sshd enabled by default on the default maru account is a security risk #76

Closed
pdsouza opened this Issue May 17, 2017 · 12 comments

pdsouza commented May 17, 2017

Some important concerns were raised on this HN thread about having sshd enabled on the default maru account with default password.

A quick fix for this is to disable sshd out-of-the-box, and have users explicitly enable it. This was the way Maru used to do it before background desktop start-up was introduced in v0.3: #22 (comment), #5 (comment).

Something to think about in the longer term is account management in general. Ideally we don't have a default account at all--instead, we have a welcome app on the phone that starts up on first boot, and prompts the user to set up an account and password for Maru Desktop. sshd can then be enabled after a password has been set.

Edit: updated HN thread link to point to specific comment


pdsouza May 17, 2017

Member

For any users running v0.3 and up who don't want to wait for a new patched release, the fix for this is very easy to apply yourself: simply change the default password for the default maru account.

1. Change the default maru account password

If you are using Maru Desktop graphically with an HDMI display and BT keyboard/mouse or over VNC:

  1. Open up a Terminal (Applications Menu > Terminal Emulator)
  2. Type passwd maru
  3. Follow the instructions to set your new password*

Otherwise, if you are using Maru Desktop via ssh:

  1. ssh into the default maru account (ssh maru@<your-ip-address>)
  2. Type passwd
  3. Follow the instructions to set your new password*

Please remember to use a strong password!

*If you are prompted for the current password before setting your new password, the default password is "maru".

2. (OPTIONAL) Disable sshd if you don't need ssh access to your desktop

  1. Open up a Terminal (Applications Menu > Terminal Emulator) or ssh into your account
  2. Type sudo systemctl stop ssh
  3. Type sudo systemctl disable ssh

pdsouza May 22, 2017

Member

SSH services have been disabled by default in maruos/blueprints@690c3b6.

Keeping this issue open as a notice until the new release is ready.


regular May 30, 2017

How about creating an ssh key pair in the install script and copying the public key into ~maru/.ssh/authorized_keys? Password authentication can then be disabled by default (in /etc/sshd.conf) and thus having sshd on-by-default would be perfectly safe!

In order to log in, the user would have to use ssh -i <private-key-file> maru@<ip>
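
The default-password exposure this issue describes, and the key-only setup proposed in the comment above, can both be checked mechanically. The script below is an added example, not part of the thread or of the Maru project's code; it assumes OpenSSH's sshd_config syntax (on Debian the file is /etc/ssh/sshd_config), and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this sshd setup still accept password logins?

# Effective global value of KEYWORD in an sshd_config-style FILE. sshd keeps
# the first occurrence of a keyword; keyword names are case-insensitive.
# Parsing stops at the first "Match" line (conditional blocks are not global).
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    [ -r "$1" ] || { echo "$3"; return 0; }
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want && n >= 2) { val = f[2]; exit }
        }
        END { print val }' "$1"
}

# Number of key entries (non-blank, non-comment lines) in authorized_keys.
authorized_key_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

audit_ssh_exposure() {  # usage: audit_ssh_exposure SSHD_CONFIG AUTHORIZED_KEYS
    pw=$(sshd_effective "$1" PasswordAuthentication yes)   # OpenSSH default: yes
    if [ "$pw" != "no" ]; then echo "password-login-open"
    elif [ "$(authorized_key_count "$2")" -gt 0 ]; then echo "key-only"
    else echo "no-login-path"            # passwords off and no key installed
    fi
}

# Constructed sample files (not taken from a Maru image).
run_constructed_cases() {
    d=$(mktemp -d)
    printf '#PasswordAuthentication no\nPermitRootLogin no\n' > "$d/stock"
    printf 'passwordauthentication no\nPasswordAuthentication yes\n' > "$d/hard"
    printf '# laptop\nssh-ed25519 AAAAC3constructedkey user@laptop\n' > "$d/keys"
    : > "$d/empty"
    echo "$(audit_ssh_exposure "$d/stock" "$d/keys")" \
         "$(audit_ssh_exposure "$d/hard" "$d/keys")" \
         "$(audit_ssh_exposure "$d/hard" "$d/empty")"
    rm -rf "$d"
}
run_constructed_cases
```

On a live system, sshd -T prints the effective configuration directly. Keyboard-interactive (PAM) authentication is a separate setting that this check does not cover.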


regular May 30, 2017

I do not have an external screen (yet) and now I don't know how I can enable sshd "from the outside". I guess, it must be some combination of adb shell and chroot?


regular May 30, 2017

I just found that (on Android) you can go to Settings > Desktop > Dashboard and that you can start the maru container from there without having a display connected (maybe that's a good candidate for the FAQ), and then, indeed, ssh works.


pdsouza May 31, 2017

Member

@regular Sorry for the confusion--I agree that isn't obvious. I've updated https://github.com/maruos/maruos/wiki/Tips on how to start the desktop container in the background.


regular May 31, 2017

Thank you @pdsouza and thank you even more for your great work here!


pdsouza Jun 3, 2017

Member

sshd is disabled by default in v0.4.1, please upgrade! v0.4.1 release notes (including upgrade notices) and downloads are available here: https://github.com/maruos/maruos/releases/tag/v0.4.1


@pdsouza pdsouza closed this Jun 3, 2017


jeff-hogan Feb 25, 2018

Found a solution for starting ssh without a SlimPort adapter, this worked on Nexus 7.

  1. adb shell
  2. cd /data/maru/containers/jessie/rootfs/home/maru
  3. vi .xsession
    (paste the following into .xsession)
    echo maru | sudo -S systemctl enable ssh
    echo maru | sudo -S systemctl start ssh
  4. chmod 755 .xsession
  5. chown u9_system:u9_system .xsession
  6. exit shell and start system
  7. Settings -> Desktop -> Dashboard -> On
  8. Then you can ssh in and delete .xsession


pdsouza Feb 26, 2018

Member

@jeff-hogan Thanks for the tip! Feel free to add to our tips wiki in case it helps others!


prateek33 Mar 21, 2018

Running the command: cd /data/maru/containers/jessie/rootfs/home/maru
produces an error:
127|shell@flo:/data $ cd /data/maru/containers/jessie/rootfs/home/maru
/system/bin/sh: cd: /data/maru/containers/jessie/rootfs/home/maru: Permission denied

I tried ADB root but:
~/Downloads/maru-v0.4.1-installer-flo-mac-d23147b4$ adb root
adbd cannot run as root in production builds

Any help? Without SSH, installing MaruOS is useless for me. I need SSH access.


pdsouza Mar 27, 2018

Member

@prateek33 Ah yeah, you will need root privileges to directly access /data/maru. I believe @jeff-hogan must have rooted his build. I definitely agree that we need an easier way to enable SSH in a headless setup like yours...it would be nice to have an "Enable SSH" toggle in Settings > Dashboard that could set up SSH behind the scenes for you. No guarantees I can work on it atm but it's definitely on my TODO list -- keep an eye on #78.
