[Feedback] CasaOS login == SSH credentials
Description
By default, SSH on the ZimaBoard under CasaOS is enabled and 'open' by the default username casaos and password casaos.
This, even though you setup a username and password during the CasaOS installation.
My feedback would be either of the two: (1) Disable SSH by default and build in a feature to enable it through the web portal. (2) Match the username and password you create when logging in to CasaOS with SSH.
Having a default username + password open without the user actually knowing is bad practice IMO and I think this can be improved easily. Thank you!
Additional Information
No response
Thanks for the heads up! I was trying to find the option to turn on / enable ssh because my creds weren't working.
Your suggestion is very good and I think we should address this issue in a future pre-installed version of Zimaboard.
While it is mentioned in the quick setup guide, it only says: "Default account for Pre-installed Apps". It feels intuitive to have the username/password of the system be the same as the account you create. It's at least more secure than having a default root login publicly known. Since I guess most people won't bother changing the system user, this should be part of the setup wizard, especially for less technical creators (Zimaboard).
The root user has a casaos password too (Zimaboard with pre-installed 0.4.1).
As a short fix, after switching on Zimaboard, you need to change 2 passwords manually.
ssh [email protected]
sudo passwd root
sudo passwd casaos
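The two fixes proposed in this thread (disable remote login by default, or at least stop default credentials from being reachable) reduce to a couple of sshd settings plus the password changes above. The script below is an added example written for this page, not code from CasaOS, IceWhale or any commenter: it audits an sshd_config text for PermitRootLogin and PasswordAuthentication (sshd takes the first uncommented value of a key, which the parser mirrors) and emits a hardened version that only allows key-based login. The sample config is constructed to look like a permissive default install; nothing here touches the live system.

```sh
#!/bin/sh
# Added example (not from CasaOS or the thread): audit an sshd_config for the
# settings that leave default-credential logins reachable, and produce a
# hardened replacement. Everything works on text, so it runs offline.

# Constructed sample config, hypothetical but typical of a permissive default.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
'

# effective_value KEY CONFIG: the first uncommented value sshd would use for
# KEY (keys are case-insensitive), or "unset" when the key never appears.
effective_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        tolower($1) == tolower(k) && v == "" { v = $2 }
        END { print (v == "" ? "unset" : v) }'
}

# audit_sshd CONFIG: print one FINDING line per weak setting; return 1 if any.
# An unset key counts as weak because sshd defaults both to allowing passwords.
audit_sshd() {
    rc=0
    root_login="$(effective_value PermitRootLogin "$1")"
    pw_auth="$(effective_value PasswordAuthentication "$1")"
    case "$root_login" in
        yes|unset)
            echo "FINDING: PermitRootLogin is $root_login (root with a default password is reachable)"
            rc=1 ;;
    esac
    case "$pw_auth" in
        yes|unset)
            echo "FINDING: PasswordAuthentication is $pw_auth (default user passwords can be guessed over SSH)"
            rc=1 ;;
    esac
    return $rc
}

# harden_sshd CONFIG: drop every existing PermitRootLogin/PasswordAuthentication
# line and append key-only settings; with first-match semantics the appended
# lines are now the only ones sshd sees for those keys.
harden_sshd() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "permitrootlogin" || tolower($1) == "passwordauthentication" { next }
        { print }
        END {
            print "PermitRootLogin no"
            print "PasswordAuthentication no"
            print "PubkeyAuthentication yes"
        }'
}

# Usage: audit the constructed sample, then print the hardened config.
audit_sshd "$SAMPLE_SSHD_CONFIG" || echo "-- hardened config follows --"
harden_sshd "$SAMPLE_SSHD_CONFIG"
```

On a real box the hardened text would replace /etc/ssh/sshd_config only after an authorized key has been installed for the account you intend to keep using, and after the two passwd runs above, otherwise the next login locks you out rather than the default credentials.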
Wow. This is beyond just bad practice and bordering on malicious incompetence! I am taking things for a test drive and wound up here while trying to figure out how to access via SSH. Honestly I didn't believe this was actually true until I tried it myself on a newly acquired Zimaboard.
Honestly this all but shatters my confidence in running CasaOS in my network. Even for an alpha version of a product this is unforgivably ignorant! The fact that it still hasn't changed 7 months later is telling too!
In my experience when you build a web interface that interacts with the underlying (linux) OS, it is common practice to use the Linux credentials. Think about Synology DSM using the same username and password through their web portal as through the underlying system. Hence when setting up an account, that should also be your local user in Linux.
So the fact that there is a web portal apparently storing credentials in a database and interacting with the underlying Linux (probably as root?), leaving SSH open and exposed as well, is just not what I would go for.
I abandoned Casaos straight away and use(d) other OSs on my Zimaboard. Indeed, the fact that it hasn't been edited/altered / fixed since my OP says enough.
In general, Casaos is not more than docker on (some) steroids. All the packages are basically docker containers. To me, that has no added value over the use of docker in a Debian / Ubuntu environment. Not saying this is btw the case for others but I'd probably suggest using Debian > Docker > Portainer rather than Casaos.
It is still like this in casaos v0.4.8
Pretty much a backdoor giving full access to all user data. casaos is completely insecure by default, with no indication of being so to normal users. The fact that I guessed the user/password via ssh first try and only by googling it found this bug report is telling everything.