haakonnessjoen/MAC-Telnet

System authentication

Omniflux opened this issue · 3 comments

Add a daemon option (maybe make it the default?) to ignore the username and/or password in the initial setup and always fall into an interactive system login. No need to store plaintext passwords anymore.

https://community.ubnt.com/t5/airMAX-AC-Beta/mac-telnet-server-questions/m-p/2115279

Ugh. You have to be a member for the Beta forums apparently.

Synopsis is:

  • Complaint that service doesn't just use system passwords
  • Explanation why
  • Should modify protocol to use system passwords instead
  • Reasons why that is less than ideal
  • Possible solution is to add non standard secure authentication method to daemon and client
    Will be good for everyone except those who want to connect to daemon from Router OS
  • This solution, which I realized is actually not a good solution, because it would require passing the password over the wire in plain text instead of storing it on the server in plain text.

In another thread at the Ubiquiti forums, they know about this fork of MAC-Telnet that adds ssh support on top of mactelnet. And it is a nice workaround if you want security, but don't need to telnet from RouterOS devices or their tools. (https://github.com/aouyar/MAC-Telnet)

But I am unsure of the benefits of that except for mndp discovery. Since you could just ssh to the box directly, using IPv6 local IPs (fe80). And if you only know the MAC address, you could just calculate the IPv6 IP using a tool. I feel this would be a less "hacky" solution than adding encryption on top of mactelnet, and thus making it incompatible with RouterOS tools.

On Ubiquiti devices you already have a "discover" tool, so the one benefit of mndp is also not there.

And as you said yourself, the solution of just ignoring authentication and doing interactive login from the server is kind of worse, since you actually send your password in plain text over the network. Which is worse than how mactelnet does its own authentication (which only sends a hash).
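The comment above suggests deriving the fe80 address from a known MAC and just using ssh. The following is an added example of that derivation, not code from this repository or from the commenter: it applies the modified EUI-64 rule (insert `ff:fe` in the middle of the MAC, flip the universal/local bit of the first octet) to build the link-local address, reverses it again so a captured fe80 address can be mapped back to a MAC, and assembles the ssh invocation. The MAC, interface name and `admin` user are constructed sample values.

```python
import ipaddress
import re
from typing import List, Optional

# Modified EUI-64 (RFC 4291 appendix A): the 64-bit interface identifier is
# the MAC with 0xfffe inserted after the third octet and bit 0x02 of the
# first octet inverted. The link-local prefix is fe80::/64.
LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Return the EUI-64 based fe80:: address for a 48-bit MAC.

    Accepts '00:0c:42:ab:cd:ef', '00-0c-42-ab-cd-ef' or '000c.42ab.cdef'.
    """
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # flip the universal/local bit
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + bytes(eui64))


def link_local_to_mac(addr: str) -> Optional[str]:
    """Reverse the derivation. Returns None if the address is not link-local
    or its interface identifier is not EUI-64 shaped (e.g. a privacy or
    RFC 7217 stable address), in which case the MAC cannot be recovered."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop any zone id
    if not ip.is_link_local:
        return None
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in raw)


def ssh_argv(mac: str, iface: str, user: str = "admin") -> List[str]:
    """Build the ssh command line. Link-local addresses are only valid on one
    L2 segment, so the outgoing interface must be given as a zone id."""
    target = f"{user}@{mac_to_link_local(mac)}%{iface}"
    return ["ssh", target]


if __name__ == "__main__":
    sample_mac = "00:0c:42:ab:cd:ef"  # constructed sample, not a real device
    ll = mac_to_link_local(sample_mac)
    print(ll)                         # fe80::20c:42ff:feab:cdef
    print(link_local_to_mac(f"{ll}%eth0"))
    print(" ".join(ssh_argv(sample_mac, "eth0")))
```

Two caveats for anyone trying this instead of the ssh-over-mactelnet fork: the address is only reachable from a host on the same Ethernet segment (hence the `%eth0` zone id), and it only works if the target actually forms its link-local address from the MAC. Many Linux builds now default to RFC 7217 stable-privacy identifiers, in which case `link_local_to_mac` returns None and you need a neighbour-discovery ping (`ping ff02::1%eth0`) or MNDP to find the box after all.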