Default password

[hellfi]

Hi!

With SSH opened up, I think one of those should be done (sorted by my preference):

• disabling password authentication for SSH via imagebuilder.sh
• generating unique passwd entry via imagebuilder.sh
• adding a note to the readme to use passwd after rooting (as if anyone would read/act on it)

[dgiese]

There are 2 things: I would not like to have more IoT devices with a default password. I know most people.... they never change the password :)
Also the password is overwritten while the update process. There are two alternatives:

• using adbd: so you can connect over "adb shell"
• creating a new user in the image with sudoers rights

[hellfi]

I was referring to the "default" password found in /var/shadow after upgrade/gaining access:
root:$6$2akWMpeG$.DgVvbzMaThL.FXcfv2QLtqqDHEMiYQevVOYHcbdJPEf.noSXROXWw57RJfOjJY kDcg1u0ut5RkvAxaUYyjdd/:17594:0:99999:7:::
I don't remember changing or setting it in the first place.. is it unique?

[florolf]

The updater derives the root password from the (unique-per-device and not derived from anything else, as far as I can tell) /mnt/default/vinda file by XORing each byte with 0x37. If vinda contains CDSQ[VBQ][VP[VPV, for example, the root password would be

$ perl -e 'print(join("", (map { chr(ord($_) ^ 0x37) } split(//, $ARGV[0]))), "\n");' 'CDSQ[VBQ][VP[VPV'
tsdflaufjlaglaga

HTH