Add a new user and replace the default pi user [updated December 2021]

One of the most effortless way for an intruder to gain access to a system is "Password Guessing". As we can read from the NIST Special Publication 800-118:

Guessing attacks can be mitigated rather easily by using a combination of two methods. First, ensure that
passwords are sufficiently complex so that attackers cannot readily guess them. It is particularly important
to change all default OS and application passwords; lists of default accounts and passwords are widely
available to attackers.

For the Raspbian (official Raspberry PI OS), the default credentials (username: pi, password: raspberry) are the same since the launch of the first device in February of 2012 so if you plan to use a Raspberry PI for any of your projects, the first thing to do is change those credentials. For increased security is even better if you completely remove or disable the default pi user.

Please keep in mind that the following "variables" must be replaced by your own values before executing each command:

Variable Meaning
NEW_USER the new username, default is pi
NEW_USER_HOME name of the new user’s directory, default is pi
NEW GROUP NAME user group where the new user will belong, default is pi

To make any changes regarding the users on the Raspbian distribution you have to login as root. So the first step is to set a password for the root user:

sudo passwd root

Enable root login via ssh

In order to login using ssh as a root user you have first to enable it from the sshd configuration file (/etc/ssh/sshd_config). Use the following command:

sudo sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config

Restart ssh service, to reload the ssh configuration file with the new settings:

sudo /etc/init.d/ssh restart

Logout and Login using the root credentials (Username: root and password the one you set at the first step)

Disable autologin [updated December 2021]

In new versions of RaspiOS autologin is enabled by default. This cause process of PI user to start automatically. Disable autologin using:

sudo raspi-config nonint do_boot_behaviour B1

And then reboot your system to clean pi user’s processes.

sudo reboot

Login as root

Login using the root credentials (Username: root and password the one you set at the first step)

Rename pi user and home directory

usermod -md /home/NEW_USER_HOME_DIR -l NEW_USER pi

Rename pi group

groupmod -n NEW_GROUP_NAME pi

Move the cron jobs file [optional]

If you have set any cronjobs on the pi user you may want to move them to the new user:

mv /var/spool/cron/crontabs/pi /var/spool/cron/crontabs/NEW_USER HOME_DIR

You may also want to move your bash history to the new user so use the following command
Logout and login as the new user (password is still rasberry)

Set a new password for the new user

passwd

To avoid retyping the password any time you use the sudo command [optional] [updated December 2021]

Rename the file to indicate the new user

sudo mv /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_NEW_USER-nopasswd

Change the permissions for the new user

 echo -e "NEW_USER ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/010_NEW_USER-nopasswd

Disable root login via ssh

sudo sed -i 's/PermitRootLogin.*/#PermitRootLogin yes/g' /etc/ssh/sshd_config

Official Documentation

5 1 vote
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments