
A security update for the Raspberry Pi - alexellisuk
https://www.raspberrypi.org/blog/a-security-update-for-raspbian-pixel/
======
jcriddle4
I wonder if instead they could setup a fake or jailed SSH that would let you
login, it would then display helpful info about how to really enable SSH and
then it would kick you out?

~~~
aexaey
You don't even need a jail for that. Just add those lines to the end of
/etc/ssh/sshd_config:

    Match User pi
        AcceptEnv
        ForceCommand echo 'To enable SSH, do this and that'

EDIT: added an explicit empty "AcceptEnv".

~~~
tinus_hn
Allowing untrusted users to run programs is a recipe for disaster.
Forcecommand runs its commands using a login shell that gets a lot of
information from the connecting user. It wouldn't be the first time someone
found an obscure environment variable that turns this into a remote shell.

------
aq3cn
TL;DR

> put a file called ssh in the /boot/ directory with any content to enable SSH
> which we turned off by default to prevent unauthorized access of your device
> in a public network.

I wonder how many people are going to scratch their heads when their headless
Raspberry Pi is unable to connect to their laptop in the same way as before,
without this piece of information.

I hope running sudo apt-get update notifies them of this critical change.

~~~
alexellisuk
Yes, this ruins just about every Pi-from-scratch tutorial. The worst part is if
this affects the "lite" distro, which is headless. The beauty of using an image
like Raspbian Lite was being able to flash, ssh (IP via DHCP), change
password/hostname and done.

~~~
Declanomous
If you can flash an SD card you can turn on SSH with the new method. All my
Pis are headless, and this is a mild inconvenience at best. Way less
inconvenient than the internet falling apart because users don't know anything
about security.

~~~
alexellisuk
New method is what? I sometimes mount the Linux partition if I'm flashing from
a Linux PC to edit hostname etc but this is extra hassle especially if using a
Mac.

~~~
Declanomous
You add a file named ssh to the boot directory. This permanently enables SSH.
The boot partition is FAT-formatted and can be edited on basically any device
as a result. It's right in the linked article.

------
jepler
A great enhancement would be: if this file (/boot/ssh) is not empty, and
~root/.ssh/authorized_keys doesn't exist, then copy the file there and set up
key-only ssh access.
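jepler's proposal as an added shell example (not Raspbian's boot hook and not code from the article): the marker path, root's home and the sshd fragment path are parameters so it can be exercised against scratch directories; it assumes an sshd that reads the fragment via Include (on an older sshd the fragment would be appended to /etc/ssh/sshd_config), and enabling the ssh service itself is left to the existing boot hook.

```shell
#!/bin/sh
# Added example, not Raspbian's own code: implements jepler's idea.
# If the marker file has content, every line that looks like an OpenSSH
# public key is installed as root's authorized_keys (only if none exists
# yet) and a config fragment turning password logins off is written.
# An empty marker keeps the documented behaviour (just enable SSH).
set -eu

# Lines that look like an OpenSSH public key: type, base64 blob, optional comment.
KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'

# install_keys_from_marker MARKER ROOT_HOME SSHD_FRAGMENT
#   MARKER         e.g. /boot/ssh
#   ROOT_HOME      e.g. /root
#   SSHD_FRAGMENT  file receiving the key-only directives (assumes an sshd
#                  with Include; otherwise append it to /etc/ssh/sshd_config)
# Returns 0 when keys were installed, 1 when there was nothing to do.
install_keys_from_marker() {
    marker=$1
    ssh_dir=$2/.ssh
    fragment=$3

    [ -s "$marker" ] || return 1                     # absent or empty marker
    [ ! -e "$ssh_dir/authorized_keys" ] || return 1  # never clobber existing keys
    # The marker lives on a FAT partition and is often written on Windows,
    # so strip CRs before matching. Bail out if no line is key-shaped.
    tr -d '\r' < "$marker" | grep -Eq "$KEY_RE" || return 1

    # Everything created from here on is owner-only (0700 dir, 0600 files).
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    # Copy only the key-shaped lines, never arbitrary bytes from the marker.
    tr -d '\r' < "$marker" | grep -E "$KEY_RE" > "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"

    mkdir -p "$(dirname "$fragment")"
    printf '%s\n' 'PasswordAuthentication no' \
                  'ChallengeResponseAuthentication no' \
                  'PubkeyAuthentication yes' > "$fragment"
    return 0
}
```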

~~~
VLM
Another great enhancement: a lot of ethernet-speaking hardware ships with a
sticker or something containing the MAC address, but not the Pi.

If the Pi shipped with a little sticker containing the MAC address, it would
be quite trivial to change the username and password to the MAC address as
seen by /sbin/ifconfig, which optimistically matches the physical sticker.

Of course there aren't many possible MAC addresses; however, there are more
than just one.

Another entertaining idea is if you're on a private network that can't access
8.8.8.8 or whatever, then assume it's safe to enable ssh by default.

Or if some sort of "what is my IP address" service returns a public IP address
that matches /sbin/ifconfig, then here be dragons and disable ssh by default.

Another fun idea is when you boot the first time sshd is enabled for.... a
little while, and then blocked after some time or a power cycle. Some crontabs
support a syntax like @reboot sleep 300 && block_ssh.sh, where block_ssh
engages an iptables rule that eats incoming ssh port packets. Or whatever time
period feels right. So if you're on a public network and worried, simply boot
and don't plug in for 6 minutes or whatever, and you're good. Or if you want
ssh then you boot, and as fast as possible log in via ssh and enable it. For the
extra paranoid, note it's not hard with a script to ensure you get 5 minutes of
working ssh only once per burning of the flash image, assuming your flash
isn't in write-protect mode LOL.

OH, edited to add my favorite new idea: if you boot and GPIO port #something is
pulled to ground, then enable SSH going forward. Sure would be nice if that
GPIO pin were adjacent to a GND pin. Maybe you could code in something that
flashes onboard LEDs to provide feedback.

~~~
mercora
OpenWrt does it somewhat like described. If booted unconfigured you can ssh
into it as root without any password. The web interface asks for a new one as
the first thing to do. I would like it if they would do the same via ssh so
you immediately know someone had access before you.

I think it is the best solution because it makes you immediately notice that
you might not actually want anybody to log in without any password at all. And
any other method has worse trade-offs.

------
molecule
Though the actual article title and URL state "For Raspbian Pixel" the author
replies in the comments that this also applies to Raspbian Jessie Lite.

[https://www.raspberrypi.org/blog/a-security-update-for-raspb...](https://www.raspberrypi.org/blog/a-security-update-for-raspbian-pixel/#comment-1265956)

------
frio
I had a wee wonder whether this could in itself be exploitable -- whether some
other compromise could end up dropping a file in /boot/ssh and then waiting
for a reboot to enable persistence. I guess by that point, however, you've
_probably_ already lost so that threat model likely doesn't matter.

I'm interested in whether this will make a meaningful difference, however. It
probably would have been nicer if Raspbian required users to put a root
password into /boot/password or similar, and then deleted _that_ file on boot
-- or mandated that users change their password on first login. My concern
with this is that I suspect most tinkerers will press the "make it work"
button, drop /boot/ssh in, and never bother changing the password.

------
tym0
Isn't it a bit overkill? It's not like you can access them from the internet
if they're on the local network. No?

~~~
krylon
If you have a Pi (or several) on a private network, say, behind a NAT router,
there should be no problem either way.

I guess a sufficient number of people have put Pis on the Internet, or the
recent wave of IoT-DDOS attacks has spooked the Raspberry people sufficiently
to make this change.

~~~
alexellisuk
It feels like a pre-emptive precaution. I'm sure most people running a Pi at
home have no way for their SSHD port to be exposed, and if they do set up NAT
port forwarding they should look into how to make that more secure.

------
jefurii
So this is why my RPi is no longer responding to SSH?

~~~
foobarchu
No, it's not. This applies only to the images, it's not being pushed out. This
only matters if you download and flash a new image to your pi.

