Strengthening security for upcoming 8.3.0
#1
Hi,

This is just a heads up that in upcoming moOde 8.3.0 (new image only) SSH and the default passwords for the Pi userid and WiFi access point have been removed to strengthen security and better align with the Raspberry Pi Foundation security practices for RaspiOS. Let's face it SSH and default passwords are not such a good thing!

It's easy using the Raspberry Pi Imager app to enable SSH, create a password for the user Pi and optionally enter a WiFi SSID and password before writing the image. It's GUI based, available on Windows, Mac and Linux and does not involve any command line stuff :-) 

moOde startup will pick up the WiFi SSID and password (if any) from the Pi Imager generated wpa_supplicant file and automatically update network config. The Wifi password will also be used as the Access Point password.

-Tim
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
#2
(02-24-2023, 02:17 PM)Tim Curtis Wrote: Hi,

This is just a heads up that in upcoming moOde 8.3.0 (new image only) SSH and the default passwords for the Pi userid and WiFi access point have been removed to strengthen security and better align with the Raspberry Pi Foundation security practices for RaspiOS. Let's face it SSH and default passwords are not such a good thing!

It's easy using the Raspberry Pi Imager app to enable SSH, create a password for the user Pi and optionally enter a WiFi SSID and password before writing the image. It's GUI based, available on Windows, Mac and Linux and does not involve any command line stuff :-) 

moOde startup will pick up the WiFi SSID and password (if any) from the Pi Imager generated wpa_supplicant file and automatically update network config. The Wifi password will also be used as the Access Point password.

-Tim
Good idea!

I've only ever created moOde sd-cards via dd or the chromebook recovery sd-writer thing.  Is it going to be possible to write the image that way then manually edit a file to alter the credentials?  If so, maybe that could be in the FAQ?

Also, are there any plans for the web-server to support https?  If you use a https-only extension you get nagged quite a bit!
#3
(02-24-2023, 02:24 PM)Sehnsucht Wrote:
(02-24-2023, 02:17 PM)Tim Curtis Wrote: Hi,

This is just a heads up that in upcoming moOde 8.3.0 (new image only) SSH and the default passwords for the Pi userid and WiFi access point have been removed to strengthen security and better align with the Raspberry Pi Foundation security practices for RaspiOS. Let's face it SSH and default passwords are not such a good thing!

It's easy using the Raspberry Pi Imager app to enable SSH, create a password for the user Pi and optionally enter a WiFi SSID and password before writing the image. It's GUI based, available on Windows, Mac and Linux and does not involve any command line stuff :-) 

moOde startup will pick up the WiFi SSID and password (if any) from the Pi Imager generated wpa_supplicant file and automatically update network config. The Wifi password will also be used as the Access Point password.

-Tim
Good idea!

I've only ever created moOde sd-cards via dd or the chromebook recovery sd-writer thing.  Is it going to be possible to write the image that way then manually edit a file to alter the credentials?  If so, maybe that could be in the FAQ?

Also, are there any plans for the web-server to support https?  If you use a https-only extension you get nagged quite a bit!

1. Part of the 8.3.0 announcement and info on security will include a link to the official Raspberry Pi guide for using the Imager and for manually setting things up. It's well written and covers all the bases.
https://www.raspberrypi.com/news/raspber...pril-2022/

2. Most of the plumbing for running moOde in https-only mode has already been added but the feature is not enabled because to work seamlessly and not generate really scary Browser security warnings there needs to be a type of https certificate that can be issued by a Globally trusted CA but for hosts on a local network. This type of cert does not yet exist.

We could use what are called self-signed certificates, but then we are back to really scary Browser security warnings, and so worse than the almost innocuous warnings about insecure http.
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
#4
How will this fit in with the existing setup?

Will moOde 8.3.0 first take up any parameter values set by rpi-imager and only then take up parameter values defined in /boot/moodecfg.ini if it exists (possibly overlaying some of the first by some of the second)?

ETA - There are places in the moOde code where user "pi" is baked in (e.g., grep turns up 11 instances of "/home/pi" in /var/www and below). I assume this may be fixed in some future release but in 8.3.0 we'll still need to create user "pi"...yes/no?

Regards,
Kent
#5
The only external params that are imported during moOde first boot startup are from the bare wpa_supplicant.conf file that Pi Imager generates if WiFi is checked and SSID / password are entered.

The wpa_supplicant import happens just before the Network section in startup. The import of moodecfg.ini alone or as part of a System Restore happens near the end of startup after the section named "Other" is complete and it would override anything imported from Pi Imager.

Basically if you want to use existing moodecfg.ini or System Restore files then no need to enter WiFi info in Pi Imager. I'd recommend changing the default "moodeaudio" passwords in the ini file to something else though, so as to support the "strengthen security" mantra.
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
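The precedence described in the post above (Pi Imager's wpa_supplicant.conf is imported first, moodecfg.ini later overrides it, and the WiFi password doubles as the Access Point password), worked as an added example that is not moOde's own startup code. The ini key names (wlanssid, wlanpwd, apdpwd), the [Network] section and both sample files are constructed assumptions; the check at the end flags any password still left at the shipped default.

```python
"""Resolve first-boot credentials in the order the thread describes and
flag passwords still set to the default. Key names are assumed, not moOde's."""
import configparser
import re

DEFAULT_PASSWORD = "moodeaudio"  # shipped default named in the thread

# Constructed sample of the bare wpa_supplicant.conf Pi Imager writes
WPA_SUPPLICANT_SAMPLE = """\
country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="HomeNet"
    psk="correct horse battery staple"
}
"""

# Constructed sample moodecfg.ini; section and key names are placeholders
MOODECFG_SAMPLE = """\
[Network]
wlanssid = HomeNet
wlanpwd = moodeaudio
apdpwd = moodeaudio
"""


def parse_wpa_supplicant(text):
    """Return {'ssid': ..., 'psk': ...} from the first network={} block."""
    block = re.search(r"network=\{(.*?)\}", text, re.S)
    if not block:
        return {}
    out = {}
    for key in ("ssid", "psk"):
        hit = re.search(r'^\s*%s="?([^"\n]*)"?\s*$' % key, block.group(1), re.M)
        if hit:
            out[key] = hit.group(1)
    return out


def parse_moodecfg(text):
    """Flatten every section of the ini into one key -> value dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {k: v for sec in cp.sections() for k, v in cp[sec].items()}


def effective_config(wpa_text, ini_text=None):
    """Imager values are applied first; moodecfg.ini (imported later in
    startup) overrides them. The WiFi psk seeds the AP password too."""
    wpa = parse_wpa_supplicant(wpa_text)
    cfg = {"wlanssid": wpa.get("ssid", ""),
           "wlanpwd": wpa.get("psk", ""),
           "apdpwd": wpa.get("psk", "")}
    if ini_text:
        cfg.update(parse_moodecfg(ini_text))
    return cfg


def default_password_fields(cfg):
    """Names of *pwd fields still carrying the shipped default."""
    return sorted(k for k, v in cfg.items()
                  if k.endswith("pwd") and v == DEFAULT_PASSWORD)
```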
#6
Sounds good.

I'm probably an outlier, with several moOde players in operation and frequently spinning up one or more others to test some issue or another.

I keep a copy of moodecfg.ini preconfigured with various renderers enabled, yada yada yada, and with all name strings suitably tokenized so I can define a new player with a single sed substitution.

Regards,
Kent

PS - Temp here has fallen more than 30 degrees from yesterday's high of 80-degF and is still heading down. We might even see snow tomorrow. Weird.
#7
Mother Nature is mad at us ;-)
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
#8
Stay safe and indoors you lot !!

I always run sudo raspi-config and change the username and password first after installing.

Doesn't everyone ?
----------
bob
#9
(02-25-2023, 05:46 AM)DRONE7 Wrote: Stay safe and indoors you lot !!

I always run sudo raspi-config and change the username and password first after installing.

Doesn't everyone ?

On a music player on my internal network?  No.
#10
Me neither.

But I do like the look of the RPi Imager - hadn’t come across this before. It could make the SDCard for the kitchen streamer easier (it’s the only wireless one, and still on 7.x.x). Can I use the loader with 8.2.5, if I stick to the existing username & password?