Raspberry Pi Forums

I want to be able to headless login as root and set password. So I try to
modify image of 2017-04-10-rasbian-jessie-lite.img by using
mount -v -o offset=blah blah blah

So far I've changed image as follows:

* Added empty ssh file to boot partition -- this does make ssh in possible as pi@192.168.1.whatever

* Changed /etc/passwd line for root by removing x from second field (replacing it with nothing)

* Changed /etc/ssh/sshd_config by changing these lines:
* PermitRootLogin without-password to PermitRootLogin yes
* PermitEmptyPasswords no to PermitEmptyPaswords yes

However ssh root@p192.168.1.103 still prompts for a password and say Permission denied when I enter nothing.

What more is required?

Thanks,
Britton

I think there are only two choices, login with a password or login with a key.

knute wrote:I think there are only two choices, login with a password or login with a key.

Well, one would imagine that if he did:

PermitEmptyPasswords no to PermitEmptyPaswords yes

as he says he did, that should take care of that.

I note that he did not mention editing /etc/shadow, which I think is also necessary.

Martin Frezman wrote: Well, one would imagine that if he did:

PermitEmptyPasswords no to PermitEmptyPaswords yes

as he says he did, that should take care of that.

I note that he did not mention editing /etc/shadow, which I think is also necessary.

Edit the * out of /etc/shadow for root's entry and you can log into the Pi without a password but you can't log in with ssh without one even if you set PermitEmptyPasswords yes. So I think he needs to use a key if he wants to login without entering a password.

"PermitEmptyPasswords yes" will not be effective unless you also change nullok_secure to nullok in /etc/pam.d/common-auth.

Of course, logging in using a key is actually less typing than even an empty password, and it does not require you first to defeat four different system security defaults.

Using root routinely is not a good idea, for many of the same reasons that prefixing every command with sudo is not. It will not allow you to pretend that Raspbian is not a multi-user system. Paradoxically it may make you struggle a lot more with security a lot sooner, yet you will not meaningfully be able to claim any Linux skills on your resumé.

jojopi wrote:"PermitEmptyPasswords yes" will not be effective unless you also change nullok_secure to nullok in /etc/pam.d/common-auth.

That did it thanks!

jojopi wrote:"
Of course, logging in using a key is actually less typing than even an empty password, and it does not require you first to defeat four different system security defaults.

Using root routinely is not a good idea, for many of the same reasons that prefixing every command with sudo is not. It will not allow you to pretend that Raspbian is not a multi-user system. Paradoxically it may make you struggle a lot more with security a lot sooner, yet you will not meaningfully be able to claim any Linux skills on your resumé.

I guess a key could be installed on the image as well, so I could login as root from my devel laptop, that's probably not a bad idea. But I'm coming from beaglebone and I want to maintain most of my setup there, where what I do is first login root then
run configuration scripts (including lockdown) from the system itself. Ending up with four separate security systems preventing this (well, 3 systems, 4 settings) seems like a sign of questionable design, particularly in the security sphere where more complexity usually leads to less security. Resume is not an issue for me, as I'm already independent

bkerin wrote: I guess a key could be installed on the image as well, so I could login as root from my devel laptop, that's probably not a bad idea. But I'm coming from beaglebone and I want to maintain most of my setup there, where what I do is first login root then
run configuration scripts (including lockdown) from the system itself. Ending up with four separate security systems preventing this (well, 3 systems, 4 settings) seems like a sign of questionable design, particularly in the security sphere where more complexity usually leads to less security. Resume is not an issue for me, as I'm already independent

This seems like a very backwards way to secure your system (removing all security possible first).

If the issue is that you don't want to type in a password initially when running your config scripts then setting up key login is probably the best. For initial setup you might also want to look at the sshpass tool (this lets you use password based ssh from a script). There's also ssh-copy-id which helps automate copying over your ssh key onto a remote system.