Strawberry Pi
Posts: 1
Joined: Sun Sep 23, 2012 11:39 am

Root login without a password

Sun Sep 23, 2012 11:53 am

I just accidentally logged into my raspi as root instead of using pi/raspberry. I was surprised that I was let in without even being asked for a password! I had never changed any password, so it appears that the default password for root is empty. That's a bit too open for my taste...

I admit I'm using a fairly old version (IIRC I installed the first raspbian image that was made available on http://www.raspberrypi.org/downloads ). I haven't checked newer images. Do newer images have a default root password set? They should!

jecxjo
Posts: 158
Joined: Sat May 19, 2012 5:22 pm
Location: Minneapolis, MN (USA)

Re: Root login without a password

Sun Sep 23, 2012 11:30 pm

No matter what distro you pick there is going to be a default password. They are all documented and would be standard practice as attempts on connecting to your Pi. Empty or default, doesn't change the fact that you should change the password at the beginning when you set yours up.
Blog: http://jecxjo.motd.org/code

plugwash
Forum Moderator
Posts: 3580
Joined: Wed Dec 28, 2011 11:45 pm

Re: Root login without a password

Mon Sep 24, 2012 2:02 pm

The first version of the foundation image was set up with a blank root password rather than a locked-out root account (which I believe was the intention).

It's not TOO big a deal though because ssh doesn't allow logins to accounts with blank passwords. So they would need either physical access or to be already logged in to another account to use it. Still not an ideal situation though.

jecxjo
Posts: 158
Joined: Sat May 19, 2012 5:22 pm
Location: Minneapolis, MN (USA)

Re: Root login without a password

Mon Sep 24, 2012 3:57 pm

I agree. I think the tutorial page needs to have a big bold section stating PLEASE CHANGE YOUR ROOT PASSWORD!!!! as one of the first steps when setting up. I'm amazed at how many devices people have posted on the forum that have default root setups. Security is only as good as their admins make it. Good thing to get new users used to good security practices.
Blog: http://jecxjo.motd.org/code

croston
Posts: 705
Joined: Sat Nov 26, 2011 12:33 pm
Location: Blackpool

Re: Root login without a password

Mon Sep 24, 2012 4:03 pm

A blank root password can be a potential problem for remote attacks. All you need is to be able to log on remotely as a normal user then you can change to root by using the 'su' command. As the Pi is an educational tool, we should not be teaching bad habits.

jojopi
Posts: 3192
Joined: Tue Oct 11, 2011 8:38 pm

Re: Root login without a password

Mon Sep 24, 2012 4:16 pm

jecxjo wrote: I think the tutorial page needs to have a big bold section stating PLEASE CHANGE YOUR ROOT PASSWORD!!!! as one of the first steps when setting up.

Most of the official images do not have the root password set. So changing it — that is, setting one — could only decrease security.

croston wrote: As the Pi is an educational tool, we should not be teaching bad habits.

It was an accident. If you have the old affected image, then lock the root password with "sudo usermod --pass='*' root".
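
Added example, not part of the original thread or any poster's code: a shell check that tells a blank root password (the old image) apart from a locked one (the state after the usermod command above), plus the sshd setting behind the point that ssh refuses blank-password logins. The function names and sample data are constructed for illustration; the sshd check is simplified and ignores Match and Include directives.

```shell
#!/bin/sh
# Classify the password field (2nd field) of shadow(5)-format lines on stdin.
#   empty  -> blank password: local login and su succeed with no password
#   locked -> field starts with '!' or '*': no typed password can match
#   set    -> a password hash is present
classify_shadow() {
    awk -F: '
        NF < 2        { next }                  # skip blank/malformed lines
        $2 == ""      { print $1 ":empty";  next }
        $2 ~ /^[!*]/  { print $1 ":locked"; next }
                      { print $1 ":set" }
    '
}

# Print only the account names whose password field is blank.
empty_password_accounts() {
    classify_shadow | awk -F: '$2 == "empty" { print $1 }'
}

# Effective PermitEmptyPasswords value for sshd_config text on stdin.
# sshd uses the first occurrence of a keyword; the default is "no".
sshd_permit_empty() {
    awk '
        tolower($1) == "permitemptypasswords" && !seen { v = tolower($2); seen = 1 }
        END { print (seen ? v : "no") }
    '
}

# Constructed sample in shadow(5) format; the hash is a placeholder.
sample_shadow() {
    cat <<'EOF'
root::15606:0:99999:7:::
pi:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15606:0:99999:7:::
daemon:*:15606:0:99999:7:::
backup:!:15606:0:99999:7:::
EOF
}

# Demo on the constructed sample. On a real system, as root:
#   empty_password_accounts < /etc/shadow
#   sshd_permit_empty < /etc/ssh/sshd_config
sample_shadow | classify_shadow
```

Any account reported as empty can be reached with su from another local login even when sshd_permit_empty prints "no".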

malakai
Posts: 1382
Joined: Sat Sep 15, 2012 10:35 am

Re: Root login without a password

Mon Sep 24, 2012 4:37 pm

I didn't really see security as an issue setting this up to the outside world or using as a server for any extended period of time is a by-product and not its real intended purpose. I think the whole media server, web server section needs a big tutorial on if you open this up to the world seek professional help :lol: But really I am more concerned about corruption of USB drives and such I think it will only be time before people start posting my entire music library is gone now what do I do. I love the idea of lets see what you can do with it but as no one knows truthfully what the potential / risks of this thing is keeping it experimental is or should be their number one focus.

I am not seeing a whole lot of talk on how do I setup port forwarding on my router so ultimately they are mostly inside their own networks root or no root I think well over half are still pretty secure.
http://www.raspians.com - always looking for content feel free to ask to have it posted. Or sign up and message me to become a contributor to the site. Raspians is not affiliated with the Raspberry Pi Foundation. (RPi's + You = Raspians)

jecxjo
Posts: 158
Joined: Sat May 19, 2012 5:22 pm
Location: Minneapolis, MN (USA)

Re: Root login without a password

Tue Sep 25, 2012 3:36 pm

malakai wrote: I didn't really see security as an issue setting this up to the outside world or using as a server for any extended period of time is a by-product and not its real intended purpose.

I've seen comments like this before and I think it can be harmful to the entire Internet community. It shouldn't matter what your situation is, good security should always be a priority. And yes, theory has its place as compared to practice but there is no harm to make security a habit rather than saying "well my hardware is never going to have access to the outside world."

If you have a desktop that has access to the outside world on your network and I gain access to it, by not applying good security practices on your other devices I have now infiltrated your other systems. Security is always about your weakest link. If the Pi is going to be used for education, why not also promote good security practices? Everyone knows "Don't open an email attachment from someone you don't know." Why not add to the common knowledge phrase book "Always put passwords on your administrator accounts" and "Passwords: change frequently, change often."

malakai wrote: I am not seeing a whole lot of talk on how do I setup port forwarding on my router so ultimately they are mostly inside their own networks root or no root I think well over half are still pretty secure.

I'd be surprised if there wasn't a lot of Pi on the internet. Even acting as a client, such as a media server downloading info about tv shows, exploits could pop up that gain some sort of user access. Open ports on your router aren't the only way of getting into a device.
Blog: http://jecxjo.motd.org/code
