technoboi
Posts: 15
Joined: Sun Oct 02, 2011 1:40 pm

Raspbian Lite: Please have SSH enabled by default

Thu Jan 03, 2019 2:05 pm

I cannot see the logic in having to enable SSH on a headless server. It is such a faff having to connect up a monitor and keyboard to enable SSH every time I start with a new install of Raspbian Lite. It should only be necessary to connect up the ethernet and a power supply. If there is some concern that someone might log in, with a monitor connected, and not want SSH enabled, it is perfectly possible to put up a message to this effect on boot up.
So, please can we have SSH enabled by default on Raspbian Lite.

itsmedoofer
Posts: 359
Joined: Wed Sep 25, 2013 8:43 am

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 03, 2019 2:10 pm

Hi,

It was deemed a security risk, I can totally see why it was done with the distro having a default user and password.

Have a look here and you will see you can still setup headless, with a minimal amount of extra messing about...

https://www.raspberrypi.org/documentati ... eadless.md

danjperron
Posts: 3419
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 03, 2019 2:14 pm

No! I think ssh by default has to be disabled.
Think about the number of beginners that don't change the password. I don't want a army of ghost Pi doing nasty stuff. I'm sure that it exist already ;-(

N.B> It is simple to add a file name "ssh" in the boot partition to enable the ssh on first boot. Then you ssh on it and do raspi-config to enable it for good.
No need to connect a keyboard and a monitor. I do it all the times.

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 24129
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 03, 2019 2:15 pm

technoboi wrote:
Thu Jan 03, 2019 2:05 pm
So, please can we have SSH enabled by default on Raspbian Lite.
Sorry, we disabled SSH on by default for security reasons, and we won't be turning it back on by default. See previous post for how to set up SSH headless.

Details on why here https://www.raspberrypi.org/blog/a-secu ... ian-pixel/
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

User avatar
HawaiianPi
Posts: 4857
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Raspbian Lite: Please have SSH enabled by default

Sun Jan 06, 2019 9:09 am

Yup, just add an ssh (or ssh.txt) file to the small FAT32 "boot"partition of a Raspbian imaged SD card, which is accessible on Windows and Mac computers. When Raspbian sees that file it will enable SSH and delete the file (SSH will remain enabled unless you manually disable it).

So it's very simple to enable SSH on a completely headless Pi before you even boot it. I've done it several times, as most of mine are headless. Many also had a pre-configured wpa_supplicant.conf file as well, and automatically connect to my WiFi router.

Code: Select all

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=GB

network={
	ssid="Your network SSID"
	psk="Your WPA/WPA2 security key"
	key_mgmt=WPA-PSK
}
Edit country=, ssid= and psk= with your information and save the file.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

jahboater
Posts: 4826
Joined: Wed Feb 04, 2015 6:38 pm

Re: Raspbian Lite: Please have SSH enabled by default

Sun Jan 06, 2019 10:05 am

HawaiianPi wrote:
Sun Jan 06, 2019 9:09 am
So it's very simple to enable SSH on a completely headless Pi before you even boot it.
+1
I do it routinely. If you are in /boot to change config.txt anyway, then the quickest way is simply:

>ssh

4 characters + return.
Works on Linux, MacOS, Windows 10 WSL.

User avatar
DougieLawson
Posts: 36524
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Raspbian Lite: Please have SSH enabled by default

Sun Jan 06, 2019 10:28 am

Until Raspbian switches to the Ubuntu / Mint style of setting a userid and password during the install & first boot process then you're stuck.

Having a predefined userid/password with root privileges (through sudo) and SSH enabled is a massive security hole (as we've seen in viewtopic.php?f=66&t=230019 you get about four minutes with SSH port 22 open before your machine WILL be compromised.

The solution is not the junk we've got now that warns you, that you're insecure. The only sane solution is complete removal of the insecure pi userid and ask for userid and a strong password as part of first boot.

On my systems I update the sudoers stuff to require a password. I've even gone the step further with a root password (and sudo configured to use that).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

binaryhermit
Posts: 54
Joined: Sun Apr 13, 2014 1:26 am
Location: Lockport, Illinois
Contact: Website

Re: Raspbian Lite: Please have SSH enabled by default

Mon Jan 07, 2019 11:41 pm

You don't need to become root to do malicious things, just saying.
Root just expands your options for mischief.

