Changing default Pi account name


#1

Hey everyone!

When setting up my Pi I want to change the default login on the Pi itself from "Pi" to something else. The problem is that every time I do, Octoprint stops working due to its dependency on the "Pi" user account. I plan on using my Pi in a public makerspace and want to increase my security. I have followed two guides on how to do it and both have resulted in breaking Octoprint.

I am new to coding and will need a little assistance when you ask for logs etc...

Here are the two guides I tried:
First: https://www.modmypi.com/blog/how-to-change-the-default-account-username-and-password
Second: http://unixetc.co.uk/2016/01/07/how-to-rename-the-default-raspberry-pi-user/

I am using a Raspberry Pi 3 Model B v1.2 With OctoPrint version: 1.3.8 and OctoPi version: 0.15.0


#2

How does changing the username increase the security?
A good pw or sshkey-only login increases security :wink:


#3

Not sure what an sshkey is. But having a universally known username is still a security risk. Ask any security professional. By changing the username someone with malicious intent now has to guess two bits of information to get in. Not just one.


#4

Not that I've ever done this before...

  • Assume that you've used the ModMyPi suggestions and have renamed the pi username to elvis
  • Do an ls -al ~/.octoprint to verify that all the files are owned by elvis with a group of elvis. (I assume that the ModMyPi suggestions didn't include creating or otherwise renaming the pi group which is also involved here.) Or leave the files as owned by elvis:pi then (username:group).
  • If this isn't the case, then I think I would try to recursively chown everything there to the new user you've created (assuming that they're still pi:pi). This goes for everything in the former-pi's home directory.
  • Edit ~/scripts/octoprint.default and update OCTOPRINT_USER.
  • Having done cd ~ verify the folder. If it's not /home/pi then many things need to change.

You might want to consider adding Access Control in the startup wizard for the sake of security. And you can use sudo raspi-config to update the default password for the pi user as well. I think this is the usual method of trying to keep it secure. Anything else as described above is going to make updating a nightmare.


#5

I tried to edit the octoprint.default file but it came up empty.

I should have posted this before, but here's my log as of now

2018-06-07 04:29:39,284 - octoprint.startup - INFO - ******************************************************************************
2018-06-07 04:29:39,285 - octoprint.startup - INFO - Starting OctoPrint 1.3.8
2018-06-07 04:29:39,285 - octoprint.startup - INFO - ******************************************************************************
2018-06-07 04:29:40,547 - octoprint.plugin.core - INFO - Loading plugins from /home/pi/oprint/lib/python2.7/site-packages/octoprint/plugins, /home/pi/.octo$
2018-06-07 04:29:42,879 - octoprint.plugin.core - INFO - Found 10 plugin(s) providing 10 mixin implementations, 4 hook handlers
2018-06-07 04:29:43,008 - octoprint.server.heartbeat - INFO - Starting server heartbeat, 900.0s interval
2018-06-07 04:29:43,085 - octoprint.server - INFO - Intermediary server started
2018-06-07 04:29:43,086 - octoprint.plugin.core - INFO - Loading plugins from /home/pi/oprint/lib/python2.7/site-packages/octoprint/plugins, /home/pi/.octo$
2018-06-07 04:29:43,692 - octoprint.plugin.core - INFO - Found 10 plugin(s) providing 10 mixin implementations, 4 hook handlers
2018-06-07 04:29:43,694 - octoprint.printer.profile - ERROR - Profile _default does not exist, creating _default again and setting it as default
2018-06-07 04:29:43,843 - octoprint.filemanager.storage - INFO - Initializing the file metadata for /home/pi/.octoprint/uploads...
2018-06-07 04:29:43,844 - octoprint.filemanager.storage - INFO - ... file metadata for /home/pi/.octoprint/uploads initialized successfully.
2018-06-07 04:29:45,927 - octoprint.util.pip - INFO - Using "/home/pi/oprint/bin/python2 -m pip" as command to invoke pip
2018-06-07 04:29:47,530 - octoprint.util.pip - INFO - Version of pip is 10.0.1
2018-06-07 04:29:47,531 - octoprint.util.pip - INFO - pip installs to /home/pi/oprint/lib/python2.7/site-packages (writable -> yes), --user flag needed -> $
2018-06-07 04:29:47,531 - octoprint.util.pip - INFO - ==> pip ok -> yes
2018-06-07 04:29:47,534 - octoprint.plugin.core - INFO - Initialized 10 plugin implementation(s)
2018-06-07 04:29:47,646 - octoprint.plugin.core - INFO - 10 plugin(s) registered with the system:
| Announcement Plugin (bundled) = /home/pi/oprint/lib/python2.7/site-packages/octoprint/plugins/announcements
| Core Wizard (bundled) = /home/pi/oprint/lib/python2.7/site-packages/octoprint/plugins/corewizard
| CuraEngine (<= 15.04) (bundled) = /home/pi/oprint/lib/python2.7/site-packages/octoprint/plugins/cura


#6

A universally known username is the least of your security risks. Changing "pi" might make you feel better, but "root" is still universally known :grin:

I think you need to understand what sshkey (or SSH Public Key Authentication) is.

While it is a bit harder to set up the first time, it can eliminate the use of usernames and passwords for login purposes and now someone with malicious intent needs to have access to NSA level supercomputers and some number of years to get in.

You can generate separate individual keys for anyone you want to have access so it is easy to remove someone if they should no longer have access.

And best of all, I think it will be faster to learn and set up than figuring out all the changes necessary to change the default account name.


#7

There's probably something wrong with my logic here, but, it looks to me like everything is set up to run under user pi

The scripts and everything are programmed to be found under /home/pi/oprint

It seems to me that if you change the username (as in the second link posted) then when octoprint goes to look for its scripts, it won't be able to find them cuz /home/pi/oprint no longer exists

octo_in_pi
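
The two checks suggested in posts #4 and #7, as an added example that is not part of the original posts: list files under the renamed home directory that are not owned by the new account, and files that still hard-code the old `/home/pi` path. The function names are made up for this example and the demo tree is constructed; `elvis` is the example username from post #4.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU stat (as shipped with Raspbian).

# List every path under DIR whose owner:group differs from WANT (e.g. elvis:elvis).
wrong_owner() {  # usage: wrong_owner DIR WANT
    find "$1" -exec stat -c '%U:%G %n' {} + |
        awk -v want="$2" '$1 != want { sub(/^[^ ]+ /, ""); print }'
}

# List files under DIR that still mention the old home directory, for example
# start scripts or the shebang lines of the scripts in a virtualenv's bin/.
stale_paths() {  # usage: stale_paths DIR OLD_HOME
    grep -rlF -- "$2/" "$1" 2>/dev/null || true
}

# Demo on a constructed tree that mimics a renamed home directory.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/oprint/bin" "$home/scripts"
    printf '#!/home/pi/oprint/bin/python2\n' > "$home/oprint/bin/octoprint"
    printf 'OCTOPRINT_USER=elvis\n' > "$home/scripts/octoprint.default"
    echo "not owned by elvis:elvis:"; wrong_owner "$home" elvis:elvis
    echo "still pointing at /home/pi:"; stale_paths "$home" /home/pi
    rm -rf "$home"
}
demo
```

On a real system the calls would be `wrong_owner /home/elvis elvis:elvis` and `stale_paths /home/elvis /home/pi`; any path the second one prints has to be edited or regenerated before OctoPrint can start under the new name.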


#8

Wait, I know

Do a clean install of Raspbian (NOT an octopi image) lite on a different SD card. Then change the user name as in the second link

Then, create a totally other user, and install octopi and octoprint under that new user name, and, since it gets installed under whatever user installs it, that new user will be the owner of Octoprint


#9

I can even think of a password that nobody will ever guess

password=NOTraspberry

See ? You can even TELL people the password and they'll never know you're telling them the password

Just say "Well, I can tell you that the password is not raspberry"

It'll be an inside joke


#10

Thanks for the info! I'll definitely take an in depth look at sshkey!
As for root... I noticed that by default it is deactivated in the build I am using.

Thanks again!


#11

Thanks for the idea! If I cry too much trying to get sshkey set up, I may look into that.

Password wise... Kind of like the traditional "fourwordsalluppercase" eh? Haha!


#12

There are far better ways to secure Octo than worrying about the username. How about HTA access or VPN into your network and not let Octo touch the outside world? Or even set up access to only allow certain remote IPs or ranges?

These are all better ways to secure your setup... assuming you are going to have the HTTP exposed to the outside world - which is not really ideal no matter what.


#13

I use a dedicated user for OctoPrint that is not even allowed to login at all, so it doesn't need a password.
That is a common practice on Unix/Linux systems to use a dedicated user that is not able to login for daemons like mail or web servers, so why not do it for OctoPrint too?
AFAIK only some start scripts depend on the user Pi, so it is not a difficult task.


#14

I can definitively confirm that it is possible to run under a dedicated user. I have set it up like this. If you still want to do this, we need a bit more information about which distribution you are using (OctoPi or Raspbian or whatever) and what your setup looks like.

On the other hand as already mentioned you should take some general security considerations. The details what you want to do and what you want to allow/deny you did not state/specify. Thus it is too much guessing to make a good statement. In general I would

  • Deny all password based authentication via SSH (only private/public keys via sshkey)
  • Let the Octoprint Server run on a local network device (localhost) without access from the outside
  • Put a webserver that allows SSL-based authentication as a proxy in front of it
  • Disable any unneeded services
  • Make regular copies of the SD card image in case anything goes south

It does not look like you need the security of Fort Knox. But I might have guessed wrong.
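
A check for the first item in that list (and for the key-only login recommended in posts #2 and #6), as an added example that is not part of the original posts: it reads an `sshd_config` file and reports whether password logins are still possible. The function names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: does this sshd_config still allow passwords?

# Print the effective global value (lower-cased) of the first keyword matching
# KEY_REGEX, or DEFAULT if it is never set. sshd matches keywords
# case-insensitively and keeps the FIRST value it reads; everything after the
# first "Match" line is conditional, so the global scan stops there.
sshd_effective() {  # usage: sshd_effective FILE KEY_REGEX DEFAULT
    awk -v re="^($2)\$" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept "Keyword=value" too
        tolower($1) == "match" { exit }
        tolower($1) ~ re { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeeds only if both password paths are off. Keyboard-interactive (PAM) can
# also prompt for a password, so it is checked under its old and new names.
password_login_disabled() {  # usage: password_login_disabled FILE
    pw=$(sshd_effective "$1" 'passwordauthentication' yes)
    kbd=$(sshd_effective "$1" \
        'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Demo on a constructed config: the later "yes" is ignored, the first "no" wins.
demo() {
    cfg=$(mktemp)
    printf '%s\n' '# constructed sample' 'passwordauthentication no' \
        'ChallengeResponseAuthentication no' 'PasswordAuthentication yes' > "$cfg"
    if password_login_disabled "$cfg"; then
        echo "password logins disabled"
    else
        echo "password logins still possible"
    fi
    rm -f "$cfg"
}
demo
```

The scan does not follow `Include` lines or evaluate `Match` blocks; on the Pi itself, `sudo sshd -T` prints the configuration the daemon actually resolved.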