Somewhat continuing the security-related discussion from here, I've now implemented on the RPi image both a mandatory root passwd change on first login and also defined 'PermitRootLogin no' (recent changes here). In other words: SSH with a known default password on Raspberries is not possible any more with the latest image, since the first step is either creating a new sudo-enabled user or allowing root SSH login, and then the passwd has to be changed anyway. Will then look like this:
So 2 x 'openmediavault' followed by 2 x the new password. I've seen not just one person failing with this already.
Unfortunately those lazy Raspbians still do not provide a new 4.9 LTS kernel package (4.9.53 vs. 4.9.41 in their repo), so the latest image shares its name with one from a few weeks ago: OMV_3_0_88_RaspberryPi_2_3_4.9.41.img.xz (MD5 sum: b18007156c92dedab53df4a0898d0400)
Tested with both RPi 3 (armbianmonitor -u after Arrakis upgrade) and RPi 2 (armbianmonitor -u -- please enjoy dmesg output rebooting RPi 2 automatically after 930 seconds compared to 470 on RPi 3 before, that's the difference an 'average' SD card vs. a good Samsung can make. With a real crappy SD card the time between first boot and automatic reboot might be even much longer than 15 minutes)
Areas of testing:
- SSH login behaviour and enforced root passwd change (ok)
- wireless client establishing connection via nmtui-connect (ok)
- wireless access point for IoT slaves via armbian-config (ok)
- Upgrade to arrakis (mostly ok, the remaining issues are cosmetic)
- Functionality, performance (not tested since why should something change, I carefully modified the last image)
@ryecoaaron -- please exchange image, no other stuff needs to be updated since image name remains the same and MD5 sum is available through SF.
Wrt all the other ARM images the needed fix is upstreamed to Armbian, but I won't regenerate images now since in a few weeks a new major Armbian release is to be expected and unlike with Raspberries we already disabled root SSH login on all the current images. So only the enforced password change is missing but I think this needs no immediate action and can be postponed a few more weeks.
Proposed change: Add to each readme.txt in the 3 ARM OMV image download directories:
- If you want to login to your board with SSH create an own user
account in the web interface and add it to groups sudo and ssh.
And a final note to all moderators: If users report any sort of problem with Raspberries or other ARM devices always the first thing to ask for is output from 'armbianmonitor -u' (see example output above).
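A check for the two settings this post describes, as an added example that is not part of the original post or of the OMV/Armbian code. It assumes the forced password change is done through password aging (last-change field set to 0 in /etc/shadow, as `chage -d 0 root` does); the sample file contents are constructed.

```python
# Added example: audit sshd_config and shadow content for the two
# hardening settings described above. Sample inputs are constructed.

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not taken from the OMV image
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 192.168.0.0/16
    PermitRootLogin yes
"""

SAMPLE_SHADOW = """\
root:$6$constructed$hash:0:0:99999:7:::
admin:$6$constructed$hash:17450:0:99999:7:::
"""

def root_login_settings(sshd_config):
    """Return (global PermitRootLogin value or None, Match overrides).

    sshd keeps the first value it reads for a keyword, so a later global
    duplicate is ignored. Lines after a Match keyword are conditional and
    can re-enable root login for some clients, so they are reported too.
    """
    global_value, overrides, in_match = None, [], None
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = arg
        elif keyword == "permitrootlogin":
            if in_match is None:
                if global_value is None:
                    global_value = arg.lower()
            elif arg.lower() != "no":
                overrides.append((in_match, arg.lower()))
    return global_value, overrides

def password_change_forced(shadow, user="root"):
    """True if the user's last-change field is 0 (change at next login)."""
    for line in shadow.splitlines():
        fields = line.split(":")
        if fields[0] == user and len(fields) > 2:
            return fields[2] == "0"
    return False
```

On a real system, pass the contents of /etc/ssh/sshd_config and /etc/shadow (read as root); a non-empty override list means root login is still reachable for the clients that Match block selects.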