Strengthening security for upcoming 8.3.0
#3
(02-24-2023, 02:24 PM)Sehnsucht Wrote:
(02-24-2023, 02:17 PM)Tim Curtis Wrote: Hi,

This is just a heads up that in upcoming moOde 8.3.0 (new image only) SSH and the default passwords for the Pi userid and WiFi access point have been removed to strengthen security and better align with the Raspberry Pi Foundation security practices for RaspiOS. Let's face it, SSH and default passwords are not such a good thing!

It's easy using the Raspberry Pi Imager app to enable SSH, create a password for the user Pi and optionally enter a WiFi SSID and password before writing the image. It's GUI based, available on Windows, Mac and Linux and does not involve any command line stuff :-) 

moOde startup will pick up the WiFi SSID and password (if any) from the Pi Imager generated wpa_supplicant file and automatically update network config. The WiFi password will also be used as the Access Point password.

-Tim

Good idea!

I've only ever created moOde sd-cards via dd or the chromebook recovery sd-writer thing. Is it going to be possible to write the image that way then manually edit a file to alter the credentials? If so, maybe that could be in the FAQ?

Also, are there any plans for the web-server to support https? If you use an https-only extension you get nagged quite a bit!

1. Part of the 8.3.0 announcement and info on security will include a link to the official Raspberry Pi guide for using the Imager and for manually setting things up. It's well written and covers all the bases.
https://www.raspberrypi.com/news/raspber...pril-2022/

2. Most of the plumbing for running moOde in https-only mode has already been added, but the feature is not enabled because, to work seamlessly and not generate really scary browser security warnings, there needs to be a type of https certificate that can be issued by a globally trusted CA but for hosts on a local network. This type of cert does not yet exist.

We could use what are called self-signed certificates, but then we are back to really scary browser security warnings, and so worse than the almost innocuous warnings about un-secure http.
Enjoy the Music!
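
The manual route asked about in this thread (image written with dd, credentials set by editing files on the boot partition), as an added example that is not part of the thread or of moOde's code. It assumes the image honours the standard Raspberry Pi OS first-boot files `ssh`, `userconf.txt` and `wpa_supplicant.conf`; `write_boot_files` and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example, not moOde code. Assumes the image honours the standard
# Raspberry Pi OS first-boot files on the boot partition.
# write_boot_files BOOT_DIR USER PASSWORD_HASH [SSID PSK [COUNTRY]]   (hypothetical helper)
write_boot_files() {
    boot=$1 user=$2 hash=$3 ssid=${4:-} psk=${5:-} country=${6:-US}

    [ -d "$boot" ] || { echo "boot partition not mounted at: $boot" >&2; return 1; }
    # ':' separates user and hash in userconf.txt
    case $user in
        ''|*:*) echo "invalid user name" >&2; return 1 ;;
    esac
    # Accept only a crypt(3) hash such as the output of 'openssl passwd -6',
    # so a plaintext password is never stored on the FAT partition.
    case $hash in
        '$'[0-9a-z]*'$'*) ;;
        *) echo "password must be a crypt(3) hash" >&2; return 1 ;;
    esac
    if [ -n "$ssid" ]; then
        # WPA2 passphrases are 8 to 63 characters; a '"' would break the quoting below
        if [ ${#psk} -lt 8 ] || [ ${#psk} -gt 63 ]; then
            echo "WiFi passphrase must be 8-63 characters" >&2; return 1
        fi
        case $ssid$psk in
            *'"'*) echo "double quotes not supported in SSID/passphrase" >&2; return 1 ;;
        esac
    fi

    # All input validated: write the files.
    : > "$boot/ssh"                                         # empty marker file enables sshd
    printf '%s:%s\n' "$user" "$hash" > "$boot/userconf.txt" # first-boot account
    [ -n "$ssid" ] || return 0
    cat > "$boot/wpa_supplicant.conf" <<EOF
country=$country
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="$ssid"
    psk="$psk"
}
EOF
}
```

Running `openssl passwd -6` without arguments prompts for the password, which keeps it out of shell history; pass the resulting hash as the third argument and the mounted boot partition as the first.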
Messages In This Thread
RE: Strengthening security for upcoming 8.3.0 - by Tim Curtis - 02-24-2023, 02:45 PM