As others have said, ssh is staying disabled unless they go to the ubuntu style "no predefined account, set up first account on first boot" model.

User avatar
HawaiianPi
Posts: 4857
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Raspbian Lite: Please have SSH enabled by default

Tue Jan 08, 2019 9:33 am

DougieLawson wrote:
Sun Jan 06, 2019 10:28 am
Until Raspbian switches to the Ubuntu / Mint style of setting a userid and password during the install & first boot process then you're stuck.
binaryhermit wrote:
Mon Jan 07, 2019 11:41 pm
... ssh is staying disabled unless they go to the ubuntu style "no predefined account, set up first account on first boot" model.
Yes, but that would require a keyboard and screen for the initial installation, so we're back to square one.

It seems the current image file distribution may be the best solution after all.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

fbe
Posts: 537
Joined: Thu Aug 17, 2017 9:08 pm

Re: Raspbian Lite: Please have SSH enabled by default

Tue Jan 08, 2019 5:58 pm

Instead of looking for an empty ssh file a config file could be used with settings, that otherwise the initial setup would ask for.

danjperron
Posts: 3419
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Raspbian Lite: Please have SSH enabled by default

Tue Jan 08, 2019 8:00 pm

Yes, but that would require a keyboard and screen for the initial installation, so we're back to square one.
Not true!

When you load the O.S. image from your computer to your SDCard. It is a simple task just add a file called "ssh" in the first partition boot. The first partition is available in windows, mac os and linux.


If you have a Linux computer then you could just modify the image before writing your SDCard. This way if you have many cards to burn you need to do it only once!

1 - Download the Image
2 - Unzip the image
3- Get the first partition offset

Code: Select all

daniel@linuxserver:/usr/data/public/RaspberryPi$ sudo fdisk -l 2018-11-13-raspbian-stretch-lite.img

Disk 2018-11-13-raspbian-stretch-lite.img: 1.8 GiB, 1866465280 bytes, 3645440 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7ee80803

Device                                Boot Start     End Sectors  Size Id Type
2018-11-13-raspbian-stretch-lite.img1       8192   98045   89854 43.9M  c W95 FAT32 (LBA)
2018-11-13-raspbian-stretch-lite.img2      98304 3645439 3547136  1.7G 83 Linux
Notice the offset because you need it for step 4

4- Mount the image with loop and add the ssh file

Code: Select all

 sudo mkdir /mnt/sdcardP1
 sudo mount -o loop,offset=$(echo "8192*512"| bc) 2018-11-13-raspbian-stretch-lite.img /mnt/sdcardP1
 cd /mnt/sdcardP1
 sudo touch ssh
 
5- umount the image et voila!

Code: Select all

sudo umount /mnt/sdcardP1
sudo rmdir /mnt/sdcardP1
Now use that version to fill your SDCard! On the first boot the ssh will be available.

B.T.W. A RaspberryPi is a linux computer.
Last edited by danjperron on Tue Jan 08, 2019 11:46 pm, edited 1 time in total.

danjperron
Posts: 3419
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Raspbian Lite: Please have SSH enabled by default

Tue Jan 08, 2019 9:05 pm

Ok I create a single bash script to add the ssh file on the first partition image

addsshfile.sh

Code: Select all

#!/bin/bash

#create mountpartition
mkdir -p  /mnt/sdcardP1
#get partition offset
echo "$1"
typeset -i sectorOffset=`fdisk -l "$1" | awk '/img1/{print $2}'`
byteOffset=$(($sectorOffset*512))
#mount partition
mount -o loop,offset=$byteOffset $1 /mnt/sdcardP1
if [ $? -eq 0 ]; then
  touch /mnt/sdcardP1/ssh
  if [ $? -eq 0 ]; then
    echo "ssh created"
  else
    echo "unable to create file ssh in first partition"
  fi
  #unmount partition
  umount /mnt/sdcardP1
else
  echo "unable to mount file"
fi
Change the script to be executable
ssh +x addsshfile.sh
and run the file with the name of the image using sudo

Code: Select all

daniel@linuxserver:/usr/data/public/RaspberryPi$ sudo ./addsshfile.sh 2018-11-13-raspbian-stretch-lite.img
2018-11-13-raspbian-stretch-lite.img
ssh created
Then the new image will enable the ssh on the first boot.


