from Hacker News

Raspberry Pi update removes the default user

by ez_mmk on 4/7/22, 7:17 PM with 165 comments

  • by alar44 on 4/7/22, 10:40 PM

    Good.

    8ish years ago, I wrote a script to search out Pis with port 22 opened to the internet with default un and pw. Let it run overnight.

    The next morning I checked the log and it found thousands of Pis that I could have just logged into with root privileges if I wanted.

    Never trust users.

  • by chmod775 on 4/8/22, 7:02 AM

    > In 2017, for example, hackers stole data from a US casino via an internet-connected fish tank.

    What can I possibly say to make this funnier.

  • by jdubb on 4/8/22, 10:38 AM

    Just yesterday I was flashing Raspberry OS to a micro SD card. Not succeeding with Balena Etcher, I opted to use the RPi imager tool, which did work (which might be an issue not in any way related). After that I added the `ssh` file to the boot partition and tried connecting to it via SSH. Providing username pi and password raspberry, connecting fails with invalid password, no matter how many times I tried. Searching all over the internet for whether the password was different nowadays, but coming up with zip, frustrated, I went to bed.

    Reading this today it hits me that this change might just be the cause.

    If that turns out to be the case, there should really be some indication in the RPi imager tool.

  • by Karellen on 4/7/22, 10:45 PM

    Wait, is this an update to the OS, or an update to the installer?

    If I upgrade my existing Pis, are the currently in-use `pi` users (which have non-default passwords) going to be removed?

    About half the article makes it sound like it's an OS update, but the other half makes it sound like an installer update, and there's a big difference between those two scenarios.

  • by ajsnigrutin on 4/7/22, 10:07 PM

    Wtf? So how do I install this headlessly, without needing a separate piece of software (imager?)?

    I used to just dd the image, touch the 'ssh' file on the boot partition, and then change stuff over ssh.

  • by tzs on 4/8/22, 1:27 AM

    The BBC article that the submitted article cites says of the law requiring this:

    > Included within its scope are a range of devices, from smartphones, routers, security cameras, games consoles, home speakers and internet-enabled white goods and toys.

    > But it does not include vehicles, smart meters and medical devices. Desktop and laptop computers are also not in its remit.

    Wouldn't an RPi be considered to be a desktop computer?

  • by op00to on 4/7/22, 10:57 PM

    Damn, I’m so used to googling default passwords for stuff. Now I gotta remember my own?

  • by londons_explore on 4/7/22, 9:26 PM

    I'm pretty sure the law discourages default passwords. I don't see anything wrong with default users, especially on systems which are usually single-user.

  • by alerighi on 4/7/22, 10:41 PM

    This is good because I always ended up removing the default user and creating another or just using root.

    You can always mount the SD card partition and put your ssh key into /root to log in with that. An improvement could be to also load ssh key from the /boot partition so also windows/mac users could do that easily.

    By the way using root with an ssh key is fine and not a problem in terms of security.

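The headless workflow asked about above (ajsnigrutin's dd-then-touch-`ssh` routine and alerighi's mount-the-card-and-drop-a-root-key approach) still works with this release; what changes is that the user must now be declared up front. As an added example, not code from the thread or from the Raspberry Pi project, the functions below prepare a freshly written card from a Linux host. They assume the boot (FAT) partition is mounted at the directory passed as `$1` and the root (ext4) partition at `$1` of the second function; the user name, password and public key are placeholders. The `userconf.txt` mechanism is what the April 2022 Raspberry Pi OS release reads on first boot: one line, `username:hash`, with the hash in the SHA-512 crypt format that `openssl passwd -6` produces.

```shell
#!/bin/sh
# Added example (not from the thread or the Raspberry Pi project): prepare a
# Raspberry Pi OS card for headless SSH access without the Imager GUI.
# Assumptions: the boot partition is mounted at the directory given as $1 of
# prepare_boot, the root partition at $1 of install_root_key, and the host has
# an OpenSSL (1.1.1 or newer) that supports `passwd -6`.
set -eu

# Write the two files read from the boot partition on first boot:
#   ssh          - empty marker file, enables the SSH server
#   userconf.txt - "username:hash", creates that account instead of "pi"
# The hash is SHA-512 crypt as produced by `openssl passwd -6`.
prepare_boot() {
    boot="$1" user="$2" password="$3"
    command -v openssl >/dev/null 2>&1 || { echo "openssl required" >&2; return 1; }
    hash=$(printf '%s\n' "$password" | openssl passwd -6 -stdin)
    : > "$boot/ssh"
    printf '%s:%s\n' "$user" "$hash" > "$boot/userconf.txt"
}

# alerighi's variant: drop a public key into root's authorized_keys on the
# mounted root filesystem.  OpenSSH's default PermitRootLogin (prohibit-password)
# allows key-based root login, so this works without editing sshd_config.
# Run as root on the host so the files end up owned by uid 0, which sshd's
# StrictModes check requires; the mode bits are set explicitly here.
install_root_key() {
    rootfs="$1" pubkey="$2"
    mkdir -p "$rootfs/root/.ssh"
    chmod 700 "$rootfs/root/.ssh"
    printf '%s\n' "$pubkey" >> "$rootfs/root/.ssh/authorized_keys"
    chmod 600 "$rootfs/root/.ssh/authorized_keys"
}

# Example usage (after `dd if=image.img of=/dev/sdX` and mounting both partitions):
#   prepare_boot /mnt/boot pi 'a-passphrase-you-chose'
#   install_root_key /mnt/rootfs "$(cat ~/.ssh/id_ed25519.pub)"
```

The password never touches the card in clear text, only its hash does, which is why this is acceptable on a partition that anyone with the card can read; a key-only setup via `install_root_key` avoids even that.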
  • by air7 on 4/8/22, 1:59 PM

    I don't know, I seem to be in the minority according to the comments here, but I like my default credentials, thank you very much. I have tons of gear laying around, some of which is collecting dust in a drawer, and if the default creds don't work I might be in a bind because I'm not organized enough to "do it right". These devices are not open on the internet, obviously, and per my threat model, anything on my local lan is deemed safe.

    More importantly perhaps, I am willing (and actually want) to have the freedom to do this, and to take responsibility for any problems I might cause for myself.

    This issue is part of a more general ethical conundrum spanning many areas of life: How much should people be protected from themselves? I guess my personal answer is, not a lot.

  • by qwerty456127 on 4/8/22, 9:11 AM

    One of the minor things I like the most about Raspberry Pi is it has the default user.

    Since the days desktop OSes (i.e. Windows 2000 Professional) first started to demand the user to name themselves and sign-in (which didn't protect their data anyway and still doesn't protect today as Windows Home doesn't include BitLocker) I hated this useless complexity. I in fact met many hundreds of PC users and just a minuscule fraction of them (also of those sharing a PC among a number of family members) used an actual multi-user set-up.

    Linux seemingly did this from the very first day because of its non-PC Unix legacy.

    Once I tried Raspberry Pi I felt a pleasant relief: it never asked (although allowed) me to personalize it and just worked. I didn't have to invent a nickname nor expose my real name. It was just a handy tool like in good old days when you didn't have to connect your oven to WiFi.

    PS: I do understand how useful the OS's multi-user mechanism is to limit what untrusted app instances can do.

  • by vorticalbox on 4/8/22, 8:16 AM

  • by MarkusWandel on 4/7/22, 10:54 PM

    Well, at least the default, non-expert install of the Raspi OS doesn't enable ssh logins.

  • by aorth on 4/8/22, 5:48 AM

    That's an interesting solution. Good luck, future Raspberry Pi users! I know this will make it a little more difficult for the less technical to get their Pi units set up.

    I can confirm that I have dozens of public Linux servers with SSH exposed and user `pi` is constantly being attempted for login. I ban them all immediately and automatically.

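The automatic banning aorth describes is a small log-parsing job. As an added example, not code from the thread, the functions below take sshd log lines on stdin, count failed password attempts against the `pi` account per source address, and list the addresses that cross a threshold. The sample log is constructed here (RFC 5737 documentation addresses); only the `Failed password` line is counted so that the separate `Invalid user pi` line sshd also emits for a non-existent account does not double-count one attempt.

```shell
#!/bin/sh
# Added example (not from the thread): find SSH sources hammering the "pi"
# account from sshd syslog lines on stdin, the input to an automatic ban.

# Constructed sample in sshd's syslog format; addresses are RFC 5737 ranges.
sample_log() {
    cat <<'EOF'
Apr  8 05:48:01 srv1 sshd[4021]: Invalid user pi from 203.0.113.7 port 51000
Apr  8 05:48:03 srv1 sshd[4021]: Failed password for invalid user pi from 203.0.113.7 port 51000 ssh2
Apr  8 05:48:05 srv1 sshd[4023]: Failed password for invalid user pi from 203.0.113.7 port 51002 ssh2
Apr  8 05:48:06 srv1 sshd[4025]: Failed password for invalid user pi from 203.0.113.7 port 51004 ssh2
Apr  8 05:49:10 srv1 sshd[4030]: Failed password for pi from 198.51.100.4 port 4422 ssh2
Apr  8 05:49:30 srv1 sshd[4031]: Failed password for invalid user admin from 198.51.100.4 port 4423 ssh2
Apr  8 05:50:00 srv1 sshd[4040]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
EOF
}

# Count failed password attempts for user "pi" per source IP.
# Matches both forms sshd logs: "Failed password for pi from <ip>" when the
# account exists and "Failed password for invalid user pi from <ip>" when it
# does not.  Output: "<ip> <count>" lines, sorted by IP.
pi_attempts_by_ip() {
    awk '
        / sshd\[[0-9]+\]: Failed password for (invalid user )?pi from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort
}

# Print the IPs with at least $1 attempts (default 3): the ban list.
ban_candidates() {
    threshold="${1:-3}"
    pi_attempts_by_ip | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Example usage against a live log:
#   journalctl -u ssh --since today --no-pager | ban_candidates 3
#   sample_log | ban_candidates 3      # prints 203.0.113.7
```

This is the core of what fail2ban's sshd jail automates with a time window and an iptables/nftables action; the threshold is the knob that decides between catching a scanner on the first few guesses and not locking out a user who mistyped a password.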
  • by vault on 4/7/22, 10:20 PM

    I thought it was still April 1st

  • by ruined on 4/7/22, 9:59 PM

    site is down for me but there's an archive snapshot

    https://archive.ph/gxhCC

  • by nonsince on 4/8/22, 9:24 AM

    Good, but frankly it’s pretty embarrassing for them that it took the threat of a multi-million pound fine before they made this change.

  • by gpvos on 4/8/22, 9:18 AM

  • by wanderer_ on 4/7/22, 10:44 PM

    Now it's just a matter of time before I start losing installs because I can't remember passwords...

  • by nottorp on 4/8/22, 9:55 AM

    So I can't set up a headless Pi any more without using that imager tool?

  • by amelius on 4/8/22, 11:40 AM

    Is this a law in the UK only? Do the EU and US have something similar?

  • by exfascist on 4/7/22, 10:57 PM

    They should have just removed the password. Default passwords are braindead. Default users really aren't that bad.

    Fun anecdote: I used to log into people's Pis in college and show them that they needed to change the password. People don't react nicely to that.

  • by jimmaswell on 4/8/22, 2:54 AM

    It feels like a continuation of the anti-self-determination trend of putting rounded corners and foam padding on everything. No passwords allowed on github, no running x program as root, make it as hard as possible to add unapproved browser extensions, etc. and now the raspberry pi has to be less convenient to set up to protect people who don't care enough to know what they're doing from themselves. I hate it.

  • by StillBored on 4/8/22, 2:38 AM

    Why does the RPi still have its own OS? The major linux distros have been doing this for years in their installers/disk images. It seems like just about every week they announce a feature that already works everywhere else. It's sorta like all the "I got a ssh server running on my Pi" articles. Not at all noteworthy, except for the fact that the machine is by default quite dysfunctional.

    So it was yet another reason for the RPi foundation to stop being stupid, and just conform their firmware to SystemReady, and post their fixes upstream. All these custom hoops they keep jumping through to duplicate what every other OS/firmware already supports just speaks to bad mgmt. So, yah they are the most successful Arm sbc vendor, and this all made sense 10 years ago when none of the distros had working arm ports and there wasn't much in the way of standard arm system architecture. Those days are long gone, and the people clinging to them are just sticking their heads in the sand. Particularly since 3rd parties have basically done 3/4 of the work for them and ported a full blown UEFI/ACPI environment to the darn thing.

    So, they need to put on the big boy pants and stop playing the NIH game.