[HN Gopher] Raspberry Pi update removes the default user
___________________________________________________________________
Raspberry Pi update removes the default user
Author : ez_mmk
Score : 55 points
Date : 2022-04-07 19:17 UTC (3 hours ago)
(HTM) web link (deepaqua.me)
(TXT) w3m dump (deepaqua.me)
| alar44 wrote:
| Good.
|
| 8ish years ago, I wrote a script to search out Pis with port 22
| opened to the internet with default un and pw. Let it run
| overnight.
|
| The next morning I checked the log and it found thousands of Pis
| that I could have just logged into with root privileges if I
| wanted.
|
| Never trust users.
| jbaczuk wrote:
| I know you logged in to some of them... :)
| alerighi wrote:
| This is good because I always ended up removing the default user
| and creating another or just using root.
|
| You can always mount the SD card partition and put your ssh key
| into /root to log in with that. An improvement could be to also
| load ssh key from the /boot partition so also windows/mac users
| could do that easily.
|
| By the way using root with an ssh key is fine and not a problem
| in terms of security.
| wanderer_ wrote:
| Now it's just a matter of time before I start losing installs
| because I can't remember passwords...
| MarkusWandel wrote:
| The FS is not encrypted. So just plug the SD card into another
| computer and edit the password file to replace the encrypted
| password with a null string.
| Karellen wrote:
| Wait, is this an update to the OS, or an update to the installer?
|
| If I upgrade my existing Pis, are the currently in-use `pi` users
| (which have non-default passwords) going to be removed?
|
| About half the article makes it sound like it's an OS update, but
| the other half makes it sound like an installer update, and
| there's a _big_ difference between those two scenarios.
| LeoPanthera wrote:
| This is an update to the OS image, which adds a first-run
| script prompting you to create a new user.
|
| Existing installations will not be affected.
| [deleted]
| vault wrote:
| I thought it was still April 1st
| MarkusWandel wrote:
| Well, at least the default, non-expert install of the Raspi OS
| doesn't enable ssh logins.
| londons_explore wrote:
| I'm pretty sure the law discourages default _passwords_. I don't
| see anything wrong with default users, especially on systems
| which are usually single-user.
| batch12 wrote:
| I wonder if removing root is on the roadmap :)
| djbusby wrote:
| Which law?
|
| Oh, this:
|
| https://www.bbc.com/news/technology-59400762
| exfascist wrote:
| They should have just removed the password. Default passwords are
| braindead. Default users really aren't that bad.
|
| Fun anecdote: I used to log into people's Pis in college and show
| them that they needed to change the password. People don't react
| nicely to that.
| op00to wrote:
| At my company pre-COVID if you left your pc unlocked, you'd get
| your nickname changed in chat to a specific code word so
| everyone knew you messed up.
| jbaczuk wrote:
| prob similar to finding out you came to class without pants
| op00to wrote:
| Damn, I'm so used to googling default passwords for stuff. Now I
| gotta remember my own?
| ruined wrote:
| site is down for me but there's an archive snapshot
|
| https://archive.ph/gxhCC
| ajsnigrutin wrote:
| Wtf? So how do I install this headlessly, without needing a
| separate piece of software (imager?)?
|
| I used to just dd the image, touch the 'ssh' file on the boot
| partition, and then change stuff over ssh.
| _joel wrote:
| loopback mount and chroot into the fs, passwd. I'm sure there
| are probably easier ways though
| ajsnigrutin wrote:
| I'm not sure that the arm binary "passwd" will run on x86/_64
| _joel wrote:
| Ahh yes, there's qemu-arch64 but that's probably another
| rabbithole :)
| qbasic_forever wrote:
| QEMU and binfmt_misc should do the trick:
| https://wiki.debian.org/QemuUserEmulation
| simongr3dal wrote:
| Maybe you can pipe a username and password, or maybe an ssh
| publickey, into the ssh file and it will create that user?
|
| I wouldn't be too worried, there will likely be a solution for
| "power users" who use the ssh file.
| shakna wrote:
| > There are also mechanisms to preconfigure an image without
| using Imager. To set up a user on first boot and bypass the
| wizard completely, create a file called userconf or
| userconf.txt in the boot partition of the SD card; this is the
| part of the SD card which can be seen when it is mounted in a
| Windows or MacOS computer.
|
| > This file should contain a single line of text, consisting of
| username:encrypted-password - so your desired username,
| followed immediately by a colon, followed immediately by an
| encrypted representation of the password you want to use.
|
| > To generate the encrypted password, the easiest way is to use
| OpenSSL on a Raspberry Pi that is already running - open a
| terminal window and enter
| echo 'mypassword' | openssl passwd -6 -stdin
|
| > This will produce what looks like a string of random
| characters, which is actually an encrypted version of the
| supplied password.
|
| From the announcement [0], under "Headless setup".
|
| [0] https://www.raspberrypi.com/news/raspberry-pi-bullseye-
| updat...
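
Added example, not part of the thread or the Raspberry Pi announcement: the headless setup quoted above as shell functions that build the userconf.txt line with the password read from stdin, re-check it against its stored salt, and write it next to the 'ssh' marker file. The function names, the username rule and the caller-supplied boot partition path are assumptions of this example.

```shell
#!/bin/sh
# Added example: boot-partition files for the headless setup quoted above.
# Function names and the username rule are assumptions of this example.

# Print "user:hash". The password is read from stdin, so it never lands in
# shell history or in a process argument list.
make_userconf_line() {
    user=$1
    # Conservative rule (assumption): a-z 0-9 _ - only, not starting with a
    # digit or '-', at most 32 characters. This also keeps ':' out of the name.
    left=$(printf '%s' "$user" | LC_ALL=C tr -d 'a-z0-9_-' | wc -c)
    case $user in ''|[0-9-]*) left=1 ;; esac
    if [ "$left" -ne 0 ] || [ "${#user}" -gt 32 ]; then
        echo "invalid username" >&2; return 1
    fi
    IFS= read -r pw || true
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    # -6 selects salted SHA-512 crypt; output looks like $6$<salt>$<digest>.
    hash=$(printf '%s\n' "$pw" | openssl passwd -6 -stdin) || return 1
    printf '%s:%s\n' "$user" "$hash"
}

# Re-hash the password from stdin with the salt stored in LINE and compare.
# The stored value is a one-way hash, so recomputing is the only way to check it.
check_userconf_line() {
    hash=${1#*:}
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    IFS= read -r pw || true
    again=$(printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin) || return 1
    [ "$again" = "$hash" ]
}

# Write userconf.txt and the empty 'ssh' marker file into BOOTDIR, the
# mounted boot partition of the SD card. Password comes from stdin.
write_boot_files() {
    bootdir=$1
    [ -d "$bootdir" ] || { echo "no such directory: $bootdir" >&2; return 1; }
    line=$(make_userconf_line "$2") || return 1
    printf '%s\n' "$line" > "$bootdir/userconf.txt"
    : > "$bootdir/ssh"
}
```

Source the file, then run `write_boot_files` with the mounted boot partition path and the username, supplying the password on stdin.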
| oauea wrote:
| hashed*
| rlpb wrote:
| They've provided a mechanism to do that. Similar to the SSH
| mechanism you already know about.
| [deleted]
| qbasic_forever wrote:
| If you're running a headless setup I'd switch to Ubuntu. You
| can use cloud-init and set it all up just like a VPS.
| [deleted]
| exfascist wrote:
| What I've done for this in the past is create buildroot images
| that grabbed all the dynamic data from the first FAT partition
| (you can get it with blkid although on the Pi you can probably
| just hard code it.)
___________________________________________________________________
(page generated 2022-04-07 23:00 UTC)