I was very surprised to learn about the default dietpi user.
This seems like a security vulnerability. Anybody using DietPi on a device that is accessible via ssh is opening themselves up to a “default login” attack vector, and many users are probably not aware this account exists by default since it is not mentioned much.
I think by default, the dietpi account should be disabled until such time as it is actually used by installation “quick start” guides/tutorials instead of root.
In the mean time, I’d recommend that everybody using DietPi run:
passwd --delete dietpi
to prevent the dietpi account from being used unless you’ve explicitly configured an authorized_keys file for SSH.
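An added audit script (not from this thread or the DietPi project) that classifies accounts by the password field of /etc/shadow-format lines, so you can see whether the dietpi account is locked, has a hash set, or has an empty password field, which is what `passwd --delete` leaves behind; sshd refuses empty passwords by default, but local console login may not, so the script flags that state. The sample lines are constructed; on a real host pipe in /etc/shadow as root.

```shell
#!/bin/sh
# Audit helper: field 2 of a shadow entry is the password field.
#   ""        -> empty (no password; login without one may be possible locally)
#   "!"/"*"…  -> locked or no-login account
#   otherwise -> a password hash is set

# Classify one shadow-format line; prints "<user> <state>"
shadow_state() {
    user=${1%%:*}          # everything before the first ':'
    rest=${1#*:}           # everything after the first ':'
    hash=${rest%%:*}       # field 2: the password field
    case "$hash" in
        "")        state=empty ;;
        '!'*|'*'*) state=locked ;;
        *)         state=set ;;
    esac
    printf '%s %s\n' "$user" "$state"
}

# Print every account that is NOT locked, reading shadow-format lines on stdin
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        entry=$(shadow_state "$line")
        case "$entry" in
            *" locked") ;;
            *" empty")  printf '%s (login without a password may be possible)\n' "$entry" ;;
            *)          printf '%s\n' "$entry" ;;
        esac
    done
}

# Constructed sample, not a real system's shadow file: root has a hash,
# dietpi has had its password deleted, daemon and pi are locked.
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:17000:0:99999:7:::
dietpi::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
pi:!$6$constructedsalt$constructedhash:17000:0:99999:7:::'

# Run the audit over the constructed sample
audit_shadow_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
}

audit_shadow_sample
```

To lock the account outright rather than blanking its password, `passwd --lock dietpi` puts a `!` in front of the hash, which the script reports as locked.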
You are right. Users should be aware of the “dietpi” user. On fresh DietPi images a user prompt already asks to change the password, but I made some rework about how we use and handle passwords: https://github.com/Fourdee/DietPi/pull/1825
On v6.9 update (and fresh installs) all users will face two prompts:
one to set the initial password for new software installations, which is saved as plain text within dietpi.txt and overwrites the default “dietpi”
one to set the login passwords for “root” and “dietpi”, which should be handled independently and never saved as plain text anywhere
The prompts also include the above explanation, but I think I have to tune the wording a bit.
It’s interesting that you say “On fresh DietPi images a user prompt already asks to change the password”… I just recently found DietPi while searching for a lighter-weight SBC OS, and since finding it, have flashed the current builds for “fresh installs” on both a Raspberry Pi and an Odroid C2 and don’t recall being prompted for any password changes.
In any case, it’s great that v6.9 will improve this situation. Thanks again for quick response!
How can the same user, “dietpi”, have two passwords, one stored in the text file and another stored normally in the shadow file? I was afraid to change the dietpi user password, in case it would break some dietpi script. Doesn’t really matter in my case since I only allow public key logins, and only for my user.
I agree the wording needs to be tuned
The login password for users root and dietpi should not break any scripts, thus can and should be changed. Only one single software title needs the root password to stay at “dietpi” (can’t remember right now which one), since it is hard coded into the binary. We will see if using another library allows changing it afterwards; otherwise we give a clear hint that SSH for this device then must not be opened to the web.
As said, the password in dietpi.txt is only used as the default for all new software installations which require e.g. a web page or database login etc., but it can and should be changed of course after installation and initial login. This is just to make initial setup easier instead of remembering or looking up different default passwords for all software titles, or needing to make those installations interactive in some cases.