v1.354 SECURITY IMPROVEMENTS: Debian root password no longer unset/blank

jksjks
edited March 2020 in KiwiSDR Discussion
Beginning with the v1.354 release the system makes a one-time check for the Debian Linux root account having no password set. And also the demo account named "debian" having the well-known default password ("temppwd") set or, alternatively, no password set. Note: these passwords are Linux passwords and are separate and distinct from the Kiwi admin password.

If either of these situations is found then the root and/or debian account passwords are changed as follows:
  • If your Kiwi admin password has been set (i.e. not blank) then this password will be used.
  • If no Kiwi admin password has been set then the Kiwi serial number will be used (written on top of Kiwi PCB in white silkscreen box; also found on "network" tab of admin page and in the log messages).
It is now more important than ever to remember your Kiwi admin password. Please write it down someplace. If you forget your password, and the Kiwi has irreplaceable data that is not backed-up (e.g. an extensively curated dx tags list), you will have to regain Linux root access the old fashioned way: purchase a Beagle serial-to-USB cable and boot Debian in single-user mode to reset the root password. Not fun!

The exact actions taken are shown in the Kiwi log the first time v1.354, or a later version, is run. Some examples:
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: One-time check of Linux passwords..
If no further "SECURITY" messages appear then the root and debian passwords were okay and nothing was done.
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: One-time check of Linux passwords..
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: WARNING Linux "root" password is unset!
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: Setting it to Kiwi admin password
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: "root" password set returned status=0 (OK)
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: WARNING Linux "debian" account password is set to the default!
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: Setting it to Kiwi admin password
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: "debian" password set returned status=0 (OK)
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: One-time check of Linux passwords..
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: WARNING Linux "root" password is unset!
Nov 28 20:25:01 kiwisdr kiwid[12888]: 00:00:37.951 ....      SECURITY: Setting it to Kiwi serial number (because Kiwi admin password unset)
These changes are necessary because Kiwis continue to be installed such that their ssh ports are accessible from the Internet with the root accounts having no password set. This makes them vulnerable to being found and infected by Internet viruses. This can happen if the Kiwi is behind a router but the ssh port is open though the router or if the Kiwi is directly connected to the Internet with a publicly routable address.

It is possible you have intentionally made the root password unset/blank to ease administration when your ssh port is properly secured from Internet access (there are better ways to do this, see e.g. the ssh man page and the file /root/.ssh/authorized_keys). In that case this change will overwrite your unset/blank password and you will have to restore it (e.g. with "passwd -d root").
rz3dvpG0LUJHB9TMC

Comments

  • I think this has gone wrong in my KiwiSDR. I allowed it to update yesterday after a long time of storage. Since then I have not been able to access it locally even though I can see ethernet and other activity happening as usual. I have set a password for admin for access from outside. If it's waiting for a password I have no way of knowing how to enter it.

    I'm not very familiar with Linux but may have to access the Beaglebone directly unless someone has an answer to this one. Thanks.
  • jksjks
    edited December 2019
    I have set a password for admin for access from outside.
    By "outside" do you mean from Internet connections? (i.e. have you opened port 8073 on your router to allow connections to the Kiwi?) If so, what is the Kiwi's URL or what is your public ip address?

    You've tried connecting to the site "my.kiwisdr.com" with a browser on the same local network as the Kiwi and it is not found? Or doesn't respond?

    When you try connecting to the Kiwi using the method you originally used to access it you now get no response at all? When you say you "allowed it to update" were you connected to the Kiwi at the time? That is, were you able to connect to it after its long storage period? I'm trying to understand the exact sequence of events here.
  • Thanks for your help.

    Yes I was connected to it when it started the update on start-up but that was the last time it worked and I couldn't access it at all or see it on my.kiwisdr.com

    However I just went back to the system on the original memory card then allowed it to update all over again and it worked this time. So just an error occurred whilst updating.

    I've made a more recent copy now of the system on a new card for use if it happens again.

    cheers

    Tony
  • Okay. I hope it wasn't too much trouble to reenter all your configuration customizations. A very good idea to make a backup of the current setup (I wish more people would do that).
  • I recommend turning off password authentication in SSH if at all possible. In my opinion, this is the single most important thing you can do to secure ANY UNIX-like system on the Internet. Automated password-guessing attacks on SSH servers have been going on for years, and this stops them cold.

    To turn off password authentication, go into /etc/ssh/sshd_config, find the lines that say

    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes

    and append
    PasswordAuthentication no

    You MUST have already generated and set up RSA authentication for every login you intend to access with SSH. The RSA public key(s) go(es) into the file ~/.ssh/authorized_keys. Test this before you disable password authentication.
    WA2ZKD
Sign In or Register to comment.