Security issue: browser UI new-user wizard does not change default SSH username/password #216
Replies: 2 comments
-
As a novice Linux user it is difficult enough to change the default username following a tutorial without a monitor to plug in. I cannot kill the sshd daemon while logged in over SSH to change the name.
-
CasaOS does not seem to have much thought around security. Disabling SSH is not a good idea, as it is the only way to get a secure type of connection to your device. There are various security needs that need to be addressed. Ideally you do this type of thing during the initial installation to protect the username and password used during initial setup.

The workaround using SSH will look like this. First create an SSH tunnel:

ssh -D 9090 casaos@casaos.local

You would then need to set up your browser to use a SOCKS proxy. Change your CasaOS password ASAP. Ideally you do this before any user creation, as using HTTP without protection allows anyone to see your password over the network. For example:

We can then securely connect to the web UI through your SSH tunnel via SOCKS. You then just connect via IP; you can use "ping casaos.local" to get the IP to connect. Keep in mind, if you connect to your CasaOS at all over your wireless network, anyone with access to your network can see your passwords over the network in clear text. Wireless packets can also be sniffed, and if using HTTP or without encryption, passwords can be easily captured.
-
Describe the bug
CasaOS, as supplied on the ZimaBoards, has a security issue: it ships with a default username and password of "casaos" and "casaos" with full root access and SSH enabled by default. Anyone knowing these defaults can SSH in to the device and perform any action they desire.
When visiting the CasaOS browser UI, as in the bundled quick-start guide documentation, you're prompted to create a new username and password; it is not made clear that doing so does not affect any part of the system other than the browser UI. Creating a new user in the browser does not create it in the underlying Debian operating system - and neither does it deactivate the default casaos account.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
CasaOS authenticates you using the new credentials you created.
Actual behavior
CasaOS rejects your login, as the user you created only exists in the browser UI - not the underlying operating system.
Further steps
Try to SSH into casaos.local with the casaos/casaos credentials after creating the new user: it'll work fine, because creating the new user does not deactivate the default user.
Additional context
I appreciate the need for a default username and password, but CasaOS is designed for ease-of-use: anyone who ignores SSH and heads straight for the browser will be entirely unaware that there's a way for anyone on the same network - or a remote network, if they start forwarding ports willy-nilly - to take complete control of the device.
My suggested workaround would be to disable SSH by default and have users who want it manually enable it via the web browser. Further, creating a new account in the browser UI should create the same account on the underlying system. When a new user is created, the casaos/casaos account should be deactivated.
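The issue above and the SSH-tunnel reply both come down to one question a ZimaBoard owner cannot answer from the browser UI: is the default casaos Linux account still usable? The script below is an added example, not code from the CasaOS project or from either poster. It reads a shadow-format file whose path is passed in (so it can be exercised on a constructed copy) and reports whether a given account is LOCKED (password field begins with "!" or "*"), ACTIVE, or MISSING. The sample shadow content and its hash values are constructed for the example; on a real device you would point it at /etc/shadow as root.

```shell
#!/bin/sh
# Added example: audit whether the default "casaos" Linux account can still
# log in. Not part of CasaOS; file path and sample data are assumptions.

# account_state FILE USER -> prints LOCKED, ACTIVE, or MISSING
# A leading "!" or "*" in the shadow password field means the account
# cannot authenticate with a password. An empty field or a hash means it
# can, so both are reported as ACTIVE.
account_state() {
    file=$1
    user=$2
    line=$(grep "^${user}:" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo MISSING
        return 0
    fi
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) echo LOCKED ;;
        *)         echo ACTIVE ;;   # includes the empty-password case
    esac
}

# check_default_account FILE -> exit 0 if "casaos" is locked or absent,
# exit 1 if it could still be used to log in (useful from cron or a CI job)
check_default_account() {
    state=$(account_state "$1" casaos)
    echo "casaos account: $state"
    [ "$state" != ACTIVE ]
}

# make_sample_shadow -> writes a constructed shadow file and prints its path.
# The hashes are placeholders, not real password hashes.
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:*:19000:0:99999:7:::
casaos:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
    echo "$f"
}

# Usage on a device: sudo sh audit_casaos.sh /etc/shadow
# If it reports ACTIVE, the standard remedy is "sudo passwd -l casaos"
# after you have created and verified your own Linux account.
if [ $# -eq 1 ]; then
    check_default_account "$1"
fi
```

The check only covers password-based login; a key in ~casaos/.ssh/authorized_keys would still work on a locked account, so review that file as well when you audit the device.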