PiAware 3.5.0 Install: Security Faux Pas

Guys,
Since going to a new P2B, a new FlightAware dongle+ and the new 3.5.0 image of PiAware, my network has struggled, and I got looking. Nothing conclusive was found after a complete network shut-down, network isolation of everything and a slow re-start/re-connect, but it’s currently going again.

Also found that SSH wasn’t enabled on my PiAware system, so I also investigated that. “raspi-config” didn’t offer an option to turn SSH on or off, so I assumed I needed to install it. However, the image did include it; it just wasn’t active. This makes remote control of my new PiAware system impossible. I found remote access useful on the earlier installation.

Was quite concerned to see that the default PiAware SSH configuration file allowed SSH root login “without-password”. I’m still very much a novice on this, but in these troubled times this has to be something of a MASSIVE FAUX PAS! All advice I’ve found sets any remote root login to “no”. Can’t be sure that a rogue connection can’t be made via dump1090.

Am I missing something or just paranoid?

There are some very nice tutorials in here; they were posted under “Bake a Pi” by user abcd567 from Canada. Just do a search using this tag.
In there you can find the solution for enabling SSH and all the steps to install PiAware.

Regards

Alex

This is the standard Raspbian config.

You can enable ssh in the standard ways:

raspberrypi.org/documentati … ccess/ssh/
flightaware.com/adsb/piaware/build/optional (step 1)

The sshd config is the standard upstream one. I think you do not understand what “without-password” means. See the sshd_config manpage:


     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be “yes”, “prohibit-password”, “without-password”,
             “forced-commands-only”, or “no”.  The default is
             “prohibit-password”.

             If this option is set to “prohibit-password” or
             “without-password”, password and keyboard-interactive
             authentication are disabled for root.

i.e. you can’t log in as root using a password, but you can log in via other methods, e.g. by configuring a public key. (I wouldn’t recommend that; log in as a regular user and “sudo”.)

If you think the default sshd config should be different, please take this up with the Raspbian/Debian security teams - I am not going to second-guess them.
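To make the point about “without-password” concrete, here is an added example (not code from the forum thread, from PiAware or from Raspbian) that reads an sshd_config in the way the manpage describes: the first occurrence of a keyword wins, PermitRootLogin defaults to “prohibit-password”, and “prohibit-password”/“without-password” rule out password and keyboard-interactive logins for root while leaving public-key logins possible. The sample configs are constructed for the example; the `Match`-block handling (everything after the first `Match` line is ignored) and the treatment of “forced-commands-only” as a public-key-only method are simplifying assumptions of this example, not a complete model of sshd.

```python
"""
Report which ways root could authenticate over SSH, given an sshd_config.

Added example, not from the forum thread, PiAware or Raspbian. It follows
the rules the sshd_config manpage states: the first value seen for a keyword
wins, PermitRootLogin defaults to "prohibit-password", and
"prohibit-password"/"without-password" disable password and
keyboard-interactive authentication for root but not public keys.
Assumption: Match blocks are not evaluated; parsing stops at the first
"Match" line, so only the global section is considered.
"""
import re

# Defaults as documented in sshd_config(5) for these keywords.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

# Older configs spell the keyboard-interactive switch differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section (keywords lowercased)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "key value" and "key=value"
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        if keyword == "match":
            break  # assumption: conditional blocks are not modelled
        if len(parts) < 2:
            continue
        settings.setdefault(keyword, parts[1].strip().lower())  # first occurrence wins
    return settings


def effective(settings, keyword):
    """Value from the config, or the documented default when unset."""
    return settings.get(keyword, DEFAULTS[keyword])


def root_login_methods(text):
    """Set of methods root could use: subset of {'password', 'publickey'}."""
    s = parse_sshd_config(text)
    prl = effective(s, "permitrootlogin")
    if prl == "no":
        return set()
    methods = set()
    if effective(s, "pubkeyauthentication") == "yes":
        methods.add("publickey")  # also covers forced-commands-only (assumption)
    if prl == "yes" and (
        effective(s, "passwordauthentication") == "yes"
        or effective(s, "kbdinteractiveauthentication") == "yes"
    ):
        methods.add("password")
    # prohibit-password / without-password: no password for root, keys still work
    return methods


# Constructed samples (not copied from any real image).
AS_DESCRIBED = """
# resembles what the poster reported seeing
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
UsePAM yes
"""

WEAK = """
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("as described", AS_DESCRIBED), ("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name:13s} root can log in via: {sorted(root_login_methods(cfg)) or 'nothing'}")
```

On a live Raspbian/PiAware box the authoritative answer comes from sshd itself rather than from reading the file: `sudo sshd -T | grep -i permitrootlogin` prints the effective value after defaults and Match blocks are applied, and `sudo raspi-config nonint do_ssh 0` or an empty `ssh` file on the boot partition enables the service as the linked documentation describes.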