P.S. You could use that method for your WPA settings. This way when you have a new OS just run the script once for the new image and the WPA settings will be correct when you write a new flash card.

User avatar
HawaiianPi
Posts: 4857
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Raspbian Lite: Please have SSH enabled by default

Wed Jan 09, 2019 10:42 pm

danjperron wrote:
Thu Jan 03, 2019 2:14 pm
It is simple to add a file name "ssh" in the boot partition to enable the ssh on first boot. Then you ssh on it and do raspi-config to enable it for good.
Nope, no need to use raspi-config at all. Once SSH has been enabled with the "ssh" file, it will remain enabled until you manually turn it off.

danjperron wrote:
Tue Jan 08, 2019 8:00 pm
Yes, but that would require a keyboard and screen for the initial installation, so we're back to square one.
Not true!
You really should read a post before replying to it. Your long-winded reply had nothing to do with my post that you quoted. Go back and read my post again, and this time look at the posts I quoted for context. EDIT: And see my previous reply in which I also explained the ssh file.
viewtopic.php?f=66&t=230361#p1412501
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

danjperron
Posts: 3419
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 1:01 am

Sorry about that . I should have make two posts.

I just reply to that specific sentence that in M.O. is wrong!

The proof!

I just download ubuntu 64 bit server and copy the image into the SDcard. Once it was done I put the card into the PI3 and connect to it using ssh.

The first thing it did is to force me to change the password . (user:ubuntu password:ubuntu)
No screen and no keyboard!

viewtopic.php?f=63&t=230742#p1413395


The other part of the post was a way to modify the official image to include the ssh file directly before writing the SDCard.

User avatar
Imperf3kt
Posts: 2967
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 1:08 am

danjperron wrote:
Thu Jan 10, 2019 1:01 am
Sorry about that . I should have make two posts.

I just reply to that specific sentence that in M.O. is wrong!

The proof!

I just download ubuntu 64 bit server and copy the image into the SDcard. Once it was done I put the card into the PI3 and connect to it using ssh.

The first thing it did is to force me to change the password . (user:ubuntu password:ubuntu)
No screen and no keyboard!

viewtopic.php?f=63&t=230742#p1413395


The other part of the post was a way to modify the official image to include the ssh file directly before writing the SDCard.
That's an account already on the operating system.

What is being said is how do you make the account?

Think about it.
To make a user account, which you need to use SSH, you need one of two things: a screen and keyboard, or SSH.
Since you cannot SSH until the account is created... You have but one option left.
55:55:44:44:4C
52:4C:52:42:41

danjperron
Posts: 3419
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 1:18 am

That's an account already on the operating system.

What is being said is how do you make the account?
Yes Ubuntu has the account set and force the user to change the password because it is time overdue!

This is another method to have the user change the password. Has soon that you login it will ask to change the password.

But it is not fully secure because somebody could change the password before you log into it if your Raspberry Pi is connected to the Net. It will be wise the change the password first and then connect to the internet.
Since you cannot SSH until the account is created... You have but one option left.
ubuntu account is there so it is already created. ssh works on first boot! No need for keyboard and screen!

User avatar
Imperf3kt
Posts: 2967
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 2:16 am

danjperron wrote:
Thu Jan 10, 2019 1:18 am
That's an account already on the operating system.

What is being said is how do you make the account?
Yes Ubuntu has the account set and force the user to change the password because it is time overdue!

This is another method to have the user change the password. Has soon that you login it will ask to change the password.

But it is not fully secure because somebody could change the password before you log into it if your Raspberry Pi is connected to the Net. It will be wise the change the password first and then connect to the internet.
Since you cannot SSH until the account is created... You have but one option left.
ubuntu account is there so it is already created. ssh works on first boot! No need for keyboard and screen!
Which is almost exactly how Raspbian currently works!

