On Thu, Mar 2, 2017 at 6:56 PM Jason Kridner <[email protected]> wrote:
> On Thu, Mar 2, 2017 at 6:22 PM Kurt Talke <[email protected]> wrote: > > Hi, > > I’m wondering why logging in over ssh as root is not longer possible on > the latest BBB image. For installing embedded lab view, I need to be able > to log in as root. > > I tried changing the root password, which actually shows properly in > /etc/shadow, but I’m still unable to ssh in as root even with the new > password. Is there any way to alter this? > > > It is a basic security step. You'll need to ssh in using the debian user > (with temppwd password), then use 'sudo su -' (typing the password again). > > To alter it, as root: > sed -e "s/^PermitRootLogin without-password/PermitRootLogin yes/" -i > /etc/ssh/sshd_config > systemctl restart sshd > > Maybe we can align on a better way to install the labview service? Can an > installer be copied over to the debian user account and then installed > using 'sudo'? Is there a way to have the user provide a password? > I forgot to make the suggestion that simply using a public key might be sufficient. You'd still have to get logged in as root once, but once you copied the public key into /root/.ssh/authorized_keys, the labview host would be able to repeatedly log in without providing a password. https://www.debian.org/devel/passwordlessssh Of course, the above recommends never doing this as 'root', but it is still a lot better than allowing simple dictionary look-up passwords to the root user. > > The issue is that I've gotten fairly embarrassed about our lack of default > security. The tipping point was the analysis that security experts have > provided me regarding the DDoS attack on DNS servers back in October that > targeted IoT devices. The vulnerability was simply walking in the front > door on many of these devices, such as doing ssh as 'root' with various > default passwords and other dictionary username/password combos. Honestly, > I'm not sure that they wouldn't try debian/temppwd, but at least now sudo > will ask you a password. > > We knew this change would generate screams and you are the first one to > scream. Now we have to start working on the tradeoffs to keep your stuff > working and stop participating in botnets. > > > > > -Kurt > > -- For more options, visit http://beagleboard.org/discuss --- You received this message because you are subscribed to the Google Groups "BeagleBoard" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/beagleboard/CA%2BT6QPkY2DX-3KP7uMDDXjuwWceukegGVzZF1zS53du4-G8e2A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
