One of the easiest ways for an intruder to gain access to a system is password guessing. As NIST Special Publication 800-118 puts it:

> Guessing attacks can be mitigated rather easily by using a combination of two methods. First, ensure that
> passwords are sufficiently complex so that attackers cannot readily guess them. It is particularly important
> to change all default OS and application passwords; lists of default accounts and passwords are widely
> available to attackers.
For Raspbian (the official Raspberry PI OS), the default credentials (username: pi, password: raspberry) have been the same since the launch of the first device in February 2012, so if you plan to use a Raspberry PI for any of your projects, the first thing to do is change those credentials. For increased security it is even better to completely remove or disable the default pi user.
Please keep in mind that the following "variables" must be replaced by your own values before executing each command:
Variable | Meaning |
---|---|
NEW_USER | the new username; the current value is pi |
NEW_USER_HOME_DIR | name of the new user's home directory under /home; the current value is pi |
NEW_GROUP_NAME | the primary group the new user will belong to; the current value is pi |
To make any changes regarding the users on the Raspbian distribution you have to log in as root. So the first step is to set a password for the root user:

```
sudo passwd root
```
Enable root login via ssh
In order to log in via ssh as the root user you first have to enable it in the sshd configuration file (/etc/ssh/sshd_config). Use the following command:

```
sudo sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
```

Restart the ssh service so that it reloads the configuration file with the new setting:

```
sudo /etc/init.d/ssh restart
```
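The two sed one-liners on this page each work in only one direction: the enabling command matches only a commented-out `#PermitRootLogin` line, and the disabling one at the end matches only an uncommented line, so running either twice, or on a file that is already in the target state, silently does nothing. The following added example (not part of the original article) is a small pair of shell functions that set and read back `PermitRootLogin` whatever the current form of the line is. They take the file path as a parameter so you can rehearse on a copy before touching `/etc/ssh/sshd_config`; the function names are my own.

```shell
#!/bin/sh
# Added example: toggle PermitRootLogin in an sshd_config-style file regardless of
# whether the directive is currently commented out, and read the effective value back.

# set_permit_root_login FILE VALUE
# VALUE is one of the values sshd accepts: yes, no, prohibit-password, forced-commands-only.
set_permit_root_login() {
    file=$1
    value=$2
    # Rewrite every PermitRootLogin line, commented or not, so that exactly one
    # uncommented directive remains; if the file has none, append one.
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin' "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*PermitRootLogin.*/PermitRootLogin $value/" "$file"
    else
        printf 'PermitRootLogin %s\n' "$value" >> "$file"
    fi
}

# get_permit_root_login FILE
# Prints the effective value: sshd uses the first uncommented directive it finds;
# if there is none, the compiled-in default is prohibit-password.
get_permit_root_login() {
    file=$1
    v=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]+' "$file" | head -n1 | awk '{print $2}')
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'prohibit-password\n'
    fi
}
```

On the live system, `sshd -T | grep -i permitrootlogin` prints the value the running daemon will actually apply after the restart, which is the quickest way to confirm the edit took effect.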
Log out and log in using the root credentials (username: root and the password you set in the first step).
Disable autologin [updated December 2021]
In new versions of Raspberry Pi OS autologin is enabled by default. This causes processes owned by the pi user to start automatically, and usermod refuses to rename a user that still has running processes. Disable autologin using:

```
sudo raspi-config nonint do_boot_behaviour B1
```

Then reboot your system so that no pi user processes are left running:

```
sudo reboot
```
Login as root
Log in using the root credentials (username: root and the password you set in the first step).
Rename pi user and home directory
```
usermod -md /home/NEW_USER_HOME_DIR -l NEW_USER pi
```
Rename pi group
```
groupmod -n NEW_GROUP_NAME pi
```
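Both rename commands abort partway through when a precondition is not met: the target user or group name is already taken, the name contains characters usermod/groupmod reject, or the pi user still owns a process. The following added example (not part of the original article) is a pre-flight check to run as root before the two commands above. It defaults to the system passwd and group files but accepts copies as parameters; the function name and the sample files used below are my own.

```shell
#!/bin/sh
# Added example: check that renaming the pi user and group can succeed before
# running usermod -l / groupmod -n. Exit status 0 means safe, 1 means fix the
# reported problems first.

# rename_preflight NEW_USER NEW_GROUP [PASSWD_FILE] [GROUP_FILE]
rename_preflight() {
    new_user=$1
    new_group=$2
    passwd_file=${3:-/etc/passwd}
    group_file=${4:-/etc/group}
    ok=0

    # 1. The account being renamed must still exist.
    if ! grep -q '^pi:' "$passwd_file"; then
        echo "no 'pi' account in $passwd_file (already renamed?)"
        ok=1
    fi

    # 2. The names must be ones usermod/groupmod accept: start with a lowercase
    #    letter or underscore, then lowercase letters, digits, '_' or '-'.
    for n in "$new_user" "$new_group"; do
        case $n in
            [a-z_]*)
                case $n in
                    *[!a-z0-9_-]*) echo "'$n' contains characters the rename will reject"; ok=1 ;;
                esac ;;
            *) echo "'$n' must start with a lowercase letter or underscore"; ok=1 ;;
        esac
    done

    # 3. The target names must be free, otherwise the rename aborts.
    if grep -q "^$new_user:" "$passwd_file"; then
        echo "user '$new_user' already exists"
        ok=1
    fi
    if grep -q "^$new_group:" "$group_file"; then
        echo "group '$new_group' already exists"
        ok=1
    fi

    # 4. usermod refuses to rename a user that still owns processes; this is
    #    exactly what the autologin/reboot step above is meant to prevent.
    if [ -n "$(ps -o pid= -u pi 2>/dev/null)" ]; then
        echo "user 'pi' still has running processes; log out or reboot first"
        ok=1
    fi

    return $ok
}
```

Run it as `rename_preflight NEW_USER NEW_GROUP_NAME` on the live system; if it prints nothing and returns 0, the two rename commands will go through.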
Move the cron jobs file [optional]
If you have set any cron jobs for the pi user you may want to move them to the new user. Crontab files are named after the username, not the home directory, so the target is NEW_USER:

```
mv /var/spool/cron/crontabs/pi /var/spool/cron/crontabs/NEW_USER
```

You may also want to move your bash history to the new user, so use the following command:
Log out and log in as the new user (the password is still raspberry)
Set a new password for the new user
```
passwd
```
To avoid retyping the password every time you use the sudo command [optional] [updated December 2021]
Rename the file so that its name indicates the new user:

```
sudo mv /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_NEW_USER-nopasswd
```

Rewrite the rule inside the file so that it grants the same right to the new user instead of pi:

```
echo -e "NEW_USER ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/010_NEW_USER-nopasswd
```
Disable root login via ssh
Now that the rename is done, comment the directive out again, and restart the ssh service as in the earlier step so the change takes effect:

```
sudo sed -i 's/PermitRootLogin.*/#PermitRootLogin yes/g' /etc/ssh/sshd_config
```
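Once all the steps above are done it is worth verifying the end state rather than trusting that each command succeeded. The following added example (not part of the original article) audits the four things this procedure changes: the pi account, the PermitRootLogin setting, the sudoers fragment, and the old home directory. It takes an optional root directory so it can be rehearsed on copies of the files; the function name and the sample files in the test are my own.

```shell
#!/bin/sh
# Added example: audit a Raspberry Pi after renaming the default user. Prints one
# line per finding and returns the number of findings (0 means everything is in
# the expected state). ROOT defaults to / but can point at a directory holding
# copies of etc/passwd, etc/ssh/sshd_config and etc/sudoers.d/.

# audit_pi_hardening [ROOT]
audit_pi_hardening() {
    root=${1:-}
    findings=0
    passwd="$root/etc/passwd"
    sshd_cfg="$root/etc/ssh/sshd_config"
    sudoers_dir="$root/etc/sudoers.d"

    # 1. The default account name should be gone.
    if grep -q '^pi:' "$passwd"; then
        echo "FINDING: default user 'pi' still exists in $passwd"
        findings=$((findings + 1))
    fi

    # 2. Root login over ssh should not have been left enabled; sshd honours the
    #    first uncommented PermitRootLogin directive.
    prl=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]+' "$sshd_cfg" | head -n1 | awk '{print $2}')
    if [ "$prl" = "yes" ]; then
        echo "FINDING: PermitRootLogin yes is still active in $sshd_cfg"
        findings=$((findings + 1))
    fi

    # 3. No sudoers fragment should keep the old file name or still grant rights
    #    to 'pi'; a rule for a name that no longer exists is a stale foothold if
    #    that name is ever recreated.
    for f in "$sudoers_dir"/*; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            *pi-nopasswd*) echo "FINDING: stale sudoers file $f"; findings=$((findings + 1)) ;;
        esac
        if grep -Eq '^[[:space:]]*pi[[:space:]]+' "$f"; then
            echo "FINDING: $f still grants sudo rights to 'pi'"
            findings=$((findings + 1))
        fi
    done

    # 4. The old home directory should have been moved by usermod -m.
    if [ -d "$root/home/pi" ]; then
        echo "FINDING: $root/home/pi still exists"
        findings=$((findings + 1))
    fi

    return $findings
}
```

Run `audit_pi_hardening` as root on the device after the final reboot; any line it prints points at a step that did not go through.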