WARNING: latest Raspberry Pi OS image (April 4th 2022)

The latest Raspberry Pi OS image (April 4th 2022) comes without a default user/password.

This implies that for a headless installation you need to create at least two files:

  • ssh (no extension), no content; this enables SSH.
  • userconf.txt, containing a single line of text of the form username:encrypted-password
  • optional file (for wireless): wpa_supplicant.conf

You can read about it here, section "headless setup".

After trying this a few times, I created the file (single line, no additional linefeed) with this content:

pi:$6$/4.VdYgDm7RJ0qM1$FwXCeQgDKkqrOU3RIRuDSKpauAbBvP11msq9X58c8Que2l1Dwq3vdJMgiZlQSbEXGaY5esVHGBNbCxKLVNqZW1

This gives the user "pi", password "raspberry" (as it used to be in earlier releases).

I tried the procedure twice with the above username/password, with success, to ensure I can reuse the same userconf.txt file for all installations in the future.

What I don't understand is that the command echo "raspberry" | openssl passwd -6 -stdin (see the instruction in the above link), executed on my running Pi-hole (image January 28th 2022), generates a different encrypted password every time I run the command.


Not really related to Pi-hole, so take it with a grain of salt: :wink:
Without having checked the exact algorithm (-6) used, I'd guess that the password is salted with some time-based randomness.
I'd stick with the random salt, but if you'd want the output to be reproducible, you may have to supply your own -salt <string>.


Add your own -salt if you want the exact same hash to be generated:

pi@ph5b:~ $ openssl passwd --help
Usage: passwd [options]
Valid options are:
 -help               Display this summary
 -in infile          Read passwords from file
 -noverify           Never verify when reading password from terminal
 -quiet              No warnings
 -table              Format output as table
 -reverse            Switch table columns
 -salt val           Use provided salt
 -stdin              Read passwords from stdin
 -6                  SHA512-based password algorithm
 -5                  SHA256-based password algorithm
 -apr1               MD5-based password algorithm, Apache variant
 -1                  MD5-based password algorithm
 -aixmd5             AIX MD5-based password algorithm
 -crypt              Standard Unix password algorithm (default)
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Without:

pi@ph5b:~ $ openssl passwd -6 -stdin <<< 'raspberry'
$6$OTqfoJTi5GIunRGY$lNS5kJHwvQKnkZQe7HzMmbVHcSVxGw1ffdcWjCi0fefMwApXkteSKRtchHaHnx86UbkvU52RVMQYT/54vF.8r/
pi@ph5b:~ $ openssl passwd -6 -stdin <<< 'raspberry'
$6$B54fxCEHsu2WB5l8$gI8MYctoxaQFKHw/MMhXgqShBzjHJUr7CoVTF9sO7p2g.CWHFzxdKLYKc3i9fiObEieHafElHbA2bfx0xgfSy1

With your own -salt:

pi@ph5b:~ $ openssl passwd -6 -salt '1234567890' -stdin <<< 'raspberry'
$6$1234567890$SayAY/Br/GDRWcYkdEnngrqUs9Olojn0VrbY79drLLdxhn..oDsHJTLJBiaJLzr6bPG37Utkw/ccgWirLuN7g/
pi@ph5b:~ $ openssl passwd -6 -salt '1234567890' -stdin <<< 'raspberry'
$6$1234567890$SayAY/Br/GDRWcYkdEnngrqUs9Olojn0VrbY79drLLdxhn..oDsHJTLJBiaJLzr6bPG37Utkw/ccgWirLuN7g/
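
An added example, not from the thread or from the Raspberry Pi documentation: a small POSIX shell script that writes the two boot-partition files described in the first post and verifies a userconf.txt hash. It also shows why every run of openssl passwd -6 prints a different string: the 16 characters between the second and third "$" are a random salt, and the digest can be recomputed from the password plus that salt, so each of the differing outputs is a valid hash of the same password. The function names are my own, and it assumes openssl 1.1.1 or newer (the first version with the -6 option).

```shell
#!/bin/sh
# Added example (not from the thread): stage the two files needed for a
# headless Raspberry Pi OS first boot and verify a "$6$" (sha512-crypt) hash
# by recomputing it with the salt embedded in the hash itself.
# Assumes openssl >= 1.1.1 (for "passwd -6").
set -eu

# sha512crypt PASSWORD [SALT] -> "$6$salt$digest".
# Without SALT openssl picks a random 16-character salt, so two calls differ;
# with SALT the result is reproducible.
sha512crypt() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -6 -stdin
    fi
}

# verify_hash PASSWORD HASH -> 0 if HASH is the sha512-crypt of PASSWORD.
# The salt is field 3 of the "$"-separated hash ("", "6", salt, digest).
verify_hash() {
    case $2 in
        '$6$rounds='*) echo "verify_hash: rounds= hashes are not supported by openssl passwd" >&2; return 2 ;;
        '$6$'*) ;;
        *) echo "verify_hash: not a sha512-crypt hash" >&2; return 2 ;;
    esac
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    [ "$(sha512crypt "$1" "$salt")" = "$2" ]
}

# write_boot_files DIR USER PASSWORD [SALT]
# Write into DIR (the FAT boot partition) an empty "ssh" file and a
# "userconf.txt" holding exactly "USER:HASH" with no trailing newline.
write_boot_files() {
    dir=$1 user=$2
    hash=$(sha512crypt "$3" "${4:-}")
    : > "$dir/ssh"
    printf '%s:%s' "$user" "$hash" > "$dir/userconf.txt"
}

# check_userconf FILE PASSWORD -> 0 if FILE is a single "user:hash" line with
# no trailing newline and the hash matches PASSWORD; prints the user name.
check_userconf() {
    f=$1
    [ -n "$(tail -c1 "$f")" ] || { echo "check_userconf: $f is empty or ends with a newline" >&2; return 1; }
    [ "$(grep -c '' "$f")" -eq 1 ] || { echo "check_userconf: expected exactly one line" >&2; return 1; }
    line=$(cat "$f")
    user=${line%%:*}
    hash=${line#*:}
    case $user in '') echo "check_userconf: empty user name" >&2; return 1 ;; esac
    case $hash in *:*) echo "check_userconf: more than one ':' in line" >&2; return 1 ;; esac
    verify_hash "$2" "$hash" || { echo "check_userconf: hash does not match password" >&2; return 1; }
    printf '%s\n' "$user"
}

# Usage: sh stage_headless.sh /media/boot pi raspberry [salt]
if [ "$#" -ge 3 ]; then
    write_boot_files "$1" "$2" "$3" "${4:-}"
    check_userconf "$1/userconf.txt" "$3" >/dev/null && echo "wrote $1/ssh and $1/userconf.txt"
fi
```

The salt argument is only useful when the file has to be byte-identical across installs, as in the first post; for a one-off card, let openssl pick the salt. check_userconf catches the two mistakes that make the first boot fail silently: an editor-added trailing newline and a hash that does not belong to the password you think it does.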

You have always had to do the first and last steps with Raspbian or Raspberry Pi OS.


And the second step will automatically be done for you when using the Raspberry Pi Imager tool, something I recommend.

I always use the dd tool on another system to write to SD.
And mount the root and boot partitions to touch /boot/ssh and create wpa_sup if needed.
Not a biggie to do an extra:

sudo useradd -R /mnt/sd-card-root-partition-mount/ -m -p "$(openssl passwd -6 -stdin <<< 'raspberry')" pi

pi@ph5b:~ $ man useradd
[..]
       -R, --root CHROOT_DIR
           Apply changes in the CHROOT_DIR directory and use the
           configuration files from the CHROOT_DIR directory.
[..]
       -m, --create-home
           Create the user's home directory if it does not exist. The files
           and directories contained in the skeleton directory (which can be
           defined with the -k option) will be copied to the home directory.

           By default, if this option is not specified and CREATE_HOME is
           not enabled, no home directories are created.
[..]
       -p, --password PASSWORD
           The encrypted password, as returned by crypt(3). The default is
           to disable the password.

           Note: This option is not recommended because the password (or
           encrypted password) will be visible by users listing the
           processes.

           You should make sure the password respects the system's password
           policy.

I don't need to add wpa_sup, and dd doesn't work from Windows. Besides that, the Raspberry Pi Imager tool can write to the SD card from zipped images (backups).


So can dd if piped from unzip/gzip.
I prefer dd as I don't need any desktop and could even do it from my Linux NAS (which stores the zipped images).
But I prefer my Debian laptop, which has a reliable card reader.
For Windows, the Pi Imager is a very nice tool.

The ssh file was always required for the SSH server to be installed. But previously it was usable OOTB with the pi user. Since OpenSSH does not allow root password logins by default, without a non-root login user you wouldn't be able to log in via SSH. Though I'm currently unsure whether there is a way to deploy an SSH public key for root with some file/config in /boot :thinking:.

My understanding is that the Raspberry Pi Imager has a settings icon where you can create this configuration.
The default images will add those files for you.
(At least that is what a colleague told me when he needed some instructions for installing Pi-hole.)
I haven't done any new installations this month.

[Three screenshots of the Raspberry Pi Imager advanced options, taken 2022-04-13]


Nice, even a public key can be added via the Imager. It would be nice to have a way of doing that just by placing/editing a file in the boot filesystem, so as not to depend on the Imager or a GUI in general, but usually that is not an issue.

Isn't that what I did in the first post of this topic?

I use (since forever) SD Card Formatter and WinDiskImager. After the write has completed, I simply drag/drop the required files onto the SD card, eject, done.

You created the pi user with password, but not the public SSH authentication key (for passwordless and safer SSH authentication), or did I overlook something?

Nope, correct, haven't investigated that option, however,

I assume Raspberry Pi Imager (a Windows app; Mac version available) can only write to the FAT32 boot partition. Assuming this is correct, it implies a file is added to the boot partition, containing this information, which is used to create the required files when the system boots for the first time. Simply find the name (documented?) of the file and add it (drag/drop) to the boot partition before ejecting the SD card.

Personally, I copy the required files into the /home/pi/.ssh folder and change the owner and permissions using a script whenever performing a new install, after first boot.

I was wondering exactly that, since there are no native ext4 drivers for Windows and the 3rd-party ones I know are either read-only or, when used for writing, often destroy the filesystem (when I last tested). A look into the FAT partition after using the Imager should give clarification. SD cards here are currently in heavy use, but I will do that when I find time.

Boot:

firstrun.sh

#!/bin/bash

set +e

# Hostname chosen in the Imager; keep the 127.0.1.1 entry in /etc/hosts in sync.
CURRENT_HOSTNAME=`cat /etc/hostname | tr -d " \t\n\r"`
echo raspberrypi >/etc/hostname
sed -i "s/127.0.1.1.*$CURRENT_HOSTNAME/127.0.1.1\traspberrypi/g" /etc/hosts
# The first user created by the image is the one with UID 1000.
FIRSTUSER=`getent passwd 1000 | cut -d: -f1`
FIRSTUSERHOME=`getent passwd 1000 | cut -d: -f6`
# Newer images ship the userconf-pi helper, which takes the user name and a
# crypt(3) hash ($5$ = SHA256-crypt here). Older images have no helper: set the
# hash with chpasswd -e and rename the existing first user, its group, home
# directory, autologin entries and sudoers rule.
if [ -f /usr/lib/userconf-pi/userconf ]; then
   /usr/lib/userconf-pi/userconf 'dan' '$5$AbMr73TOTV$9.QYdcqu2fqdtmoFvgZ8ZxW71SVt2uyk6uXJ3txMNo1'
else
   echo "$FIRSTUSER:"'$5$AbMr73TOTV$9.QYdcqu2fqdtmoFvgZ8ZxW71SVt2uyk6uXJ3txMNo1' | chpasswd -e
   if [ "$FIRSTUSER" != "dan" ]; then
      usermod -l "dan" "$FIRSTUSER"
      usermod -m -d "/home/dan" "dan"
      groupmod -n "dan" "$FIRSTUSER"
      if grep -q "^autologin-user=" /etc/lightdm/lightdm.conf ; then
         sed /etc/lightdm/lightdm.conf -i -e "s/^autologin-user=.*/autologin-user=dan/"
      fi
      if [ -f /etc/systemd/system/getty@tty1.service.d/autologin.conf ]; then
         sed /etc/systemd/system/getty@tty1.service.d/autologin.conf -i -e "s/$FIRSTUSER/dan/"
      fi
      if [ -f /etc/sudoers.d/010_pi-nopasswd ]; then
         sed -i "s/^$FIRSTUSER /dan /" /etc/sudoers.d/010_pi-nopasswd
      fi
   fi
fi
# Enable the SSH server (the equivalent of the empty "ssh" file), then set the
# timezone and keyboard layout chosen in the Imager.
systemctl enable ssh
rm -f /etc/localtime
echo "America/Los_Angeles" >/etc/timezone
dpkg-reconfigure -f noninteractive tzdata
cat >/etc/default/keyboard <<'KBEOF'
XKBMODEL="pc105"
XKBLAYOUT="us"
XKBVARIANT=""
XKBOPTIONS=""

KBEOF
dpkg-reconfigure -f noninteractive keyboard-configuration
# One-shot: delete this script and strip the systemd.run=... parameters from
# cmdline.txt so it does not run again on the next boot.
rm -f /boot/firstrun.sh
sed -i 's| systemd.run.*||g' /boot/cmdline.txt
exit 0

cmdline.txt

console=serial0,115200 console=tty1 root=PARTUUID=0ee3e8a8-02 rootfstype=ext4 fsck.repair=yes rootwait quiet init=/usr/lib/raspi-config/init_resize.sh systemd.run=/boot/firstrun.sh systemd.run_success_action=reboot systemd.unit=kernel-command-line.target

Ah of course, with the custom first-run script it can all be coded :+1:.

That was with password SSH. I'm running one with keys now...

firstrun.sh

#!/bin/bash

set +e

CURRENT_HOSTNAME=`cat /etc/hostname | tr -d " \t\n\r"`
echo raspberrypi >/etc/hostname
sed -i "s/127.0.1.1.*$CURRENT_HOSTNAME/127.0.1.1\traspberrypi/g" /etc/hosts
FIRSTUSER=`getent passwd 1000 | cut -d: -f1`
FIRSTUSERHOME=`getent passwd 1000 | cut -d: -f6`
# Deploy the public key for the first user (0700 .ssh, 0600 authorized_keys)
# and turn off password logins; the key material was redacted in the post.
install -o "$FIRSTUSER" -m 700 -d "$FIRSTUSERHOME/.ssh"
install -o "$FIRSTUSER" -m 600 <(printf "ecdsa-sha2-nistp256 <KEY>") "$FIRSTUSERHOME/.ssh/authorized_keys"
echo 'PasswordAuthentication no' >>/etc/ssh/sshd_config
if [ -f /usr/lib/userconf-pi/userconf ]; then
   /usr/lib/userconf-pi/userconf 'dan' '$5$AbMr73TOTV$9.QYdcqu2fqdtmoFvgZ8ZxW71SVt2uyk6uXJ3txMNo1'
else
   echo "$FIRSTUSER:"'$5$AbMr73TOTV$9.QYdcqu2fqdtmoFvgZ8ZxW71SVt2uyk6uXJ3txMNo1' | chpasswd -e
   if [ "$FIRSTUSER" != "dan" ]; then
      usermod -l "dan" "$FIRSTUSER"
      usermod -m -d "/home/dan" "dan"
      groupmod -n "dan" "$FIRSTUSER"
      if grep -q "^autologin-user=" /etc/lightdm/lightdm.conf ; then
         sed /etc/lightdm/lightdm.conf -i -e "s/^autologin-user=.*/autologin-user=dan/"
      fi
      if [ -f /etc/systemd/system/getty@tty1.service.d/autologin.conf ]; then
         sed /etc/systemd/system/getty@tty1.service.d/autologin.conf -i -e "s/$FIRSTUSER/dan/"
      fi
      if [ -f /etc/sudoers.d/010_pi-nopasswd ]; then
         sed -i "s/^$FIRSTUSER /dan /" /etc/sudoers.d/010_pi-nopasswd
      fi
   fi
fi
systemctl enable ssh
rm -f /etc/localtime
echo "America/Los_Angeles" >/etc/timezone
dpkg-reconfigure -f noninteractive tzdata
cat >/etc/default/keyboard <<'KBEOF'
XKBMODEL="pc105"
XKBLAYOUT="us"
XKBVARIANT=""
XKBOPTIONS=""

KBEOF
dpkg-reconfigure -f noninteractive keyboard-configuration
rm -f /boot/firstrun.sh
sed -i 's| systemd.run.*||g' /boot/cmdline.txt
exit 0
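
An added example, not the Imager-generated firstrun.sh shown in the two posts above: a shell script that stages what the key-based version of that script does at first boot (authorized key with 0700/0600 permissions, password logins off) against an arbitrary root directory, plus a check for the result and the cmdline.txt cleanup the script performs. Because everything is relative to a root directory, it can be run against a mounted root partition, or against a scratch directory to inspect the outcome before the card ever boots. It goes beyond the script in one respect: instead of appending "PasswordAuthentication no" to sshd_config it writes a drop-in under /etc/ssh/sshd_config.d/, which is the safer form on a bullseye-based image whose sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf" (sshd keeps the first value it sees for each keyword, so a line appended at the end is shadowed by any earlier uncommented setting). File names, function names and the sample key string are mine; the key string is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example; not the Imager's firstrun.sh. Stages an authorized key and a
# "no password logins" sshd drop-in under ROOT, and checks the result.
# Assumptions: GNU or BSD find (-perm exact match) and a Debian bullseye style
# /etc/ssh/sshd_config with "Include /etc/ssh/sshd_config.d/*.conf" at the top,
# so the drop-in is read first and wins.
set -eu

# deploy_key ROOT HOME PUBKEY [OWNER]
# Create ROOT/HOME/.ssh (0700) and authorized_keys (0600). Ownership is only
# changed when running as root, so the same function works in a user-owned
# staging tree; OWNER is a name or UID (e.g. 1000 for the first user).
deploy_key() {
    root=$1 home=$2 key=$3 owner=${4:-}
    case $key in
        'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*) ;;
        'sk-ssh-ed25519@openssh.com '*|'sk-ecdsa-sha2-nistp256@openssh.com '*) ;;
        *) echo "deploy_key: unrecognised key type '${key%% *}'" >&2; return 2 ;;
    esac
    d="$root$home/.ssh"
    mkdir -p "$d"
    chmod 700 "$d"
    ( umask 077; printf '%s\n' "$key" > "$d/authorized_keys" )
    chmod 600 "$d/authorized_keys"
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$d"
    fi
}

# disable_password_auth ROOT
# Drop-in instead of appending to sshd_config (see the header comment).
disable_password_auth() {
    d="$1/etc/ssh/sshd_config.d"
    mkdir -p "$d"
    printf 'PasswordAuthentication no\n' > "$d/10-headless.conf"
    chmod 644 "$d/10-headless.conf"
}

# strip_systemd_run CMDLINE
# Print CMDLINE without the one-shot "systemd.run=..." parameters, i.e. what
# firstrun.sh leaves in /boot/cmdline.txt after it has run once.
strip_systemd_run() {
    printf '%s\n' "$1" | sed 's| systemd.run.*||'
}

# check_staging ROOT HOME -> 0 when .ssh is 0700, authorized_keys is 0600 and
# holds exactly one line, and the drop-in disables password logins.
check_staging() {
    root=$1 home=$2
    d="$root$home/.ssh"
    [ -n "$(find "$d" -maxdepth 0 -type d -perm 700 2>/dev/null)" ] \
        || { echo "check_staging: $d is not mode 0700" >&2; return 1; }
    [ -n "$(find "$d/authorized_keys" -maxdepth 0 -type f -perm 600 2>/dev/null)" ] \
        || { echo "check_staging: authorized_keys is not mode 0600" >&2; return 1; }
    [ "$(grep -c '' "$d/authorized_keys")" -eq 1 ] \
        || { echo "check_staging: expected exactly one key" >&2; return 1; }
    grep -qx 'PasswordAuthentication no' "$root/etc/ssh/sshd_config.d/10-headless.conf" \
        || { echo "check_staging: password authentication not disabled" >&2; return 1; }
}

# Usage: sudo sh stage_ssh.sh /mnt/rootfs /home/pi "$(cat ~/.ssh/id_ed25519.pub)" 1000
if [ "$#" -ge 3 ]; then
    deploy_key "$1" "$2" "$3" "${4:-}"
    disable_password_auth "$1"
    check_staging "$1" "$2" && echo "staged key and sshd drop-in under $1"
fi
```

Run against the mounted root partition this replaces the install/echo lines of firstrun.sh; run against a temporary directory it is a dry run you can diff before writing the card. The check is deliberately strict about permissions because sshd ignores an authorized_keys file that is group- or world-writable (StrictModes), which is the most common reason a "passwordless" first boot ends with no way in.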
