TU BRAUNSCHWEIG
| Carl Friedrich Gauß Faculty | Department of Computer Science
Informatikzentrum

preppi - Preparing Raspberry Pis

Author: Frank Steinberg
Keywords: RaspberryPi, Pi, Raspi, SSH

Default Raspbian images have a standard password "raspberry". Once SSH access is enabled and the device is connected to the IBR network, various potentially unknown people may log in and do arbitrary bad things. This has to be prevented as thoroughly and as soon as possible.

An IBR daemon continuously tries to identify such fresh devices and secure them by modifying their password and configuring SSH access based on the public keys of the users who are allowed to access the device. Configuration is taken from the IBR LDAP.

First, you may have to identify your Pi:

$ ibr-preppi

Most recent Pi DHCPDISCOVER activity:

15:42:31 b8:27:eb:c1:dc:9f 10.1.2.112     testbedpi-room112 (yschroed)
15:49:40 b8:27:eb:7a:6a:7a 10.1.2.16      infodisplay01 (gernert)
15:50:03 b8:27:eb:69:91:74 10.1.4.95      (unknown, suggested name: pi-9174)
15:51:01 b8:27:eb:fd:55:c4 10.1.4.92      (unknown, suggested name: pi-55c4)

First, you should identify your Pi from the list above. If your device
does not yet exist in LDAP, you should create it using dirac(1), but in
most cases new Pis get registered in LDAP automatically. If it does exist
and you are not yet its supervisor, you may become the supervisor:

  dirac "host pi-XXXX ; set ibrSupervisorDn `whoami`"

Then you may optionally grant other users SSH access:

  dirac "host pi-XXXX ; add ibrOperatorDn username"

Users' public SSH keys must be stored in LDAP or in the common places in
their home directories. Upon the next reboot of your SSH-enabled fresh
Pi, preppi should (re)configure it, so that the standard password no
longer works and the authorized IBR users are able to login as user "pi".

Read https://www.ibr.cs.tu-bs.de/kb/preppi.html for more information.

    

  • First, you may have to identify your Pi:
    $ ibr-preppi
    
    Most recent Pi DHCPDISCOVER activity:
    
    15:28:44 b8:27:eb:2d:25:d3 10.1.2.6       iz105-control (yschroed)
    15:42:31 b8:27:eb:c1:dc:9f 10.1.2.112     testbedpi-room112 (yschroed)
    15:50:03 b8:27:eb:69:91:74 10.1.4.95      (unknown, suggested name: pi-9174)
    
  • If your device is not yet known in LDAP, you should create it using dirac(1):
    $ dirac
    dirac - IBR directory access tool (0.1, 2019-07-02)
            https://gitlab.ibr.cs.tu-bs.de/steinb/dirac
    [1] IBR:IBRUser steinb > hosts
    [2] IBR: 195 IBRHosts > create
    Hostname: pi-9174
    MAC address: b8:27:eb:69:91:74
    Initial expire date (YYYY-MM-DD) [2019-08-01]: 
    Supervisor username (must be a member of mitarb) [steinb]: 
  • Otherwise, if your device is known in LDAP, you may have to become the Supervisor first. Staff members are able to "steal" ownership from fellows:
    [2] IBR:IBRHost pi-55c4 > set ibrSupervisorDn pullwitt
  • Please use the hostname scheme "pi-aabb" based on the right-most two bytes of the Pi's MAC address. This will allow us to identify Pis more easily in the future.
  • In order to have more human-friendly names, you may assign host aliases in dirac:
    [3] IBR:IBRHost pi-55c4 > set ibrHostnameAlias dishwasher
    But please, always use names specific to your project.
  • When you want other users to be able to log in to the device, you may add their usernames to the list of operators:
    [4] IBR:IBRHost pi-55c4 > add ibrOperatorDn y0000009
    For this to work properly, the users' public SSH key(s) must be stored in their LDAP record or saved in the common place in their home directory. Of course, you may also remove previous users using the remove command.
  • Afterwards, upon the next reboot of your SSH-enabled fresh or "pre-preppi'ed" Pi, preppi should (re)configure it, so that the standard password no longer works and the intended users are allowed to log in as user "pi" without a password:
    $ ssh pi@pi-55c4
    
    This RaspberryPi host has been secured by IBR preppi.
    See https://www.ibr.cs.tu-bs.de/kb/preppi.html.
    
    Linux raspberrypi 4.19.57+ #1244 Thu Jul 4 18:42:50 BST 2019 armv6l
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Thu Jul 18 11:31:16 2019 from 134.169.35.174
    pi@raspberrypi:~ $ 
  • If you modify the password on your flash device before booting the Pi, of course, preppi cannot and will not change anything.
  • We do not yet care about Pi Wifi interfaces.
  • We do not yet care about non-Debian-like Pi distributions.
  • We do not yet care about MAC address prefixes other than b8:27:eb: and dc:a6:32:.
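
The following is an added example, not part of preppi or the IBR tooling: it applies the "pi-aabb" hostname scheme and the two supported MAC address prefixes from the list above to a listing shaped like the ibr-preppi output, printing the Pis that are still unregistered together with the hostname they should get. The function names and the assumed column layout (time, MAC, IP, name) are this example's own; the sample lines are constructed from the listing shown on this page.

```shell
#!/bin/sh
# Added example, not IBR code. Assumes listing lines shaped like the
# ibr-preppi output on this page: TIME MAC IP NAME-or-"(unknown, ...)".

# Print the scheme-conforming hostname (pi-aabb) for a Raspberry Pi MAC.
# Returns 1 for malformed MACs or prefixes other than b8:27:eb / dc:a6:32.
pi_hostname() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Require exactly six colon-separated hex octets.
    printf '%s\n' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    case "$m" in
        b8:27:eb:*|dc:a6:32:*) ;;
        *) return 1 ;;
    esac
    # Right-most two bytes with the colon removed: ...:91:74 -> pi-9174
    printf 'pi-%s\n' "$(printf '%s' "$m" | cut -d: -f5,6 | tr -d ':')"
}

# Read a listing on stdin and print "MAC IP HOSTNAME" for every Pi the
# listing marks as "(unknown, ...", i.e. not yet registered in LDAP.
unregistered_pis() {
    while read -r _time mac ip name _rest; do
        case "$name" in
            "(unknown,") ;;
            *) continue ;;      # registered host, header or blank line
        esac
        host=$(pi_hostname "$mac") || continue   # skip unsupported MACs
        printf '%s %s %s\n' "$mac" "$ip" "$host"
    done
}

# Constructed sample input in the shape of the listing above.
sample_listing() {
    cat <<'EOF'
Most recent Pi DHCPDISCOVER activity:

15:42:31 b8:27:eb:c1:dc:9f 10.1.2.112     testbedpi-room112 (yschroed)
15:50:03 b8:27:eb:69:91:74 10.1.4.95      (unknown, suggested name: pi-9174)
15:51:01 b8:27:eb:fd:55:c4 10.1.4.92      (unknown, suggested name: pi-55c4)
EOF
}

sample_listing | unregistered_pis
```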

last changed 2019-08-19, 13:58 by Frank Steinberg