What was being pointed out was that if you wanted to force a user to create a new (first) account, as a better way of security, then they couldn't SSH until that account existed, which means they cannot SSH into the Pi to create it and therefore will require a keyboard and screen minimum, regardless.
Last edited by Imperf3kt on Thu Jan 10, 2019 2:19 am, edited 1 time in total.
55:55:44:44:4C
52:4C:52:42:41

User avatar
HawaiianPi
Posts: 4857
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 2:19 am

danjperron wrote:
Thu Jan 10, 2019 1:18 am
Yes Ubuntu has the account set and force the user to change the password because it is time overdue!
...
But it is not fully secure because somebody could change the password before you log into it if your Raspberry Pi is connected to the Net. It will be wise the change the password first and then connect to the internet.
And how do you do that without a keyboard and screen (in a way that's simple for beginners)?
ubuntu account is there so it is already created. ssh works on first boot! No need for keyboard and screen!
And that is a security risk, the very same security risk that Raspbian addressed by disabling SSH.

The Raspbian developers chose to eliminate this risk, and offered a simple way to turn on SSH at first boot ... which also restores the risk, but at least it's the user's choice (and you are secure if you don't need SSH).

Raspbian Stretch Desktop versions also have a startup script that changes the password before connecting to the network. They just haven't implemented that in Lite yet, probably because most beginners will start with the Desktop OS. It's not a perfect solution, but it's better than exposing beginners to possible hacking without their knowledge (which is what Ubuntu does).
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

danjperron
Posts: 3419
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 2:58 am

And how do you do that without a keyboard and screen (in a way that's simple for beginners)?
just burn the image and plug into the PI3B.

Don't forget the first post is about headless. No keyboard and no monitor!

So the easiest way to communicate without screen or keyboard is SSH. This is what this post is about!

If you have a mac or linux computer, just type "ssh ubuntu@IP_OF_YOUR_PI" and use the password ubuntu the first time. It will automatically force you to set a new password . On a windows machine install putty.

And that is a security risk, the very same security risk that Raspbian addressed by disabling SSH.
Yes it is a risk and now it is your turn to not read completely what I posted. The risk could be minimize, like I said, by changing the password before you connect the Pi on the Internet and this using your local network via ssh. The way to block internet from your local network is up to you! From me will be to unplug the ethernet cable from the modem. But in reality if you're at home behind a router . The chances are very slim that somebody will have access to your newly ubuntu system before you log on. And since it will ask for a new password right away , it is quite secure.


Don't concentrate on unbuntu you should concentrate on the script I provide to force the ssh on the image if you don't like the way the official image prevent ssh. This could be great by adding on the script the wpa_supplicant.conf. If you have to configure 25 cards for a class then you could add the wifi setup, and the ssh file directly into the image file without the need to configure them later. Going further you could log to the linux partition, inside the image file, and change the hostname. Could be very handy if you create a lab of multiple Rapsberry PI . Mounting an image using the loop device is very powerfull.

User avatar
Imperf3kt
Posts: 2967
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 4:09 am

If you want to setup 25 cards for a class, why not setup one card, and clone it 24 times?
55:55:44:44:4C
52:4C:52:42:41

danjperron
Posts: 3419
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 4:17 am

If you want to setup 25 cards for a class, why not setup one card, and clone it 24 times?
Yes this the best option. You setup one card and you image it. Then you could use a script to change the hostname inside the image file before writing a new card. ;-)

P.S. Be sure that the initial SDCard is the smallest in memory capacity.

User avatar
HawaiianPi
Posts: 4857
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Raspbian Lite: Please have SSH enabled by default

Thu Jan 10, 2019 5:35 am

danjperron wrote:
Thu Jan 10, 2019 4:17 am
Yes this the best option. You setup one card and you image it. Then you could use a script to change the hostname inside the image file before writing a new card. ;-)
Or you could reserve a unique IP address for each computer in the local router or gateway and not have to worry about hostnames at all. Each of my Pi computers has an IP reservation, so it always has the same address, regardless of what's on the card. You set it up once and save a whole lot of hassle later. Just burn-n-boot, and if you have trouble remembering IP addresses, label them.
P.S. Be sure that the initial SDCard is the smallest in memory capacity.
The SD card copier utility in Raspbian can handle larger or smaller cards (as long as the used space is less than the card capacity). So you could clone a 32GB to an 8GB card if the source card had less than 8GB used on it. I believe Debian x86 with the Raspberry Pi Desktop has that utility as well, which should allow for faster cloning on a PC with USB 3.0. I haven't tried that yet myself (been meaning to).
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

Return to “Raspbian”