ivucica blog

Ubiquiti's mPower ships with ancient Dropbear 0.51 and no forced command support

Bane of all hardware products — software updates.

The exciting mPower and mPower PRO power strips that I am otherwise happy with are, even in the latest firmware version, sadly shipping with an ancient version of Dropbear. This means no command restriction in the authorized_keys file.

sigh

In hopes that their firmware release engineering processes are such that swapping one Dropbear version for another will not take too much effort, I’ve opted to file a support request, upon which I was directed to post a request on the forums.

Sadly, I don’t think I could even work around this with multiuser support and putting together a .profile, given that this device is not really built for multiuser use. (That is, it seems to have one user, root, which may or may not be renamed. For example, in /etc/passwd, uid 0 on my devices is called ivucica.)

If they do update it, hopefully they opt for the latest release, as apparently 0.52 and later had security vulnerabilities with exactly the command= restriction.
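A check that could be run from a management host, as an added example that is not part of the original post: it reads a device's SSH identification banner and an authorized_keys file, and reports which keys carry a command= restriction that the server version cannot provide. The 0.52 threshold follows the post's statement above; the command path, key blobs and key comments are constructed placeholders.

```python
import re
# Assumption taken from the post: command= needs Dropbear 0.52 or later.
FORCED_COMMAND_MIN = (0, 52)
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+)$")

def dropbear_version(banner):
    """Version tuple from an SSH banner, or None if the server is not Dropbear."""
    m = re.match(r"SSH-[\d.]+-dropbear_(\d+(?:\.\d+)*)", banner.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def split_options(line):
    """Split an authorized_keys line into (options, rest), honouring quotes."""
    if KEY_TYPE.match(line.split()[0]):
        return "", line                 # line starts with the key type: no options
    in_quotes, i = False, 0
    while i < len(line):
        if line[i] == "\\" and in_quotes:
            i += 1                      # skip the escaped character, e.g. \"
        elif line[i] == '"':
            in_quotes = not in_quotes
        elif line[i].isspace() and not in_quotes:
            break
        i += 1
    return line[:i], line[i:].strip()

def audit(banner, authorized_keys):
    """Return (key comment, status) for every key in the file."""
    version = dropbear_version(banner)
    if version is None:
        raise ValueError("not a Dropbear banner: %r" % banner)
    supported = version >= FORCED_COMMAND_MIN
    findings = []
    for line in map(str.strip, authorized_keys.splitlines()):
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        status = "unrestricted"
        if re.search(r'(^|,)command="', options):
            status = "forced-command" if supported else "forced-command-unsupported"
        findings.append((comment, status))
    return findings

# Constructed sample: placeholder key blobs and a hypothetical command path.
SAMPLE_KEYS = (
    'command="/usr/bin/relay-toggle 1",no-pty ssh-rsa AAAAB3PLACEHOLDER automation@example\n'
    'ssh-rsa AAAAB3PLACEHOLDER admin@example\n'
)
print(audit("SSH-2.0-dropbear_0.51", SAMPLE_KEYS))
```

Any key reported as `forced-command-unsupported` should be treated as full root access on that device until the firmware ships a Dropbear that supports the option.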


via blog.vucica.net