Security update #16

Open
Telraam opened this issue Feb 18, 2020 · 8 comments

Telraam (Owner) commented Feb 18, 2020

After analysis and extensive testing of the changes, we have made the following modifications to the code and pushed this update to all connected devices in the field. The update includes:

  • Removing SMB from the pi
  • Changing the password for user pi to a random one from an openssl command (so every pi will have a different, random password)
  • Modifying /etc/rc.local so the password for the user pi is changed at every startup.
  • Disabling and stopping the ssh daemon

A random password is now generated at every boot. For changing the password, the next command is used:

```
/bin/echo "pi:$(sudo /usr/bin/openssl rand -base64 12 2>&1)" | sudo /usr/sbin/chpasswd
```

The new passwords will be 12-byte pseudo-random, base64-encoded strings.
The new versions of the scripts and image are available.

The consequence of these adaptations is that active Telraam devices are no longer accessible. If you do want to be able to connect to your device directly, you will need another image with user access. We trust expert users understand the risks. We've made a second image that allows user access. Dev image is available for download at https://telraam-api.net/telraam-dev-image.7z
See https://github.com/Telraam/Telraam-RPi/blob/master/telraam-dev-image for more info.

Happy to receive your feedback!
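
The boot-time rotation described in the comment above, as an added example that is not Telraam's own script: the one-liner merges openssl's stderr into the command substitution (`2>&1`), so this sketch keeps stderr out of the password and refuses to call chpasswd unless it received exactly 16 base64 characters. The function names and the generator argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Telraam's script.

# Print 12 random bytes as base64: 16 characters, 96 bits.
# stderr is discarded rather than merged (no 2>&1), so an openssl error
# message can never be substituted into the chpasswd input.
gen_password() {
    openssl rand -base64 12 2>/dev/null
}

# Accept only exactly 16 characters from the base64 alphabet.
# A newline or any error text fails this check.
valid_password() {
    [ "${#1}" -eq 16 ] || return 1
    case "$1" in
        *[!A-Za-z0-9+/]*) return 1 ;;
    esac
    return 0
}

# chpasswd_line USER [GENERATOR]: print "USER:PASSWORD", or print nothing and
# return non-zero if generation failed or the output is not a valid password.
# GENERATOR is a hypothetical hook so the failure paths can be exercised.
chpasswd_line() {
    user=$1
    gen=${2:-gen_password}
    pw=$("$gen") || return 1
    valid_password "$pw" || return 1
    printf '%s:%s\n' "$user" "$pw"
}

# rotate_password USER: what /etc/rc.local would call (rc.local runs as root,
# so no sudo is needed). On failure the existing password is left unchanged.
rotate_password() {
    line=$(chpasswd_line "$1") || {
        echo "password rotation failed for $1" >&2
        return 1
    }
    printf '%s\n' "$line" | /usr/sbin/chpasswd
}
```

Sourced from /etc/rc.local, the call would be `rotate_password pi`.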


mrtnrey commented Feb 18, 2020

Many thanks to the Telraam team for still offering the possibility to access your own Telraam device. Much appreciated!
(I use the access to tweak my telraam to connect to my LAN instead of WLAN, with a USB-to-RJ45 dongle).


hgcvm commented Feb 27, 2020

It is not clear to me how you keep SSH access with the dev image. Both when the pi is in AP mode and when it's connected to the home wifi, SSH access is not possible (at least not on standard port 22). The port does not seem to be open; I guess the service is not running. Anybody had any luck with this?

Telraam (Owner, Author) commented Feb 27, 2020

That is correct, by default, the SSH service is not running.
You have to enable it.

Take a look at https://github.com/Telraam/Telraam-RPi/blob/master/telraam-dev-image
I updated the information in that file.

@ThomasDesloovere

How can I log in then if it is a random password?

Telraam (Owner, Author) commented May 4, 2020

Hi Thomas,

At first startup, the dev image has pi:pi credentials; you can use those credentials to log in the first time and create your own user.


ThomasDesloovere commented May 4, 2020 via email

Telraam (Owner, Author) commented May 4, 2020

Then you would have to flash the dev image in order to be able to log in.
(you would also need to reconnect to the TELRAAM hotspot and re-enter your wifi credentials)

Telraam (Owner, Author) commented Apr 5, 2022

We had an issue where the wifi password was shown on the TELRAAM hotspot webpage.
We fixed this and made new software images.

You can find the new images at:
https://telraam-api.net/telraam-sd-image.zip
https://telraam-api.net/telraam-dev-image.zip

Telraam reopened this Apr 5, 2022