

Of course, there is an issue with VPN access. But I assume if your VPN is not safe, you will have other additional issues...
Jocko
Site Admin - expert
 
Posts: 11529
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
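
The four rules listed in the reply above can be expressed as one policy check. This is an added example, not the firmware's own code: the subnet, the NAS address, the action names and both function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values; the firmware's real LAN detection is not shown in the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
NAS_ADDR = ipaddress.ip_address("192.168.1.10")

# Hypothetical action names, one set per rule in the post.
LAN_ONLY = {"ssh_setup_change", "change_default_web_password"}
NON_DEFAULT_PW_REQUIRED = {"ssh_setup_change"}
LOCKED_ON_REMOTE = {"web_console"}


def classify_source(remote_addr: str) -> str:
    """Return 'lan', 'nas' or 'remote' for a request's TCP peer address.

    Pass the socket peer address, never a client-supplied header such as
    X-Forwarded-For, which the sender controls.
    """
    ip = ipaddress.ip_address(remote_addr)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap first
    # so a mapped address is judged like the plain IPv4 one.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Loopback or the NAS's own address: the request originated on the NAS
    # itself, which the rules exclude from "LAN".
    if ip.is_loopback or ip == NAS_ADDR:
        return "nas"
    if ip.version == LAN_NET.version and ip in LAN_NET:
        return "lan"
    return "remote"


def is_allowed(action: str, remote_addr: str, web_password_is_default: bool) -> bool:
    """Apply the LAN-only, remote-lock and non-default-password rules."""
    source = classify_source(remote_addr)
    if action in LAN_ONLY and source != "lan":
        return False
    if action in LOCKED_ON_REMOTE and source == "remote":
        return False
    if action in NON_DEFAULT_PW_REQUIRED and web_password_is_default:
        return False
    return True
```

A VPN client that is handed an address inside the LAN subnet is classified as `lan` here, which is the VPN caveat mentioned at the end of the reply.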

