They definitely should follow suit. Especially since Purism does not really control the username on L5. It has just crept in during development and will require work to be made configurable by a user without breaking several things at least.
More important for the security of your device is that you only allow SSH login with RSA private/public key. In this case brute force will not help much.
I believe it's something on our to-do list, but a lower priority than other issues since L5 doesn't ship with SSH enabled by default, so the security risk of having a known username (with an unknown password, unlike the default Pi) is minimal.
Unknown? It was the default two weeks ago, when I got it and no prompt to warn or change disc encryption or password (which both would be a nice addition after setting language etc. at first login).
Oh for some reason I thought the first boot wizard prompted for a user password like it does on the desktop version (you have to realize it's been a long time now since I've been through the first boot wizard on my Librem 5).
Another thing, on selecting the timezone. It should be part of the boot time setup so manual change is not required. That too is a long pending item from the to-do list.
I think it's inflammatory language designed to elicit an emotional response
We obviously do not want to "control" the username, but the default username is simply an artifact of how we originally set things up. I'm sure we'd welcome any MRs that remove those dependencies on that username if someone wants to work on it. Otherwise it's something I'm sure we will get to at some point, but other things are taking priority.
How about a quick refresher to re-analyze and re-invent: the intro and setup could use some love - specially if more and more less linux savvy users that have less time to learn stuff and study the forum? A walkthrough on how to harden and get most security benefits out of L5 might be useful to all. Something more to the todo-pile…
Currently, we run the first-time setup on an already fully booted and logged in system. Eventually we want to move into using an "installer" like approach that other distros are using that could do things like reencrypt the rootfs and set up user accounts before the actual system is fully booted, but we're not there yet.
BTW. I don't think there should be any problems with having the name changed. What may be problematic is renaming an already existing user while retaining its home dir intact, but if you're willing to start fresh it should all work (if it doesn't, it's worth a bug report :))
I am willing to start fresh. I flashed my Librem 5 with noluks option. The maximum disk size is only 3 GB by default. I had to resize it. Next, I used the usermod command to rename it. But it does not work as expected. As you mentioned the home directory name does not change.
Can you share the steps? I will see if it works otherwise will raise a bug.
It is well-known, by Purism and (some) customers, that it does not work. It has been discussed in this forum before.
Purism may get to it eventually but it is "lower priority", as stated in their first response above.
If a customer is not using SSH login via asymmetric keys only then … one "workaround" is to configure SSH to allow login only from selected users and by implication disallow login from purism and by implication create the user that you would actually like to have remote access under - so that it won't make any difference whether the user purism exists or not from that perspective.
There are lots of reasons why making this change retrospectively may be problematic. So it is likely that if and when Purism does make such a change, you will either have to reflash (potentially a large hassle) or you just bodgy in the selected needed changes (which in theory you can do today, but I wouldn't recommend it unless you know how to recover from software breakage).
I actually agree with you. There should not have been a default username and, if there is one, it is not even logical that it is purism but on a scale of things going wrong in the world today even for me it is "lower priority".
I think that is true of the Pi as well.
The real question (on Pi or Librem 5) is whether the installer / first boot process forces the user to change the default password. I believe that on Librem 5 the answer is "no" and this should be looked at, particularly as the number of phones in unsophisticated hands increases. The downside is the support cost of people who immediately lock themselves out by forgetting the password that they just set. So there needs to be a documented recovery process e.g. using Jumpdrive.
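Added example, not part of any post in this thread: a small Python audit of an `sshd_config` for the two measures discussed above, key-only login and an `AllowUsers` list that does not admit the default `purism` account. The function names, the sample configs and the account `alice` are assumptions made for illustration; `Match` blocks and `Include` files are not evaluated.

```python
import fnmatch
import re

def effective(config_text):
    """Global settings as sshd reads them: first value wins, AllowUsers accumulates."""
    single, allow = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # simplification: stop at conditional blocks
            break
        if len(parts) < 2:
            continue
        if key == "allowusers":
            allow.extend(parts[1].split())
        else:
            single.setdefault(key, parts[1].strip())
    return single, allow

def audit(config_text, default_user="purism"):
    """Return findings for the two measures discussed in the thread."""
    single, allow = effective(config_text)
    findings = []
    # OpenSSH enables both methods unless the config says otherwise.
    if single.get("passwordauthentication", "yes") != "no":
        findings.append("password login enabled")
    if single.get("pubkeyauthentication", "yes") != "yes":
        findings.append("public-key login disabled")
    if not allow:
        findings.append("no AllowUsers list")
    elif any(fnmatch.fnmatchcase(default_user, p.split("@", 1)[0]) for p in allow):
        findings.append("AllowUsers admits " + default_user)
    return findings

# Constructed samples; "alice" is a hypothetical remote-access account.
WEAK = """\
PasswordAuthentication yes
AllowUsers p* alice
# a later duplicate does not override the first value
PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
"""
```

On the phone itself, `sshd -T` run as root prints the settings the daemon actually resolved, including anything pulled in through `Include`.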
You'd want to change all instances of "loki" to whatever username you want as once the service is enabled, this will change the default username to "loki", change the home directory and copy the current purism home directory to /home/loki and also rename the purism user group to "loki" on the next boot.
I haven't noticed any ill effects from changing this, however, I didn't use the phone very much. I would like to think that anything requiring the default user would reference the user by UID rather than name?