Vapid Labs
Larry W. Cashdollar
8/2/2012

See http://vapid.dhs.org/advisories/raspberrypi_image_security.html

Since some Raspberry Pi users may be unaware of the security implications of shipping an image with sshd enabled and a published default password, I thought I should make a note of some issues.

RaspberryPi image Occidentalis v0.1

"Adafruit <3 Raspberry Pi - especially how easy it is to hack circuits using the electronics breakout pins! But sadly, the latest official distro "July 15 Raspbian Wheezy" did not have many of the delicious hackables built in. That's why we decided to roll our own distribution.

Our distro is based on "Wheezy" but comes with hardware SPI, I2C, one wire, and WiFi support for our wifi adapters. It also has some things to make overall hacking easier such sshd on startup (with key generation on first boot) and Bonjour (so you can simply ssh raspberrypi.local from any computer on the local network)"

The image enables sshd by default but does not prompt the user to change the root and pi account passwords.

http://learn.adafruit.com/adafruit-raspberry-pi-educational-linux-distro/occidentalis-v0-dot-1

Default login: pi, password: raspberry
The pi account can sudo to root.

Arch Linux ARM

"Arch Linux ARM is based on Arch Linux, which aims for simplicity and full control to the end user. Note that this distribution may not be suitable for beginners."

Default login is root/root with sshd enabled; the user is not prompted to change the password.

The problem is that the root password has been set to "root". sshd_config already has PermitEmptyPasswords no, so an empty root password would not have been usable over ssh, but setting the password to "root" allows remote users to log in as the root user. It would be best on all installations to set PermitRootLogin no in sshd_config.
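The two sshd_config directives mentioned above can be checked mechanically. The following is an added example, not code from any of the images or from this advisory: it reads the global section of an sshd_config (Match blocks are ignored), reports the effective PermitRootLogin and PermitEmptyPasswords values, and writes a hardened copy. The sample config is constructed for the example and is not copied from any image.

```shell
#!/bin/sh
# Added example (not from any Raspberry Pi image): audit an sshd_config for
# PermitRootLogin / PermitEmptyPasswords and write a hardened copy.
# Only the global section is read; Match blocks are ignored.

# sshd_value FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD. OpenSSH keeps the first occurrence of
# a keyword (keywords are case-insensitive); DEFAULT is used when it is absent.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == key    { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# check_sshd FILE -> status 0 when both directives are "no", 1 otherwise.
# PermitRootLogin defaulted to "yes" in the OpenSSH releases shipped in 2012,
# so a missing directive is reported as a finding.
check_sshd() {
    rc=0
    root_login=$(sshd_value "$1" PermitRootLogin yes)
    empty_pw=$(sshd_value "$1" PermitEmptyPasswords no)
    if [ "$root_login" != "no" ]; then
        echo "$1: PermitRootLogin is '$root_login' (want: no)"; rc=1
    fi
    if [ "$empty_pw" != "no" ]; then
        echo "$1: PermitEmptyPasswords is '$empty_pw' (want: no)"; rc=1
    fi
    return $rc
}

# harden_sshd IN OUT -> copy IN to OUT with PermitRootLogin forced to "no".
# The explicit directive is written first so it wins; existing PermitRootLogin
# lines are commented out so the file reads unambiguously.
harden_sshd() {
    {
        echo "PermitRootLogin no"
        awk 'tolower($1) == "permitrootlogin" { print "#" $0; next } { print }' "$1"
    } > "$2"
}

# Constructed sample resembling a shipped sshd_config (not copied from any image).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Stock settings
Port 22
#PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
UsePAM yes
EOF
HARDENED_CFG=$(mktemp)

check_sshd "$WEAK_CFG" || echo "weak config: see findings above"
harden_sshd "$WEAK_CFG" "$HARDENED_CFG"
check_sshd "$HARDENED_CFG" && echo "hardened config: both directives are no"
```

Run it against /etc/ssh/sshd_config on a fresh image to see which directive is at fault; after changing the file, sshd must be restarted for the new setting to take effect.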

http://downloads.raspberrypi.org/images/archlinuxarm/archlinuxarm-13-06-2012/archlinuxarm-13-06-2012.zip

If you are going to enable sshd by default, please prompt the user to change the default password on first boot.

If you are going to connect these Pis to a network, be sure to use strong passwords.
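One way an image could implement the first-boot prompt recommended above is to expire the shipped passwords so the first login forces a change. The script below is an added example written for this advisory, not code from any of the images: the account list, marker path and the shadow-file sample are assumptions constructed for the example, and it runs in dry-run mode unless DRY_RUN=0 is set by root.

```shell
#!/bin/sh
# Added example (not from any Raspberry Pi image): expire the published default
# passwords on first boot so the user must choose new ones at the first login.
# "chage -d 0 USER" sets the last-change date to 0, which makes login(1) and
# sshd demand a new password before the session starts.

DEFAULT_ACCOUNTS="pi root"            # assumed: accounts shipped with a published password
MARKER=/var/lib/first-boot-done       # hypothetical marker so this runs only once
: "${DRY_RUN:=1}"                     # DRY_RUN=0 (as root) applies the change for real

# needs_expiry SHADOW_FILE USER -> status 0 when USER has a usable (not locked)
# password whose last-change field is not already 0.
needs_expiry() {
    res=$(awk -F: -v user="$2" '
        $1 == user {
            seen = 1
            # $2 = hash ("!" or "*" prefix means locked), $3 = days since epoch of last change
            if ($2 !~ /^[!*]/ && $3 != "0") print "yes"; else print "no"
        }
        END { if (!seen) print "no" }
    ' "$1")
    [ "$res" = "yes" ]
}

# plan_expiry SHADOW_FILE -> print the default accounts that still need expiring.
plan_expiry() {
    for u in $DEFAULT_ACCOUNTS; do
        needs_expiry "$1" "$u" && echo "$u"
    done
    return 0
}

# first_boot SHADOW_FILE -> apply the plan once, then leave the marker behind.
first_boot() {
    if [ -e "$MARKER" ]; then
        echo "first boot already handled"
        return 0
    fi
    for u in $(plan_expiry "$1"); do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would run: chage -d 0 $u"
        else
            chage -d 0 "$u"
        fi
    done
    [ "$DRY_RUN" = "1" ] || touch "$MARKER"
}

# Constructed shadow sample: pi still has its shipped password, root was already
# expired (field 3 = 0), nobody is locked. The hashes are placeholders, not real.
SHADOW_FILE=$(mktemp)
cat > "$SHADOW_FILE" <<'EOF'
root:$6$placeholder$NOTAREALHASH:0:0:99999:7:::
pi:$6$placeholder$NOTAREALHASH:15500:0:99999:7:::
nobody:*:15500:0:99999:7:::
EOF

first_boot "$SHADOW_FILE"
```

Hooked into the image's boot sequence and pointed at the real /etc/shadow with DRY_RUN=0, the script leaves the shipped accounts usable for the first console or ssh login but refuses to open a shell until a new password has been set.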

Bootable Raspbian "Pisces" Image by Mike Thompson

"Please Note: The Raspberry Pi Foundation has produced and released their own recommended image of Raspbian. All users are encouraged to download the Foundation image as it is the best supported image within the Raspberry Pi Forums. This "official" Raspbian image can be downloaded directly from the Raspberry Pi Website Downloads Page.

Mike Thompson has produced a publicly available SD image of Raspbian that is bootable on Raspberry Pi hardware. This is called the "pisces" image as that is what Mike's Raspberry Pi system is named on his LAN."

sshd_config allows remote root login. The default logins are:

root / raspbian
raspbian / raspbian