Create a dedicated user for SSH access
If have gone about creating a dedicated user account for ssh access so we can get rid of the barn door opened by the volumio user and his unchangeable default password. As ssh is disabled by default, we should not risk any problems when taking it away from the volumio user. So the process is pretty straightforward. We’ re going to create a user with the same privileges as the volumio user, and then disable ssh login for user volumio:
1: Create an new user (e.g. myuser)
sudo adduser myuser
You will be asked to enter a new password. This is where you can set a strong, secure password of your own! You can ignore the rest of the questions asking for finger data (but you can of course supply meaningful answers if you wish!).
- Assign all groups the volumio user belongs to. In addition, add your user to the group sudo so he/she can perform privileged operations:
sudo usermod -a -G volumio,adm,dialout,cdrom,floppy,audio,dip,video,plugdev,netdev,input,i2c,spi,gpio myuser
sudo usermod -a -G sudo myuser
- At this point, it is time to test if everything works. Open a second connection to your Volumio system, but this time, log in with the new user. When logged in, type
sudo ls
to test if sudo works, too. If all is fine and you don’t get any error messages, you’re good to go for the last step:
- Restrict ssh access to your newly created user. This takes ssh access away from all users except those explicitly listed:
sudo vi /etc/ssh/sshd_config
Go to the bottom of the file and add the line
AllowUsers myuser
Attention: make sure not to mistype your user name here, or you will effectively have locked you out of your system, at least ssh-wise (aka as shooting oneself in the foot)! Save, exit and reboot - done! If now you try to log in as user volumio, you will receive an error message ‘Permission denied’. So now you can leave ssh enabled all the time without fear of unauthorized intruders.
Notes:
- Resetting Volumio to factory defaults will restore the default password for the volumio user and disable ssh. I don’t know if it also restores the sshd_config file, so I wouldn’t rely on it.
- These instructions have been tested and found to work with Volumio 2.411. For other versions, at least check what groups the volumio user belongs to (type groups volumio) and adjust the usermod command in step 2 if necessary.
- You can always revert the changes by removing the line containing AllowUsers from /etc/ssh/sshd_config if you so desire.
- Do not be tempted to enable root ssh access in /etc/ssh/sshd_config. It is disabled by default for a good reason: security.
Cheers,
Victor