Page 1 of 1

Disabling password reset

Posted: Tue Dec 09, 2014 9:29 pm
by aristosv
I am setting up a few raspberry pi's to play music in some shops at remote locations. I dont want anyone messing with them though.

Is there a way to prevent someone from resetting the root password on raspbian? This would be a person with physical access on the pi.

Can i disable single user mode, or any other methods of resetting the root password?

Re: Disabling password reset

Posted: Tue Dec 09, 2014 9:51 pm
by DougieLawson
Anyone with physical access who can pull the SDCard can compromise your machine, there's nothing you can do about that apart from mounting it in a secure cage. Even then the determined saboteur can cut the wires.

Re: Disabling password reset

Posted: Tue Dec 09, 2014 9:54 pm
by B.Goode
aristosv wrote:Is there a way to prevent someone from resetting the root password on raspbian? This would be a person with physical access on the pi.

Can i disable single user mode, or any other methods of resetting the root password?
NO. (Because if someone has physical access to the RPi they can remove the SD card, manipulate the contents on another system without restraint, and then reboot your RPi with it. Game over.)

Re: Disabling password reset

Posted: Wed Dec 10, 2014 5:24 am
by aristosv
What if i encrypt the sd?

Re: Disabling password reset

Posted: Wed Dec 10, 2014 5:40 am
by beta-tester
aristosv wrote:What if i encrypt the sd?
is the encryption key on the sd card?
i guess encryption does not fix the possibility of manipulation.


put your RPi in a locked sealed bullet proof box...
glue & seal everything removable...
add an alarm system...
add selfdestruction functionallity...
and a paint bomb... :P

Re: Disabling password reset

Posted: Wed Dec 10, 2014 9:50 am
by DougieLawson
aristosv wrote:What if i encrypt the sd?
Where do you store the key? How do you enter the key when the system is re-booted?

If I can physically access the RPi then all bets are off, encryption means that it's slightly harder but I can still steal your whole system and work on the SDCard in my own time in my own lab.

Re: Disabling password reset

Posted: Wed Dec 10, 2014 10:14 am
by aristosv
I realize its a matter of time for someone with the know-how to crack the system.
So let me rephrase.

How can I make it difficult for someone to do that?

Re: Disabling password reset

Posted: Wed Dec 10, 2014 10:20 am
by DougieLawson
You CAN'T!

Re: Disabling password reset

Posted: Wed Dec 10, 2014 10:34 am
by B.Goode
aristosv wrote:I realize its a matter of time for someone with the know-how to crack the system.
So let me rephrase.

How can I make it difficult for someone to do that?
Isn't the clue in the replies? To make it more difficult PREVENT physical access to the system.

Re: Disabling password reset

Posted: Wed Dec 10, 2014 1:14 pm
by beta-tester
an other way to "kind of protect" your work could be:
put to your SD card only a minimal system.
provide a content (media) server at your home/secure place, where only you has physical access to.
register all RPis of all shops by their hardware MAC and hardware serial number of RPi and the hardware serial number of SD and IP (IP range/trace of first shops router to the RPi) of the shops.
everything has to fit to authentication on your server.

the RPIs in the shop has to boot up into their minimal system
and then, they connect to your content server and have to authenticate by using the stored parameters (MAC/SN/IP/what ever) to get further access.
then your software (executables) will download into RAM (ramfs) of the RPis
and download/stream the content (media/videos/music/pictures) you will show.

ok, that will not protect your RPi or SD card physically,
but if they steal your SD card or RPi, they do not have the software and or media.
if they try to access to your content server, from a wrong IP location / wrong RPi / wrong SD card, your server deny access

yeah, i know, that is also big shit... but what can you do...?