Remove SSH warning about default password

Question

I'm running Jessie Pixel on my RP2 and every time I log in via SSH I get the message:

SSH is enabled and the default password for the 'pi' user has not been changed. This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

Not even via SSH. When I log in to the GUI I get a warning box with the same error. I don't want to change the default password, even if I know it is a security risk. How can I prevent the warning message from appearing?

Please accept one of the answers that solve your problem. This will finish your question and it will not pop up again year by year. — Ingo, Nov 04 '19 at 16:51

score 15 · Answer 1 · edited Jun 16 '20 at 10:47

Method 1 (still recommended, even if you don't like it):

Change the password for the user pi

Method 2:

Remove the file /etc/profile.d/sshpasswd.sh (sshpwd.sh for stretch)

It contains the code checking for the password and displaying the message (see this)

Notice:

Not even via SSH. When I log in to the GUI I get a warning box with the same error.

This message is meant to encourage you to take steps to protect your device from bots on the internet which constantly scan IP addresses trying the default user: pi password: raspberry on SSH port.

Regardless of what method you use to reach your system, the message warns you (it should be more explicit, imho) that these bots can log in to your system using the well-known default credentials and take control of your device.

Best practice:

Regardless of the message you should never^* leave password-based authentication on SSH. Check the advice from Raspberry.SE moderator on how to improve the SSH Security and Usability: Part 1 and Part 2.

^* and if for some obscure reason you think you must, you should limit it to a specific IP address and user in SSH daemon config.

sshpasswd.sh appears to now be sshpwd.sh – Jim Fred Mar 12 '17 at 00:43 — Jim Fred, Mar 12 '17 at 00:43

score 5 · Answer 2 · answered Nov 04 '19 at 13:52

5

You can remove /etc/profile.d/sshpwd.sh without breaking the integrity of the system by uninstalling the package it comes from:

sudo apt purge libpam-chksshpwd

This package has no purpose other than displaying that warning, as shown by apt-cache show libpam-chksshpwd:

Description: PAM module to enable SSH password checking support

This package includes libpam_chkpasswd, a PAM module that checks to
see if the default password has been changed when SSH is enabled.

answered Nov 04 '19 at 13:52

Edgar Bonet

235
2
6

On Raspbian Jessie, trying to remove libpam-chksshpwd results in an error: Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be REMOVED: libpam-chksshpwd* pprompt* 0 upgraded, 0 newly installed, 2 to remove and 294 not upgraded. After this operation, 89.1 kB disk space will be freed. Do you want to continue? [Y/n] Y dpkg: unrecoverable fatal error, aborting: files list file – Setaa May 29 '20 at 17:23
Confirmed that this worked fine on Raspbian 10. – slm Jan 19 '22 at 03:38

score -1 · Answer 3 · edited Feb 05 '17 at 21:59

-1

try this command

sudo sed -i 's/^\tcheck_hash/#\tcheck_hash\necho "";/' /etc/profile.d/sshpasswd.sh || fail

edited Feb 05 '17 at 21:59

techraf

4,319
10
31
42

answered Feb 05 '17 at 19:37

Stoani

1

Remove SSH warning about default password

3 Answers3