User accounts on L5

Even so, if someone else has my cell phone, then I could not be contacted while I’m out, and could not make calls myself.
I’ve loaned my phone for a single call (while I was still present), but didn’t need a separate account for that person.
I do see how separate accounts can be useful for some, though. Especially for protecting the computer functions/data. (But it’s not a feature of most mobile phones, as far as I know.)

Perhaps better defaults can be found also.
Right now it is: purism @ pureos - username and machine name. (You know… why is a company name my username. I thought I own the phone… [joke])

So you’ll most probably change both of them.

I think user @ librem5 is a better default.

1 Like

You are right. But this can be easily changed by modifying the PS1 shell variable.

That only changes the prompt. Pretty useless and confusing! The user and host name are used in many other places.

1 Like

I think this is a very important point. Even if you say that, for SSH for example, instead of purism you would set up a new user on your phone and block purism with the number-only password from logging in via ssh, it’s still more insecure to bugs with those restrictions. Just look at the sudo -u right now :wink:

In my limited understanding of my distros I would change the device name in /etc/hostname.

And I would also like to be able to set and use the Linux user on the phone and I like that Purism used it instead of the Android way of simply putting the user system on top. Just imagine the possibilities for screen sharing via ssh, LDAP users (especially interesting maybe for companies), …

The machine name can be set at Settings | Details | About | Device Name. I did that at one point, & was seeing some strange behavior that may or may not have been related, so YMMV. For now, I’m happy enough with merely setting the machine name to “librem5” in my DHCP software so that I can ssh purism@librem5 from other machines without changing the actual hostname.

1 Like

I can see a few options available to better secure the setup as is:

  1. Create a separate user other than purism with a stronger password, and set DenyUsers purism in /etc/ssh/sshd_config so that no one is allowed to log in as purism via ssh.
  2. Set up public key auth for the purism account, and disable password auth in /etc/ssh/sshd_config (set PasswordAuthentication no in there) (requires the system you want to ssh into it from to have the private key file) - best security option
  3. Have a crazy long numeric password (yeah I know, not the best).
1 Like
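
The options in the post above, turned into a check on an sshd_config file. This is an added example, not part of the original thread or of Purism's code. The function name `audit_sshd` and the sample files are constructed for illustration; it assumes `Keyword value` lines, reads only the global section (it stops at the first Match block and does not follow Include), and treats DenyUsers entries as literal names rather than patterns.

```shell
#!/bin/sh
# Added example: classify an sshd_config against the options discussed above.
audit_sshd() {  # usage: audit_sshd FILE USER
    awk -v user="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1) }                    # sshd keywords are case-insensitive
        key == "match" { exit }                  # Match blocks are out of scope here
        # sshd uses the first value it obtains for a keyword; later ones are ignored
        key == "passwordauthentication" && pw == "" { pw = tolower($2) }
        # DenyUsers takes a space-separated list and may appear more than once
        key == "denyusers" { for (i = 2; i <= NF; i++) if ($i == user) denied = 1 }
        END {
            if (pw == "") pw = "yes"             # OpenSSH default when the keyword is unset
            if (pw == "no")   print "OK: PasswordAuthentication is off"
            else if (denied)  print "PARTIAL: " user " denied, other accounts accept passwords"
            else              print "WEAK: " user " accepts password login"
        }' "$1"
}

# Constructed sample configs (not taken from a real device).
tmp=$(mktemp -d)
printf '%s\n' '# nothing set explicitly' '#PasswordAuthentication yes' 'UsePAM yes' \
    > "$tmp/default"
printf '%s\n' 'PasswordAuthentication yes' 'DenyUsers guest purism' \
    > "$tmp/option1"
printf '%s\n' 'PubkeyAuthentication yes' 'passwordauthentication no' \
              'PasswordAuthentication yes' \
    > "$tmp/option2"

for f in default option1 option2; do
    printf '%-8s %s\n' "$f" "$(audit_sshd "$tmp/$f" purism)"
done
rm -rf "$tmp"
```

On the device itself, `sshd -T` (run as root) prints the effective configuration after Include and default handling, which is the authoritative thing to compare against.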

For the sake of security, this is what you should be doing anyway with an always connected computer with possibly no firewall in-between.

You’re right, it is the most secure solution, and likely the best. I’ll put a note on that option.

However, as with all things I don’t know the use cases of all who might try this, and thus it’s best to present multiple options so they can decide what works best.

Unless you run Jolla’s Sailfish OS :slight_smile:

I gave up on Jolla.
Plus, last time I checked, the Sailfish image isn’t available to people in North America.

2 Likes

I don’t blame you.

Jolla is struggling to move their platform forward. They went the route of creating their own UI toolkit etc. and having apps specific to their OS, which is a huge challenge for such a small team. I think Purism’s strategy - staying close to “standard” Debian/Gnome and to encourage making existing apps adaptive - means lower maintenance long-term, effectively making long-term survival of the platform more likely.

And the non-availability in North America and other markets is really odd, they have said “we’re working on it” for ages. There must be an issue beyond getting a payments processor. Licences maybe, I don’t know.

Having said that, I’m super happy Jolla are still around after all these years and I really like how beautiful and smooth Sailfish is to use. The Librem 5 has a long way to go to get even close.

I reported there and @guido.gunther moved it to a more proper place, OS-issues: https://source.puri.sm/Librem5/OS-issues/-/issues/181
So from the discussion there it seems that this is related to whether lightdm is running or not (instead of the default).
https://source.puri.sm/Librem5/OS-issues/-/issues/148

I hope lightdm jumps in at some point.

2 Likes

That’s what I have done.

That doesn’t address the underlying bigger questions: want full multi-user environment / don’t want hard-coded default username.

I have changed the default host name. I did that from the command line though.

  1. For the actual unlock screen some people might not want password unlock at all (whether numeric or a larger set of permitted characters) i.e. want something that is more compatible with use in public.

You can also disable / enable the SSH server via Settings / Sharing / Remote Login. So if it’s something only occasionally used then leave it disabled and only enable it when needed.

1 Like

Besides being a “Freedom Phone”, the Librem 5 is touted as a “Pocket Computer”. With those tag lines, is there a reason for super tight control over the user profile creation?

I am waiting for my Librem 5 to arrive. So, am experimenting with the ISO image in VirtualBox. Although user creation is enabled using the adduser command, the default login user is still set to purism. Login to the new user (or new profile) does not seem to work. The initial screen does show multiple user logins but just defaults to the purism user.

@dos, is there a reason for this behavior?

2 Likes

We don’t use a display manager right now and start the session directly by a phosh.service unit. We want to use one in the future since it will be also needed for other stuff like keyring unlock, but that’s simply not in place yet.

See also:

4 Likes

A script for changing username was mentioned here:

Here is another related issue:

1 Like

or reflash and start over from scratch > https://puri.sm/posts/reflashing-the-librem-5/