B.Goode
Posts: 8227
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

New Raspbian release "2016-11-25"

Tue Nov 29, 2016 7:45 pm

From: http://downloads.raspberrypi.org/raspbi ... _notes.txt
2016-11-25:
* SSH disabled by default; can be enabled by creating a file with name "ssh" in boot partition
Heads up to the usual volunteer advisors: that's a change from the long-standing previous configuration, and will render a lot of existing tutorials and posting out of date at a stroke.

FTrevorGowen
Forum Moderator
Posts: 5048
Joined: Mon Mar 04, 2013 6:12 pm
Location: Bristol, U.K.
Contact: Website

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 7:52 pm

B.Goode wrote:From: http://downloads.raspberrypi.org/raspbi ... _notes.txt
2016-11-25:
* SSH disabled by default; can be enabled by creating a file with name "ssh" in boot partition
Heads up to the usual volunteer advisors: that's a change from the long-standing previous configuration, and will render a lot of existing tutorials and posting out of date at a stroke.
Thanks for that - duly noted, looks like I need to "burn" a fresh image, and, perhaps, check what happens with a "dist-upgrade". (No time tonight, tomorrow, maybe)
Trev.
Still running Raspbian Jessie on some older Pi's (an A, B1, B2, B+, P2B, 3xP0, P0W) but Stretch on my 2xP3A+, P3B+, P3B, B+, A+ and a B2. See: https://www.cpmspectrepi.uk/raspberry_pi/raspiidx.htm

DougieLawson
Posts: 35784
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:13 pm

What collections of morons decided that was a good idea? How brain dead is that?
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5854
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:19 pm

DougieLawson wrote:What collections of morons decided that was a good idea? How brain dead is that?
100% Simon's idea.

(not really)

EdwinJ85
Posts: 269
Joined: Wed Feb 01, 2012 4:44 pm
Contact: Website

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:28 pm

SSH being disabled by default will make some of my projects a little more tricky :(
Hello!

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5854
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:30 pm

EdwinJ85 wrote:SSH being disabled by default will be a pain for my projects :(
Before you insert the card into the pi, create the 'ssh' file on the boot partition and it should only be a minor inconvenience.

bensimmo
Posts: 4152
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:40 pm

If the benefit is a bit of security, why not run a script at start to tell the user to change the Pi password as well. That would probably be better?

Does this alter the NOOBS release too?
If so is there an option in the NOOBS install to enable it during initial setup?


EDIT :oops:
Prompt for password change at boot when SSH enabled with default password unchanged
:lol:

Should that not also be put into Raspi-config (easy password change)?

B.Goode
Posts: 8227
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:53 pm

After some further thought while serving and eating an evening meal..

I have jumped to the assumption that it is the sshd listener/daemon that is being referred to. But that's not what the Release Notes actually say.

If it is the ssh server that is being referred to then at first sight it certainly complicates the process of bringing up a 'headless' Raspbian RPi for the first time. Perhaps the developer/maintainer of the blocks gui PiBakery could be persuaded to add this option to his SD card creation tool?

Presumably the tyrant Security lies behind this. But that would mean that a very large number of RPi's are being brought up on networks that are either directly exposed to the Internet, or on networks that are otherwise deemed to be 'hostile'. And maybe there is a reputational damage limitation aspect: it would not look good for large numbers of RPi systems to be implicated in some future ddos outage or similar. (Compare with the cameras and iot devices exploited in the recent mirai incident.)

And in keeping with the education remit, an early lesson that sometimes convenience becomes the victim of the ill intent of the Bad Guys.
Last edited by B.Goode on Tue Nov 29, 2016 8:55 pm, edited 1 time in total.

bstrobl
Posts: 97
Joined: Wed Jun 04, 2014 8:31 pm
Location: Germany

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:54 pm

This does not disable ssh on current installs, right? Can't have my SSH access disappearing on my colocated server :(.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5854
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:57 pm

Only new installs are affected.

The change is in the new lite and full images, as well as NOOBS.

EdwinJ85
Posts: 269
Joined: Wed Feb 01, 2012 4:44 pm
Contact: Website

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 8:59 pm

ShiftPlusOne wrote:
EdwinJ85 wrote:SSH being disabled by default will be a pain for my projects :(
Before you insert the card into the pi, create the 'ssh' file on the boot partition and it should only be a minor inconvenience.
I know, it's just an inconvenience really.
Hello!

jahboater
Posts: 4597
Joined: Wed Feb 04, 2015 6:38 pm

Re: New Raspbian release "2016-11-25"

Tue Nov 29, 2016 9:19 pm

Worked fine for me.
I do most of the configuration before I even put the SD card in the Pi, so it's just a case of ">ssh" to create the file after I have fixed config.txt.

dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:31 pm

This might be more than an inconvenience: Together with
http://downloads.raspberrypi.org/raspbian/release_notes.txt wrote:Prompt for password change at boot when SSH enabled with default password unchanged
this could prevent headless setups completely - or am I missing something?

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5854
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:35 pm

dasmanul wrote:This might be more than an inconvenience: Together with
http://downloads.raspberrypi.org/raspbian/release_notes.txt wrote:Prompt for password change at boot when SSH enabled with default password unchanged
this could prevent headless setups completely - or am I missing something?
I don't follow how it would prevent headless setups.

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 375
Joined: Fri Dec 26, 2014 11:02 am

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:38 pm

DougieLawson wrote:What collections of morons decided that was a good idea? How brain dead is that?
The engineering team at Pi Towers - so thanks very much for the vote of confidence in our collective competence...

There will be a blog post along shortly to explain. I eagerly await the polite and well-reasoned comments which will doubtless ensue.

Tinderbox (UK)
Posts: 53
Joined: Sat Oct 08, 2016 8:56 pm
Location: England, United Kingdom

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:40 pm

Did they fix the problem of the bluetooth re-enabling itself after a reboot.

John.
Raspberry Pi 3 Model B

B.Goode
Posts: 8227
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:40 pm

If it is headless, where does the prompt to change the password get presented at boot time? If it hasn't been seen and dealt with in the absence of a directly connected display, does that block subsequent ssh login attempts?

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 375
Joined: Fri Dec 26, 2014 11:02 am

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:41 pm

B.Goode wrote:If it is headless, where does the prompt to change the password get presented at boot time? If it hasn't been seen and dealt with in the absence of a directly connected display, does that block subsequent ssh login attempts?
It's a message on the CLI, not a prompt - it's only a prompt on the GUI. It doesn't prevent login.
Last edited by spl23 on Wed Nov 30, 2016 12:41 pm, edited 1 time in total.

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 375
Joined: Fri Dec 26, 2014 11:02 am

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:41 pm

Tinderbox (UK) wrote:Did they fix the problem of the bluetooth re-enabling itself after a reboot.

John.
That was fixed a while ago - the fix has been in apt for several weeks.

PhilE
Raspberry Pi Engineer & Forum Moderator
Posts: 2303
Joined: Mon Sep 29, 2014 1:07 pm
Location: Cambridge

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:45 pm

DougieLawson wrote:What collections of morons decided that was a good idea? How brain dead is that?
I was one of the collection, and I stand behind the decision. We have a responsibility to protect our users, and the combination of a known password and an open SSH port is an accident waiting to happen. The majority of Pi users won't even know what SSH is, so disabling it by default is reasonable - can you think of another OS for non-Power Users which enables SSH by default? With a fixed password?

excors
Posts: 19
Joined: Thu Nov 17, 2016 9:30 pm

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:48 pm

B.Goode wrote:that would mean that a very large number of RPi's are being brought up on networks that are either directly exposed to the Internet, or on networks that are otherwise deemed to be 'hostile'.
There certainly seem to be a lot connected to public IP addresses - Shodan lists about 25K of them. No idea how many still have the default password (I'm not going to try connecting to them since that's quite possibly breaking some laws), but I'd be surprised if it was zero.

gkreidl
Posts: 6041
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:52 pm

PhilE wrote:
DougieLawson wrote:What collections of morons decided that was a good idea? How brain dead is that?
I was one of the collection, and I stand behind the decision. We have a responsibility to protect our users, and the combination of a known password and an open SSH port is an accident waiting to happen. The majority of Pi users won't even know what SSH is, so disabling it by default is reasonable - can you think of another OS for non-Power Users which enables SSH by default? With a fixed password?
Thousands of tutorials and blog articles on the web are now obsolete.
As long as the default sudoers setting doesn't require a password for sudo Raspbian is not secure at all by default.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5854
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:55 pm

gkreidl wrote:
PhilE wrote:
DougieLawson wrote:What collections of morons decided that was a good idea? How brain dead is that?
I was one of the collection, and I stand behind the decision. We have a responsibility to protect our users, and the combination of a known password and an open SSH port is an accident waiting to happen. The majority of Pi users won't even know what SSH is, so disabling it by default is reasonable - can you think of another OS for non-Power Users which enables SSH by default? With a fixed password?
Thousands of tutorials and blog articles on the web are now obsolete.
As long as the default sudoers setting doesn't require a password for sudo Raspbian is not secure at all by default.
Nor does it claim to be, but now you need physical access.

PhilE
Raspberry Pi Engineer & Forum Moderator
Posts: 2303
Joined: Mon Sep 29, 2014 1:07 pm
Location: Cambridge

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 12:59 pm

Thousands of tutorials and blog articles on the web are now obsolete.
No, but they will require an update.
As long as the default sudoers setting doesn't require a password for sudo Raspbian is not secure at all by default.
Yes, and the filing system is unencrypted, and booting into single user mode gets you root access - horror!

If you have physical access to many computers you can do pretty much anything. You can't run sudo without a shell, and disabling ssh prevents 99.99999% of Pi users from getting a shell on your Pi.

I trust some people with a key to my house, but I still close and lock the door when I go out.
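
The pre-boot step ShiftPlusOne describes, together with a check for the passwordless sudo rule gkreidl raises, as an added example that is not part of any post in this thread. The function names and the mount points passed as arguments are assumptions for illustration; the script only reads and writes the mounted SD card, not the running system.

```shell
#!/bin/sh
# Added example: prepare and audit a mounted Raspbian SD card before first boot.

# Create the empty "ssh" flag file named in the release notes.
# $1 = boot partition mount point. config.txt is used as a sanity check
# that the directory really is the boot partition.
enable_ssh() {
    boot=$1
    [ -d "$boot" ] || { echo "not a directory: $boot" >&2; return 2; }
    [ -f "$boot/config.txt" ] || { echo "no config.txt in $boot" >&2; return 2; }
    : > "$boot/ssh"
}

# Print active (non-comment) sudoers rules that skip the password prompt.
# $1 = root partition mount point.
nopasswd_rules() {
    root=$1
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        grep -H -E '^[[:space:]]*[^#[:space:]].*NOPASSWD' "$f" || true
    done
}

# Return 1 when the card will boot with SSH enabled AND passwordless sudo,
# the combination discussed in the thread; return 0 otherwise.
# $1 = boot mount point, $2 = root mount point.
audit_card() {
    rules=$(nopasswd_rules "$2")
    if [ -e "$1/ssh" ] && [ -n "$rules" ]; then
        echo "SSH will be enabled on first boot and these rules skip the sudo password:"
        echo "$rules"
        echo "Change the default password at first login."
        return 1
    fi
    return 0
}

# Usage: script.sh BOOT_MOUNT ROOT_MOUNT
if [ "$#" -eq 2 ]; then
    enable_ssh "$1" && audit_card "$1" "$2"
fi
```
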

B.Goode
Posts: 8227
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:03 pm

It's an old and tatty carol sheet I am singing from, but to repeat a couple of points I have made before but thus far without being heard.

1. Easily referenced documentation - more than a collection of potentially unrelated points swept up into a blog post - would make it easier to refer forum users to solutions when they ask "What broke my system?" Having that documentation available when a new OS release is made, rather than some time later, would be good.

2. There is a relatively small number of regular volunteer helpers who contribute advice in these forums. Maybe no more than a couple of dozen. Would it be so painful for the RPF to take that group of users into their confidence, on an NDA basis if needed, when changes that impact user experience/expectations are being considered, to get their polite and well considered feedback before release not after.
