Strengthening security for upcoming 8.3.0
Moode Forum (https://moodeaudio.org/forum), Forum: Support, Thread: /showthread.php?tid=5398

Strengthening security for upcoming 8.3.0 - Tim Curtis - 02-24-2023

Hi,

This is just a heads up that in upcoming moOde 8.3.0 (new image only) SSH and the default passwords for the Pi userid and WiFi access point have been removed to strengthen security and better align with the Raspberry Pi Foundation security practices for RaspiOS. Let's face it, SSH and default passwords are not such a good thing!

It's easy using the Raspberry Pi Imager app to enable SSH, create a password for the user Pi and optionally enter a WiFi SSID and password before writing the image. It's GUI based, available on Windows, Mac and Linux and does not involve any command line stuff :-)

moOde startup will pick up the WiFi SSID and password (if any) from the Pi Imager generated wpa_supplicant file and automatically update network config. The WiFi password will also be used as the Access Point password.

-Tim

RE: Strengthening security for upcoming 8.3.0 - Sehnsucht - 02-24-2023

(02-24-2023, 02:17 PM)Tim Curtis Wrote: Hi,

Good idea!

I've only ever created moOde sd-cards via dd or the chromebook recovery sd-writer thing. Is it going to be possible to write the image that way then manually edit a file to alter the credentials? If so, maybe that could be in the FAQ?

Also, are there any plans for the web-server to support https? If you use a https-only extension you get nagged quite a bit!

RE: Strengthening security for upcoming 8.3.0 - Tim Curtis - 02-24-2023

(02-24-2023, 02:24 PM)Sehnsucht Wrote: (02-24-2023, 02:17 PM)Tim Curtis Wrote: Hi,
Good idea!

1. Part of the 8.3.0 announcement and info on security will include a link to the official Raspberry Pi guide for using the Imager and for manually setting things up. It's well written and covers all the bases. https://www.raspberrypi.com/news/raspberry-pi-bullseye-update-april-2022/

2. Most of the plumbing for running moOde in https-only mode has already been added but the feature is not enabled because to work seamlessly and not generate really scary Browser security warnings there needs to be a type of https certificate that can be issued by a Globally trusted CA but for hosts on a local network. This type of cert does not yet exist. We could use what are called self-signed certificates but then we are back to really scary Browser security warnings and so worse than the almost innocuous warnings about un-secure http.

RE: Strengthening security for upcoming 8.3.0 - TheOldPresbyope - 02-24-2023

How will this fit in with the existing setup?

Will moOde 8.3.0 first take up any parameter values set by rpi-imager and only then take up parameter values defined in /boot/moodecfg.ini if it exists (possibly overlaying some of the first by some of the second)?

ETA - There are places in the moOde code where user "pi" is baked in (e.g., grep turns up 11 instances of "/home/pi" in /var/www and below). I assume this may be fixed in some future release but in 8.3.0 we'll still need to create user "pi"...yes/no?

Regards,
Kent

RE: Strengthening security for upcoming 8.3.0 - Tim Curtis - 02-24-2023

The only external params that are imported during moOde first boot startup are from the bare wpa_supplicant.conf file that Pi Imager generates if WiFi is checked and SSID / password are entered. The wpa_supplicant import happens just before the Network section in startup.

The import of moodecfg.ini alone or as part of a System Restore happens near the end of startup after the section named "Other" is complete and it would override anything imported from Pi Imager.

Basically if you want to use existing moodecfg.ini or System Restore files then no need to enter WiFi info in Pi Imager. I'd recommend changing the default "moodeaudio" passwords in the ini file to something else though so as to support the "strengthen security" mantra.
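
Added example, not part of the original thread and not moOde's own code: a pre-flight check, run on the machine that prepares the SD card, that flags the default "moodeaudio" password in a moodecfg.ini and in a wpa_supplicant.conf, including when the latter stores the 64-hex-digit WPA2 derived key instead of the quoted passphrase. The key names and SSIDs in the sample files are made up; the ini check matches on the value only, so it does not depend on real key names.

```python
import hashlib
import re

DEFAULT = "moodeaudio"  # default password named in the thread

def wpa_psk(passphrase, ssid):
    """WPA2-Personal key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def ini_defaults(ini_text):
    """(line number, key) for every ini value still equal to the default."""
    hits = []
    for n, line in enumerate(ini_text.splitlines(), 1):
        # key = value, optional double quotes; comments and [section] lines never match
        m = re.match(r'\s*([^#;\[=\s][^=]*?)\s*=\s*"?(.*?)"?\s*$', line)
        if m and m.group(2) == DEFAULT:
            hits.append((n, m.group(1)))
    return hits

def wpa_findings(wpa_text):
    """(ssid, reason) for each network block whose key is the default password."""
    out = []
    for block in re.findall(r"network\s*=\s*\{(.*?)\}", wpa_text, re.S):
        ssid = re.search(r'^\s*ssid="(.*)"\s*$', block, re.M)
        psk = re.search(r"^\s*psk=(.+?)\s*$", block, re.M)
        if not (ssid and psk):
            continue  # open network: no key to check
        ssid, psk = ssid.group(1), psk.group(1)
        if psk.strip('"') == DEFAULT:  # quoted value: plain passphrase
            out.append((ssid, "default password"))
        elif psk.lower() == wpa_psk(DEFAULT, ssid):  # unquoted: 64 hex digits
            out.append((ssid, "default password, stored as derived key"))
    return out

# Constructed sample files; key names and SSIDs are made up for this example.
SAMPLE_INI = '''[network]
example_wifi_password = "moodeaudio"
example_ap_password = moodeaudio
# example_old_password = moodeaudio
'''
SAMPLE_WPA = '''network={
    ssid="Kitchen"
    psk=%s
}
network={
    ssid="Garage"
    psk="moodeaudio"
}
''' % wpa_psk(DEFAULT, "Kitchen")
if __name__ == "__main__":
    print(ini_defaults(SAMPLE_INI), wpa_findings(SAMPLE_WPA))
```

Because the derived key is salted with the SSID, the hashed comparison has to be recomputed per network block rather than matched against one fixed string.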

RE: Strengthening security for upcoming 8.3.0 - TheOldPresbyope - 02-24-2023

Sounds good.

I'm probably an outlier, with several moOde players in operation and frequently spinning up one or more others to test some issue or another. I keep a copy of moodecfg.ini preconfigured with various renderers enabled, yada yada yada, and with all name strings suitably tokenized so I can define a new player with a single sed substitution.

Regards,
Kent

PS - Temp here has fallen more than 30 degrees from yesterday's high of 80-degF and is still heading down. We might even see snow tomorrow. Weird.

RE: Strengthening security for upcoming 8.3.0 - Tim Curtis - 02-24-2023

Mother Nature is mad at us ;-)

RE: Strengthening security for upcoming 8.3.0 - DRONE7 - 02-25-2023

Stay safe and indoors you lot !!

I always run sudo raspi-config and change the username and password first after installing. Doesn't everyone ?

RE: Strengthening security for upcoming 8.3.0 - Sehnsucht - 02-25-2023

(02-25-2023, 05:46 AM)DRONE7 Wrote: Stay safe and indoors you lot !!

On a music player on my internal network? No.

RE: Strengthening security for upcoming 8.3.0 - suzywong - 02-26-2023

Me neither.

But I do like the look of the RPi Imager - hadn’t come across this before. It could make the SDCard for the kitchen streamer easier (it’s the only wireless one, and still on 7.x.x). Can I use the loader with 8.2.5, if I stick to the existing username & password?