aristosv
Posts: 159
Joined: Mon Dec 08, 2014 7:47 pm

Disabling password reset

Tue Dec 09, 2014 9:29 pm

I am setting up a few raspberry pi's to play music in some shops at remote locations. I dont want anyone messing with them though.

Is there a way to prevent someone from resetting the root password on raspbian? This would be a person with physical access on the pi.

Can i disable single user mode, or any other methods of resetting the root password?

User avatar
DougieLawson
Posts: 39594
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Disabling password reset

Tue Dec 09, 2014 9:51 pm

Anyone with physical access who can pull the SDCard can compromise your machine, there's nothing you can do about that apart from mounting it in a secure cage. Even then the determined saboteur can cut the wires.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

User avatar
B.Goode
Posts: 10428
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Disabling password reset

Tue Dec 09, 2014 9:54 pm

aristosv wrote:Is there a way to prevent someone from resetting the root password on raspbian? This would be a person with physical access on the pi.

Can i disable single user mode, or any other methods of resetting the root password?
NO. (Because if someone has physical access to the RPi they can remove the SD card, manipulate the contents on another system without restraint, and then reboot your RPi with it. Game over.)

aristosv
Posts: 159
Joined: Mon Dec 08, 2014 7:47 pm

Re: Disabling password reset

Wed Dec 10, 2014 5:24 am

What if i encrypt the sd?

beta-tester
Posts: 1385
Joined: Fri Jan 04, 2013 1:57 pm
Location: de_DE

Re: Disabling password reset

Wed Dec 10, 2014 5:40 am

aristosv wrote:What if i encrypt the sd?
is the encryption key on the sd card?
i guess encryption does not fix the possibility of manipulation.


put your RPi in a locked sealed bullet proof box...
glue & seal everything removable...
add an alarm system...
add selfdestruction functionallity...
and a paint bomb... :P
{ I only give negative feedback }
RPi B (256MB), B (512MB), B+, ZeroW; 2B; 3B, 3B+; 4B (4GB)

User avatar
DougieLawson
Posts: 39594
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Disabling password reset

Wed Dec 10, 2014 9:50 am

aristosv wrote:What if i encrypt the sd?
Where do you store the key? How do you enter the key when the system is re-booted?

If I can physically access the RPi then all bets are off, encryption means that it's slightly harder but I can still steal your whole system and work on the SDCard in my own time in my own lab.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

aristosv
Posts: 159
Joined: Mon Dec 08, 2014 7:47 pm

Re: Disabling password reset

Wed Dec 10, 2014 10:14 am

I realize its a matter of time for someone with the know-how to crack the system.
So let me rephrase.

How can I make it difficult for someone to do that?

User avatar
DougieLawson
Posts: 39594
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Disabling password reset

Wed Dec 10, 2014 10:20 am

You CAN'T!
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

User avatar
B.Goode
Posts: 10428
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Disabling password reset

Wed Dec 10, 2014 10:34 am

aristosv wrote:I realize its a matter of time for someone with the know-how to crack the system.
So let me rephrase.

How can I make it difficult for someone to do that?
Isn't the clue in the replies? To make it more difficult PREVENT physical access to the system.

beta-tester
Posts: 1385
Joined: Fri Jan 04, 2013 1:57 pm
Location: de_DE

Re: Disabling password reset

Wed Dec 10, 2014 1:14 pm

an other way to "kind of protect" your work could be:
put to your SD card only a minimal system.
provide a content (media) server at your home/secure place, where only you has physical access to.
register all RPis of all shops by their hardware MAC and hardware serial number of RPi and the hardware serial number of SD and IP (IP range/trace of first shops router to the RPi) of the shops.
everything has to fit to authentication on your server.

the RPIs in the shop has to boot up into their minimal system
and then, they connect to your content server and have to authenticate by using the stored parameters (MAC/SN/IP/what ever) to get further access.
then your software (executables) will download into RAM (ramfs) of the RPis
and download/stream the content (media/videos/music/pictures) you will show.

ok, that will not protect your RPi or SD card physically,
but if they steal your SD card or RPi, they do not have the software and or media.
if they try to access to your content server, from a wrong IP location / wrong RPi / wrong SD card, your server deny access

yeah, i know, that is also big shit... but what can you do...?
{ I only give negative feedback }
RPi B (256MB), B (512MB), B+, ZeroW; 2B; 3B, 3B+; 4B (4GB)

Return to “Raspberry Pi OS”