News How to Disable the Annoying SSH Password Warning on Raspberry Pi

bit_user

Splendid
Ambassador
if ... you're not allowing SSH access from outside your local network, maybe you'd prefer the convenience of sticking with the default password so you won't forget what to enter as you move from card to card and Pi to Pi.
That's a false sense of security. There have been Wi Fi router hacks, infecting them with malware that tries access other devices on the network. Alternatively, some other device or computer on your LAN could get infected with malware, that could also try to access devices on your LAN.

If you want to use the same password on all your local machines, that's potentially okay. Just don't use the default one, and better to make it reasonably strong.

@apiltch , this is really a bad article. A better one would be "Why You Should Change the Default Password on your Devices".
 
Reactions: BertalanD
Aug 3, 2020
1
1
15
0
To add to @bit_user's remarks, if an attacker manages to get into your pi and run arbitrary code, with the default password, they now have root access. They can run echo 'raspberry' | sudo -S sh that launches a root shell, which they can use to do all the nasty things they can imagine.

Setting all of the devices to the same password is still more secure than not setting a password at all.

@apiltch: the point about the inconvenience of SSH passwords is valid. You should look up SSH keys and write an article about them. They are more secure than passwords, since they can have 512 bytes of entropy instead of the typical password length of 12-20 characters. The amount of variations in a RSA-4096 key is way more than the number of atoms in the entire universe; not to mention the post-quantum level ECC keys. Please don't teach users how to be lazy and shoot themselves in the foot.
 
Reactions: bit_user

XaveT

Distinguished
Jul 15, 2013
205
6
18,765
27
I have to disagree in this case. It is NOT our job as power users to withhold information because it might hurt people who use it wrong, especially when it's their stuff and they (at least pretend) to understand the risks. It's our job to share what we know and trust people not to be idiots. The majority will be, but that's not your/our call.

Easiest way to do this is to actually remove the package that does the check.

sudo apt remove libpam-chksshpwd

does it correctly, and without editing stuff manually.
 

bit_user

Splendid
Ambassador
I have to disagree in this case. It is NOT our job as power users to withhold information because it might hurt people who use it wrong,
What's this about withholding information? This is not some non-public information the author was privy to, that the public wouldn't otherwise have access to. Your suggestion of withholding is either misguided or misdirection.

The issue is about multiple approaches to solving a problem. The advice given in the article, and the logic upon which it rests, is quite simply flawed.

It's like an automobile publication running an article about how to shut off your "fasten seatbelt warning". There is some information that is quite simply negligent to publish, because the logical consequence of doing so is that readers will be exposing themselves to harm.

It's our job to share what we know and trust people not to be idiots.
You have to think about the audience and understand the difference between ignorance and idiocy. There's an aspect of recklessness in idiocy, whereas an ignorant person simply doesn't know any better. An article like this will have readership with a significant number of noobs, and if the article claims that what it's prescribing is safe to do, many of them will believe it.

The majority will be, but that's not your/our call.
Just to be clear, on whose behalf are you speaking?

And as surely as it's the site's right to publish, it's my right to call editorial judgement into question. Not necessarily in their forums... but I could certainly take my criticism onto to other social media platforms.
 
Reactions: BertalanD

ASK THE COMMUNITY

TRENDING THREADS