Change Hassio Base System / Console root Password

Hi,

I’m concern about a security issue with Hassio, access physically is really simple, root with no password, and then login command to get access to the linux system.

Just use docker commands to get a bash login to the homeassistant container and someone who has physical access to (or stole) my Raspberry could have access to my configuration files and even my secrets.yaml with all my passwords as plain text.

Trying to avoiding this just tried to use the passwd command to change root to any password (this is a little bit more secure), but I found that the root filesystem is mounted as read-only, I looking for a guide to make a simple root password change for console access, but nothing found.

Do you know how to change the console root password ? and even why there is no documentation about this or any security guidance throw physical access.

Thanks in advance.

3 Likes

Hi,

I encounter the same issue with this empty root password in the HassOS operating system…

In the online help, many times we can found that the username is root with no password but I can’t find any way to change this wheras we have to for security reasons !

I also tried the passwd command after login but I obtained the following error :

/bin/ash: passwd: not found

If you have solved your problem since january, I’m listening :wink:

Anyone a solution to change the password?

Hallo,

try this:

Connect via SSH to your RPi-instance…
Then Login with the user root without a password.

Type in this now:

 passwd

There is a SPACE before “passwd”

Follow the instructions for a new password.

Reboot and everything is fine.

Thanks you for your solution but, with or without space before the command, I have exactly the same result : passwd not found.

I am also looking for a way to change the HassOS console password for root. Is there really no way to do this? That would be a major security hole if so. Anyone could connect to physical console, type root, and they are in…

I have opened a feature request for this:

https://community.home-assistant.io/t/hassos-console-password/286654

Just commenting:
Attempting this on a VBox, 5.12 nearly fresh .iso (hassos_ova-5.12.vdi.xz):

The ’ passwd’ command (with trailing space) on the SSH prompt works, and prompts and accepts the new password (“password for root changed by root”)

However, after restart the of the machine (either through GUI, or ‘host restart’ from the console), the logon with root still does not require typing a password.

This is only accessible through physical access. There is no reason for adding a password.

If someone has physical access, there is no need to login as root at all. Removing the SD card or whatever media you are using is all that needs to be done.

Sorry, I simply cannot agree with that position. That’s like saying if you have physical access to a computer at home there is no point in having a password to protect someone from logging in. It’s also close to saying what’s the point of having locks on doors to your house if I can just pick the lock very easily or kick the door in.

There’s no guarantee that someone has access to the SD card because everybody’s installation is different as it may be mounted in a wall, in a closet, or in some other way where the keyboard is accessible but not access to get the SD card.

Not having a password on the root account is bad security, period.

3 Likes

It’s a headless embedded read-only OS with no users.

It’s still bad practice to not give a way to do this.

is it being solved? I have the same issue - can’t change root password!
OK figured it out, had to change password in the configuration of that plugin

It is not only accessible through physical access. I can connect to it with ssh with root and no password.

When you do that, you have added your public ssh key, and are using your private ssh key for the connection.

Yes, sorry. You are correct. I’m using a ssh key. Forgot about that :blush:

I totally agree, and want to take it a few steps further regarding security.

  1. Let users decide if they want to set up root credentials.
  2. After HA is installed it should have a self signed certificate. Entering root credentials via plain text http (also in a home network) is very bad practice. Don’t presume home networks are safe!
  3. Lastly. I would opt for an option to encrypt the filesystem. Flash cards are easily copied and you can read/write to them even if a root password is in place. Encrypted File systems are very difficult to hack without a key. The downside of this: Some loss in performance, and you need to physically enter a key during the boot up process.