Add a new user and replace the default pi user

One of the most effortless ways for an intruder to gain access to a system is password guessing. As we can read in NIST Special Publication 800-118:

Guessing attacks can be mitigated rather easily by using a combination of two methods. First, ensure that
passwords are sufficiently complex so that attackers cannot readily guess them. It is particularly important
to change all default OS and application passwords; lists of default accounts and passwords are widely
available to attackers.

For Raspbian (the official Raspberry Pi OS), the default credentials (username: pi, password: raspberry) have been the same since the launch of the first device in February of 2012, so if you plan to use a Raspberry Pi for any of your projects, the first thing to do is change those credentials. For increased security, it is even better to completely remove or disable the default pi user.

Please keep in mind that the following "variables" must be replaced by your own values before executing each command:

Variable            Meaning
NEW_USER            the new username, default is pi
NEW_USER_HOME_DIR   name of the new user's directory, default is pi
NEW_GROUP_NAME      user group where the new user will belong, default is pi

To make any changes to the users on the Raspbian distribution you have to log in as root. So the first step is to set a password for the root user:

sudo passwd root

Enable root login via ssh

In order to log in over ssh as the root user, you first have to enable it in the sshd configuration file (/etc/ssh/sshd_config). Use the following command:

sudo sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config

Restart the ssh service to reload the ssh configuration file with the new settings:

sudo /etc/init.d/ssh restart

Log out and log in using the root credentials (username: root, password: the one you set in the first step)

Rename pi user and home directory

usermod -md /home/NEW_USER_HOME_DIR -l NEW_USER pi

Rename pi group

groupmod -n NEW_GROUP_NAME pi

Move the cron jobs file [optional]

If you have set any cron jobs for the pi user, you may want to move them to the new user:

mv /var/spool/cron/crontabs/pi /var/spool/cron/crontabs/NEW_USER

You may also want to move your bash history to the new user so use the following command

Log out and log in as the new user (the password is still raspberry)

Set a new password for the new user

passwd

To avoid retyping the password any time you use the sudo command [optional]

sudo visudo

and at the last line add

NEW_USER ALL=NOPASSWD:ALL

Disable root login via ssh

sudo sed -i 's/PermitRootLogin.*/#PermitRootLogin yes/g' /etc/ssh/sshd_config
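
To check the result of the whole procedure, here is an added example script (not part of the original post) that verifies no pi account remains, that the new account exists, and that sshd_config no longer sets PermitRootLogin to yes. The function names are assumptions made for this example, and it reads only the main sshd_config file, not included drop-in files or Match blocks.

```shell
#!/usr/bin/env bash
# Added example: audit the result of the rename procedure.
# File arguments default to the live system; pass copies to test offline.

# Succeeds if account NAME exists in a passwd-format file.
user_exists() {   # user_exists NAME [PASSWD_FILE]
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# Prints the first uncommented PermitRootLogin value (sshd uses the first
# value it reads), or "default" when every such line is commented out.
# Assumption: only the main file is read, not Include'd drop-ins or Match blocks.
root_login_setting() {   # root_login_setting [SSHD_CONFIG]
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "${1:-/etc/ssh/sshd_config}"
}

# Reports every failed check and returns non-zero if any check failed.
audit() {   # audit NEW_USER [PASSWD_FILE] [SSHD_CONFIG]
    local new_user="$1" passwd_file="${2:-/etc/passwd}"
    local sshd_config="${3:-/etc/ssh/sshd_config}" rc=0
    if user_exists pi "$passwd_file"; then
        echo "FAIL: default account 'pi' still exists"; rc=1
    fi
    if ! user_exists "$new_user" "$passwd_file"; then
        echo "FAIL: account '$new_user' not found"; rc=1
    fi
    if [ "$(root_login_setting "$sshd_config")" = "yes" ]; then
        echo "FAIL: PermitRootLogin is still set to yes"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no pi account, '$new_user' exists, PermitRootLogin not set to yes"
    fi
    return "$rc"
}

# Run the audit only when a user name is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Save it to a file and run it with bash, passing NEW_USER as the only argument. The edit to sshd_config only takes effect once the ssh service is restarted, as in the earlier step.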

Official Documentation
