KVMD 1.83: Security fix for the V2 platform
After a little discussion, I decided to disable OTG Serial Console for security reasons.
The option otg.acm.enabled now is false by default. Additionally, the new OS build environment does not perform the steps for setting up the console.
It is important to note that if you set a strong password on your Pi-KVM, this problem is not so significant. Attackers will not be able to exploit it from the outside. However, I want to provide the most secure default settings. I'm sorry about this mess. This feature was very useful for development and users of ZeroW devices that don't have Ethernet, but it's not good enough for general installations.
- To disable this feature permanently on older Pi-KVMs, follow the instructions above (the override.yaml will not need to be edited after KVMD is updated).
- If you have an old Pi-KVM installation and you want to continue using this feature, use override.yaml and set option otg.acm.enabled to true.
- To enable this feature for the v2 platform again in the build environment, add to the config.mk this line:

    STAGES ?= __init__ os pikvm-repo watchdog ro no-audit pikvm pikvm-otg-console ssh-keygen __cleanup__

As a new feature, you can disable VNC TLS if you need compatibility with strange VNC clients. Use /etc/kvmd/override.yaml for this (remove {} before):

    vnc:
        server:
            tls:
                ciphers: ""

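The following Python check is an added example, not part of the original post or of KVMD itself. It audits the text of an override.yaml for the two opt-ins described above: otg.acm.enabled set to true and an empty vnc.server.tls.ciphers. The sample config is constructed, and the small parser assumes the file contains only nested block mappings with scalar values.

```python
# Added example: flags the two settings from this post in override.yaml text.
# Assumption: the file holds only nested block mappings with scalar values.
def parse_mappings(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open block
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        body = line.strip()
        if not body or body.startswith("#") or body == "{}":
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = body.partition(":")
        while stack[-1][0] >= indent:  # close deeper and sibling blocks
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key.strip()] = value.strip("\"'")
        else:
            parent[key.strip()] = {}
            stack.append((indent, parent[key.strip()]))
    return root

def lookup(cfg, dotted):
    """Return the value at a dotted path, or None if it is not set."""
    for part in dotted.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return None
        cfg = cfg[part]
    return cfg

def audit(text):
    cfg = parse_mappings(text)
    findings = []
    acm = lookup(cfg, "otg.acm.enabled")
    if acm is None:
        findings.append("otg.acm.enabled not set: the KVMD default applies")
    elif str(acm).lower() == "true":
        findings.append("otg.acm.enabled is true: OTG Serial Console is on")
    if lookup(cfg, "vnc.server.tls.ciphers") == "":
        findings.append('vnc.server.tls.ciphers is "": VNC TLS is disabled')
    return findings

# Constructed sample: both opt-ins described in the post are present.
SAMPLE = 'otg:\n    acm:\n        enabled: true\nvnc:\n    server:\n        tls:\n            ciphers: ""\n'

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

When otg.acm.enabled is not set in the override, the result depends on the installed KVMD version, since the default is false only from 1.83 on.
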
To update:

    rw
    pacman -Syu
    reboot