Change default shell admin account (ubuntu/ubuntu)

[oparoz]

It would be best for a unique password to be generated for shell access and presented to users the first time they boot the device, like it's currently done when using the ownCloud VM

[kyrofa]

Why add the extra step of needing to change one's password once logged in?

[oparoz]

I don't understand. Users don't need to change that password. What I'd like to try to avoid is for all shipped products to have a non-unique default password, letting anyone on the same network administrate the box unless the owner cares to change it.

[kyrofa]

Oh I thought you were referring to the ownCloud password-- ignore me. And I completely agree.

[oparoz]

It's my fault, the title is was misleading

[oparoz]

And @kyrofa , I opened it here because I don't know if that's something which should be implemented in the default snap or not.

[kyrofa]

@oparoz not something that can be done in the snap, actually. This is more of an image thing. How do we generate an image where not everyone gets the same password? Honestly I'd be more in favor of disabling SSH altogether and letting them login locally to enable it. Then they can change their own password.

[oparoz]

Let's ask @enoch85 about the how and @jospoortvliet about disabling SSH. It becomes messy when you need to plug in a keyboard and monitor into a "network enabled" device, but we only expect devs and advanced users to use SSH.

[kyrofa]

we only expect devs and advanced users to use SSH.

My thinking exactly. Why expand the attack surface on a consumer device?

[enoch85]

The soulution is here: https://github.com/enoch85/ownCloud-VM/blob/master/production/owncloud_install_production.sh#L12-L13

And here is another soultion: https://github.com/owncloud/vm/blob/master/vagrant/oc8ce/change_pass_admin.sh

But I can imagine that you already knew about that @kyrofa ?

[kyrofa]

Ah, rc.local. Yeah, that won't work here.

[WaaromZoMoeilijk]

Ah, rc.local. Yeah, that won't work here.

/home/user/.bash_profile perhaps? When logging in prompt it, let itself remove from the file afterwards? Or is that again not possible with the snap permission system?

[enoch85]

@kyrofa

1. Root user has a strong pre-generated pass that are stored as a file inside the owncloud dir with www-data permissions so that it's accessible inside ownCloud (maybe not so safe, but an option)
2. Same goes for the regular user (or make a simple change_pass.sh script for the regular user that can be run from SHELL.

(I'm tired now, but something like that)

[jospoortvliet]

The issue is that the change can't happen in the ownCloud snap as that can't change system-wide stuff ;-)

Though one... Perhaps defer this for now? It's useful as long as this image is in beta - increases the ease of hacking by their owners!

[oparoz]

Moved over to https://github.com/owncloud/pi-image/issues/29