mikey32094
Posts: 38
Joined: Sat Jul 25, 2015 10:07 am

SSH Security Warning - My Suggestion

Sat Dec 03, 2016 12:29 am

Hey all,

Just a suggestion here. I'm getting the following warning when logging into the Pi via SSH:
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
But the thing is, I've already disabled password logins and only key based logins are allowed... so ... I don't think this message is taking that into account. Just a friendly suggestion for any devs who might be hanging out.

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 2:02 am

You need to remove ('rm') the following file:

/etc/profile.d/sshpasswd.sh

I know you may be skeptical of this response and think "Oh, no!! I could never remove a file that I didn't place there - and how could I ever remove a file from the /etc directory?!?!?", but the fact remains that this is the gods-of-Raspbian approved way to fix this problem.
Last edited by Martin Frezman on Sat Dec 03, 2016 9:20 am, edited 1 time in total.
If this post appears in the wrong forums category, my apologies.

DougieLawson
Posts: 37128
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:12 am

The code on there gets even more interesting when you've disabled passwordless sudo. Which everyone should do to make their systems more secure. That's the thing the RPF folks really need to do rather than the entirely pointless disabling of ssh.

It's running

    sudo /bin/grep -E ^pi: /etc/shadow

to get the pi shadow password and salt then comparing that to

    mkpasswd -msha-512 raspberry "$SALT"

If the two match it's decided the password for pi is still set to "raspberry" and that's a security exposure. You can fix that by setting the password to any other string.

https://raw.githubusercontent.com/RPi-D ... hpasswd.sh

That shell script was removed from my eleven raspberries as soon as I discovered it.
Last edited by DougieLawson on Sat Dec 03, 2016 9:13 am, edited 1 time in total.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

achrn
Posts: 382
Joined: Wed Feb 13, 2013 1:22 pm

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:13 am

mikey32094 wrote: But the thing is, I've already disabled password logins and only key based logins are allowed... so ... I don't think this message is taking that into account.
Have you also disabled sudo for the pi user? If your login protections are compromised and a user does get access as pi, will they now not have automatic root access (sudo /bin/su should do it)? More generally, I think it better to not rely on just one tier or mechanism of protection, especially when it's so trivially easy to add another layer.

What have you got against changing the password? Personally, I think even the existence of a well known login is a bad idea - I obliterate the pi user entirely as pretty much the first step when setting up a new pi (boot - expand filesystem - set hostname - reboot - add user (including setting groups and sudo) - obliterate 'pi' user is my typical sequence).

DougieLawson
Posts: 37128
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:21 am

Having any user with passwordless sudo is an enormous risk (it's an elephant in the room). You can lift the /etc/shadow file and run it through a sha512 password cracker.

Allowing www-data to use passwordless sudo is an even bigger risk that's frequently encouraged. If www-data needs to muck about with protected resources use a client/server model like pigpio/pigpiod to pass requests and results.

The hackers have powerful computers and lots of time. If they can lift the exposed security credentials today they come back some time in the future after they've cracked them.

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:34 am

It's pretty clear at this point that their first shot at addressing this issue was rather clumsy. It was probably a late-night, spur-of-the-moment we-have-to-do-something-this-is-something-we-must-do-this kind of effort.

At a minimum, the script should delete itself once it sees that you have changed the password - i.e., once you have done what it asks you to do, there's no point in it continuing to check thereafter, slowing down every single login into perpetuity. And note that since it is in the global system profile area, not the user (pi) specific profile area, it affects every user, not just the 'pi' user.

Here is a script that I wrote that I think is better than the current method. This would be wrapped in (i.e., called by) some shell code that would remove it once it had achieved its purpose. Note that the real goal is not so much to check to see if the pw is still 'raspberry', but to see if you can ssh in with that pw. This covers the various abnormal cases that people have been discussing in this and the various other threads devoted to this topic.

    #!/usr/bin/expect --
    # Check to see if a given password grants access via ssh.
    # This attempts to ssh into localhost using the current id (usually pi).
    # Exit code: 0 = the password logs in, 1 = access denied,
    #            2 = usage error or the test could not be completed (timeout).

    proc usage {} {
        global argv0
        puts "Usage: $argv0 \[-q] password"
        exit 2
    }

    # Parse command line...
    if {$argc == 0 || $argc > 2} usage
    if {$argc == 2} {
        if {[lindex $argv 0] == "-q"} {
            log_user 0
            set pw [lindex $argv 1]
        } else usage
    } else { set pw [lindex $argv 0] }

    # Do the test. Public-key auth is switched off for this one connection so
    # that an agent or authorized key cannot log in first and make the
    # password look valid.
    spawn ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no \
        -o PreferredAuthentications=password localhost :

    # No password prompt at all (eof) means password logins are not offered,
    # so this password cannot grant access.
    expect {
        "password:" { send -- "$pw\r" }
        eof         { exit 1 }
        timeout     { exit 2 }
    }

    # "denied" is a wrong password; eof means ':' ran and ssh exited cleanly,
    # i.e. the password grants access.
    expect {
        "denied"    { exit 1 }
        eof         { exit 0 }
        timeout     { exit 2 }
    }


HawaiianPi
Posts: 5207
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 1:34 pm

Martin Frezman wrote: You need to remove ('rm') the following file:

/etc/profile.d/sshpasswd.sh
There are two of them: /etc/profile.d/sshpasswd.sh and /etc/xdg/lxsession/LXDE-pi/sshpwd.sh

One for CLI/SSH and another for the GUI (although if you are running Jessie-Lite I guess you don't have to worry about the other one).

However, the powers that be have already written new scripts that fix the false positives and those will be available early next week (should execute faster too).
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 2:00 pm

HawaiianPi wrote: However, the powers that be have already written new scripts that fix the false positives and those will be available early next week (should execute faster too).
Yes, but you should still delete them (or, better, they should delete themselves) once their job is done.

jadro
Posts: 434
Joined: Sun Oct 02, 2016 1:20 pm
Location: Croatia

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 3:35 pm

I read all of this and ask you experts:
What do I need to do to get security to the top level?
I have only changed the password for user Pi.
I have an NGINX server with PHP and MySQL installed, and my webpage is in the www-data folder? My web PHP scripts open relays from GPIO (small home automation). I connect to the Raspberry from work through my home router, which has port forwarding for ports 80, 20, 22 and 5901 for VNC and SSH. Do I need to do something special, or is it enough to change the Pi user password (which I have done)?
Dougie, what do you mean when you say "disabled passwordless sudo"? Achrn, what do you mean when you ask: "Have you also disabled sudo for pi user?" Do I disable sudo?
I am the Pi user and have a lot of stuff configured. If I change the Pi user or drop it, I will lose everything.

Jadro
Oracle backend database developer
SmartHome IoT & Microprocessor enthusiast and hobbyist

achrn
Posts: 382
Joined: Wed Feb 13, 2013 1:22 pm

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 4:06 pm

jadro wrote: Achrn, what do you mean when you ask: "Have you also disabled sudo for pi user?" Do I disable sudo?
I am the Pi user and have a lot of stuff configured. If I change the Pi user or drop it, I will lose everything.
My sudo comment relates to a different scenario - if you keep user 'pi' with password 'raspberry', but just think you are safe because you've prevented anyone logging in with the password, then if they do somehow get in as pi (through a configuration error or something) then they get free access to everything because having logged in, unless you've stopped pi being able to sudo, they can do anything.

Your situation, as I understand it, is different - if you have changed the password for user 'pi' you are much better off. If your pi user has a good password then you don't want to prevent that user using sudo.

I prefer to have a non-standard user name and user password, so I always create a new user and delete the 'pi' user before doing any configuration, but once you've done a load of work on your pi, that's harder to arrange. If you really want to do it, this looks like a pretty thorough treatment: http://unixetc.co.uk/2016/01/07/how-to- ... y-pi-user/ Easier

jadro
Posts: 434
Joined: Sun Oct 02, 2016 1:20 pm
Location: Croatia

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 8:23 pm

achrn wrote:If your pi user has a good password then you don't want to prevent that user using sudo.
But Raspberry has only 8 characters for the password, I think. You cannot set an excellent password with 8 letters... maybe good but not excellent...
I don't remember so well, but I think that the password cannot have digits, just letters, no?

DougieLawson
Posts: 37128
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 8:47 pm

If you change the sudoers file from

    pi ALL=(ALL) NOPASSWD: ALL

to

    pi ALL=(ALL) PASSWD: ALL

then every use of sudo requires re-entry of the user's password to verify sudo use. It sticks for a while, then some time later you get requested to enter your password again.

That's what I mean by making sudo more secure by removing passwordless sudo.
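A read-only audit for the NOPASSWD grants DougieLawson describes, added here as an example (it is not code from the thread or from Raspbian). It assumes a POSIX shell with sed and grep, and scans /etc/sudoers plus the /etc/sudoers.d drop-ins, which is where Raspbian's own pi rule lives, so you can verify that the change to PASSWD actually took effect; find_nopasswd_rules and audit_sudoers are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only audit that lists every sudoers
# rule granting passwordless sudo. It reads /etc/sudoers and the /etc/sudoers.d
# drop-ins, because Raspbian keeps the 'pi ALL=(ALL) NOPASSWD: ALL' line in a
# drop-in file, not in /etc/sudoers itself. Run as root; it changes nothing.

# Print each uncommented rule in file $1 that grants passwordless sudo, either
# via a NOPASSWD: tag or via a 'Defaults ... !authenticate' line. Backslash
# continuation lines are joined first so a rule wrapped over two lines is caught.
find_nopasswd_rules() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" \
      | grep -Ev '^[[:space:]]*(#|$)' \
      | grep -E 'NOPASSWD[[:space:]]*:|^[[:space:]]*Defaults.*!authenticate'
}

# Scan the main file ($1, default /etc/sudoers) and every drop-in in the
# directory $2 (default /etc/sudoers.d), printing "file: rule" per grant.
# Drop-ins that sudo itself ignores (name contains '.' or ends in '~') are
# skipped, so the report matches what sudo actually enforces.
audit_sudoers() {
    main_file="${1:-/etc/sudoers}"
    drop_dir="${2:-/etc/sudoers.d}"
    for f in "$main_file" "$drop_dir"/*; do
        [ -f "$f" ] || continue
        if [ "$f" != "$main_file" ]; then
            case "${f##*/}" in *.*|*~) continue ;; esac
        fi
        if [ ! -r "$f" ]; then
            echo "cannot read $f (run as root)" >&2
            continue
        fi
        find_nopasswd_rules "$f" | sed "s|^|$f: |"
    done
    return 0
}

# Report: a non-empty list means some user or group can become root without
# re-entering a password, which is the exposure discussed above.
main() {
    rules=$(audit_sudoers "$@")
    if [ -n "$rules" ]; then
        echo "Passwordless sudo grants found:"
        printf '%s\n' "$rules"
    else
        echo "No passwordless sudo grants found in readable sudoers files."
    fi
}

main "$@"
```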

timrowledge
Posts: 1317
Joined: Mon Oct 29, 2012 8:12 pm
Location: Vancouver Island
Contact: Website

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:04 pm

jadro wrote: But Raspberry has only 8 characters for the password, I think. You cannot set an excellent password with 8 letters... maybe good but not excellent...
That would be incorrect. I mean, just think for a moment - what is the default password?
'raspberry'
How many letters does that have?
9
jadro wrote: I don't remember so well, but I think that the password cannot have digits, just letters, no?
Also incorrect, as it happens. Digits and so on are accepted, indeed almost required by the really irritating 'pam' code. I've had so much fun trying to work out how to persuade it to accept passwords that I find acceptably rememberable. I don't care how insecure some annoying algorithm considers my chosen password if the alternative is to write down some insane "Ghx$^&'[email protected]" supposedly secure string because there is no hope of being able to recall it.
Refer to obligatory xkcd cartoon - http://www.xkcd.com/936/
Making Smalltalk on ARM since 1986; making your Scratch better since 2012

Paeryn
Posts: 2808
Joined: Wed Nov 23, 2011 1:10 am
Location: Sheffield, England

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:06 pm

jadro wrote: But Raspberry has only 8 characters for the password, I think. You cannot set an excellent password with 8 letters... maybe good but not excellent...
I don't remember so well, but I think that the password cannot have digits, just letters, no?
Where did you get that information from? As far as I know there's no real limit on the length of a password (or the limit is way longer than you could reasonably use) and you can use practically any character that you can type on a keyboard. I've used symbols in my passwords for years and they are all over 8 characters long.
She who travels light — forgot something.

jojopi
Posts: 3141
Joined: Tue Oct 11, 2011 8:38 pm

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:16 pm

DougieLawson wrote:Having any user with passwordless sudo is an enormous risk (it's an elephant in the room).
You are kidding yourself if you think that having sudo prompt for a password is meaningfully more secure than not having it prompt.

If someone is able to run malicious commands in your account they can permanently compromise that account in a million different ways. They get root next time you run sudo or su, using a keylogger, trojan, or whatever. (If they even need root for the attack they ultimately have in mind.) It is incredibly difficult to protect against this.

You have got to keep bad people out of your boxes, and especially the accounts used by administrators, not pretend you can restrict the damage they can do if they get in.
DougieLawson wrote: You can lift the /etc/shadow file and run it through a sha512 password cracker. The hackers have powerful computers and lots of time.
Very confusing. If they already have root access, why do they need to crack passwords?

DougieLawson
Posts: 37128
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:25 pm

Give www-data sudo and you give another route to get the shadow file out of the system.

Setting sudo to PASSWD rather than NOPASSWD removes some of the ways folks can shoot themselves in the foot. It's a small security improvement but it's still a security improvement whatever you might think.

jadro
Posts: 434
Joined: Sun Oct 02, 2016 1:20 pm
Location: Croatia

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 9:37 pm

Apologies to everyone, I think I remember where this "8 letters" came from: it was when I tried to set a password for TightVNC, I could not enter more than 8 letters, nor digits. That was 6 months ago... Thanks,
Jadro

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 10:53 pm

Martin Frezman wrote:You need to remove ('rm') the following file:

/etc/profile.d/sshpasswd.sh

I know you may be skeptical of this response and think "Oh, no!! I could never remove a file that I didn't place there - and how could I ever remove a file from the /etc directory?!?!?", but the fact remains that this is the gods-of-Raspbian approved way to fix this problem.
A better approach might be to remove the package owning that file, otherwise when the package gets upgraded you might find the file returns.
jadro wrote:
achrn wrote:If your pi user has a good password then you don't want to prevent that user using sudo.
But Raspberry has only 8 characters for the password, I think. You cannot set an excellent password with 8 letters... maybe good but not excellent...
I don't remember so well, but I think that the password cannot have digits, just letters, no?
You can have letters, numbers, and at least some punctuation in a password and probably more than 8 characters, that can let you have some pretty decent passwords (as long as the attacker can't get the shadow file and just run a password cracker on it).

ps. correct horse battery staple

DougieLawson
Posts: 37128
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SSH Security Warning - My Suggestion

Sat Dec 03, 2016 11:03 pm

mfa298 wrote: A better approach might be to remove the package owning that file, otherwise when the package gets upgraded you might find the file returns.
It's probably not practical to remove raspberrypi-sys-mods.

HawaiianPi
Posts: 5207
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: SSH Security Warning - My Suggestion

Sun Dec 04, 2016 12:14 am

jadro wrote: I read all of this and ask you experts:
What do I need to do to get security to the top level?
I have only changed the password for user Pi.
I have an NGINX server with PHP and MySQL installed, and my webpage is in the www-data folder? My web PHP scripts open relays from GPIO (small home automation). I connect to the Raspberry from work through my home router, which has port forwarding for ports 80, 20, 22 and 5901 for VNC and SSH. Do I need to do something special, or is it enough to change the Pi user password (which I have done)?
Dougie, what do you mean when you say "disabled passwordless sudo"? Achrn, what do you mean when you ask: "Have you also disabled sudo for pi user?" Do I disable sudo?
I am the Pi user and have a lot of stuff configured. If I change the Pi user or drop it, I will lose everything.

Jadro
The fact that there is a known default user (not to mention hostname) is a security risk in itself. Changing the password for pi is better than nothing, but I'd get rid of the pi user altogether and create your own user ID, and change the default hostname while you are at it. Here are instructions I have previously posted about creating your own user account.

To create your own user account you will have to login as "pi" first. If your Raspberry Pi is connected to the Internet you should immediately change the default password and reboot before proceeding. I recommend you do this initial set-up offline for best security. Nothing that follows requires an Internet connection.

To add a new user enter,

    sudo adduser {username}

and follow the prompts. Replace {username} with your desired user account name (ex: sudo adduser jadro).

Next you'll want to add the new user to all the same groups as the default "pi" user.

    sudo usermod -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio {username}

Test with: groups pi {username} and compare the output.

Then you edit /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf to add your new user.

    sudo nano /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

Note that this file may not exist in the Lite version (if it doesn't exist you can skip this step).

And finally, you add your user to sudoers.

    sudo visudo -f /etc/sudoers.d/020_{username}-nopasswd

If you don't want to enter a password for admin level stuff, add this to the sudoers file,

    {username} ALL=(ALL) NOPASSWD: ALL

If you DO want to be prompted for a password,

    {username} ALL=(ALL:ALL) ALL

Now you'll want to logout of the pi user account and log back in as your new user, then disable or remove the default "pi" user account. I chose to disable it by creating a long, random password for the "pi" user. You can also lock the account (sudo passwd --lock pi). Or you can just delete the pi account (sudo userdel --remove --force pi).

As of this date (December 3, 2016) there is a bug in a couple of startup scripts that will warn you that the pi account still has the default password if you lock or delete the account (and SSH is enabled). This is a false positive and should be fixed in a few days (I have already tested the fix), but if anyone happens to do this before the fix is in, don't panic when you see the warning. If you have deleted the pi account you are okay. If you have changed the default pi password and locked the account, you are okay. If your system is properly secured you can safely delete these two scripts to stop the default password check and warnings: /etc/profile.d/sshpasswd.sh and /etc/xdg/lxsession/LXDE-pi/sshpwd.sh

The advantage of disabling the pi account is you can re-enable later if you want to. For best security I recommend deleting the pi account.
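The check DougieLawson describes earlier in the thread (grep pi's /etc/shadow entry, hash 'raspberry' with the same salt via mkpasswd, compare), rewritten as an added example that is not the Raspbian sshpasswd.sh script, so that it handles the locked or deleted 'pi' account HawaiianPi mentions and the key-only SSH setup from the original post instead of warning on them. It assumes mkpasswd from the whois package; compute_hash, classify_shadow_entry and ssh_password_auth_disabled are names chosen here.

```shell
#!/bin/sh
# Added example (not the Raspbian sshpasswd.sh script): a default-password check
# that avoids the false positives discussed in this thread. It only warns when
# the risk is real: a live 'pi' account whose password still hashes to
# 'raspberry' (or is empty) on a system that accepts SSH password logins.
# Assumes mkpasswd from the 'whois' package when run for real.

DEFAULT_USER="pi"
DEFAULT_PW="raspberry"

# Hash $1 with the raw sha-512 salt characters $2, as the thread describes.
# Kept in its own function so a test can substitute a fake hasher.
compute_hash() {
    mkpasswd -m sha-512 "$1" "$2"
}

# Classify one /etc/shadow line (pass "" when the user has no entry at all).
# Prints exactly one word: missing, empty, locked, unknown, default or changed.
classify_shadow_entry() {
    line="$1"
    if [ -z "$line" ]; then echo missing; return 0; fi   # account was deleted
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        "")        echo empty;   return 0 ;;   # no password at all: worse than default
        '!'*|'*'*) echo locked;  return 0 ;;   # passwd --lock, or never had one
        '$6$'*)    ;;                          # sha-512 crypt: compare below
        *)         echo unknown; return 0 ;;   # md5/yescrypt/etc: cannot compare
    esac
    salt=$(printf '%s\n' "$hash" | cut -d'$' -f3)
    case "$salt" in rounds=*) echo unknown; return 0 ;; esac   # $6$rounds=N$salt$...
    if [ "$(compute_hash "$DEFAULT_PW" "$salt")" = "$hash" ]; then
        echo default
    else
        echo changed
    fi
}

# True when the sshd_config given as $1 (default /etc/ssh/sshd_config) turns
# password logins off, the key-only setup the original poster describes.
# Quick approximation: ignores Match and Include blocks; 'sshd -T' is authoritative.
ssh_password_auth_disabled() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no[[:space:]]*$' \
        "${1:-/etc/ssh/sshd_config}" 2>/dev/null
}

# Read the live entry the same way the thread says sshpasswd.sh does, then
# report. Needs passwordless sudo (or root) to read /etc/shadow.
main() {
    entry=$(sudo -n /bin/grep -E "^${DEFAULT_USER}:" /etc/shadow 2>/dev/null) || entry=""
    state=$(classify_shadow_entry "$entry")
    case "$state" in
        default|empty)
            if ssh_password_auth_disabled; then
                echo "'$DEFAULT_USER' password is $state, but sshd does not accept password logins"
            else
                echo "WARNING: SSH password login as '$DEFAULT_USER' with the $state password is possible; run 'passwd'"
            fi ;;
        *)  echo "'$DEFAULT_USER' account state: $state, no warning needed" ;;
    esac
}

main
```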

jojopi
Posts: 3141
Joined: Tue Oct 11, 2011 8:38 pm

Re: SSH Security Warning - My Suggestion

Sun Dec 04, 2016 12:16 am

mfa298 wrote:A better approach might be to remove the package owning that file, otherwise when the package gets upgraded you might find the file returns.
It is listed as a conffile in the package. If you remove the file, dpkg should respect that decision forever.

(If you merely modify the file, you may be asked what to do when the packaged version updates.)

HawaiianPi
Posts: 5207
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: SSH Security Warning - My Suggestion

Sun Dec 04, 2016 12:30 am

HawaiianPi wrote:However, the powers that be have already written new scrips that fix the false positives and those will be available early next week (should execute faster too).
Martin Frezman wrote:Yes, but you should still delete them (or better, they should delete themselves) once their job is done.
Maybe... But if someone later changes the password back to raspberry... :P

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: SSH Security Warning - My Suggestion

Sun Dec 04, 2016 8:08 am

DougieLawson wrote:
mfa298 wrote: A better approach might be to remove the package owning that file, otherwise when the package gets upgraded you might find the file returns.
It's probably not practical to remove raspberrypi-sys-mods.
I was assuming they put that functionality in its own package; at least if the file is listed as a conffile, as has also been said, it should do the right thing.
HawaiianPi wrote: The fact that there is a known default user (not to mention hostname) is a security risk in itself.
I'm not sure that a known hostname is much of a risk as such, also the raspberrypi.local name won't be visible outside the subnet.
HawaiianPi wrote: Next you'll want to add the new user to all the same groups as the default "pi" user.

    sudo usermod -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio {username}

Test with: groups pi {username} and compare the output.
...
If you DO want to be prompted for a password,

    {username} ALL=(ALL:ALL) ALL

If you add a user to the sudo group there should be no need to add any config for sudo with a password (there's already a similar rule for group sudo).

Personally I'd also look at what the various groups do and only add the user to the ones needed, my admin users (on lite) tend to start off with just adm (allows reading logs without sudo) and sudo (allows sudo to be used). If you need gpio/spi/i2c access then add in those groups for the relevant users.

RichardUK
Posts: 235
Joined: Fri Jun 01, 2012 5:12 pm

Re: SSH Security Warning - My Suggestion

Sun Dec 04, 2016 12:31 pm

DougieLawson wrote: If you change the sudoers file from

    pi ALL=(ALL) NOPASSWD: ALL

to

    pi ALL=(ALL) PASSWD: ALL

Thanks Dougie I came here for exactly this. :)

Much better than out of date guesses on stack exchange. ;)

RACSIT
Posts: 39
Joined: Thu Sep 08, 2016 4:37 pm
Location: Rutland, Vermont USA

Re: SSH Security Warning - My Suggestion

Tue Sep 19, 2017 8:17 pm

I know this thread is from 2016 but I am just now getting the weather station up and running. This message appeared after the reboot (from installing weather station software). I have reset the pi password. I rebooted the pi and the message went away.

From reading this thread that is not enough. I believe that what I need to do is
...change the sudoers file from

    pi ALL=(ALL) NOPASSWD: ALL

to

    pi ALL=(ALL) PASSWD: ALL

I googled how to change the sudoers file and I found that I need to:

    visudo

I proceeded...

    sudo -i

and then run the visudo. A file comes up (sudoer.tmp) warning me that the file MUST be edited with the visudo command as root (which I am)

I don't see "pi ALL=(ALL) NOPASSWD: ALL" in that file so I can't 'change' it. The only uncommented lines are

    root    ALL=(ALL:ALL) ALL

    %sudo   ALL=(ALL:ALL) ALL

Do I just add it or am I in the wrong place?

Thank you!
Thank you,
Bill
