Change SSH password a must?

HiFiGuy528

macrumors 68000
Original poster
Jul 24, 2008
1,850
39
All I installed are PdaNet & My3G on my iPhone 4. Did not install any SSH apps. Am I open to the public just by using JailbreakMe.com?
 

maturola

macrumors 68040
Oct 29, 2007
3,863
1
Atlanta, GA
If you are running SSH, then yes it is a must. But based on what you listed, you did not install OpenSSH.

Having the password set to default is like having an open Wi-Fi network, or leaving the door of your house unlocked. You may be lucky and nothing will happen, but someone can take advantage of that and screw up your device.

Not long ago there was a worm (Ikee) that scanned the network for jailbroken devices with the default SSH password and changed the background (nothing really bad, since he actually could have done much, much worse), but he was trying to prove a point.
 

dhlizard

macrumors G4
Mar 16, 2009
10,214
119
The Jailbreak Community
All I installed are PdaNet & My3G on my iPhone 4. Did not install any SSH apps. Am I open to the public just by using JailbreakMe.com?
There is a big exploit in the iOS 4 firmware which JailbreakMe uses for the jailbreak. If you are on iOS 4 you have it.

Sounds like you are confusing this with OpenSSH password issues. If you have OpenSSH installed on your phone, it is a must that you change both the root and mobile passwords.
 

-MRB

macrumors 6502
Jul 1, 2010
414
0
UK
I tried doing this the other day.


Mobile Terminal crashes upon opening.

And when I try to SSH on my computer, and run the passwd command, it times out?
 

spamdumpster

macrumors 6502a
Jan 22, 2008
574
0
The version of MobileTerminal in Cydia won't work on iOS 4. Google MobileTerminal 426, and you'll find one that does.
 

ulbador

macrumors 68000
Feb 11, 2010
1,554
0
I tried doing this the other day.


Mobile Terminal crashes upon opening.

And when I try to SSH on my computer, and run the passwd command, it times out?
Generally the time out occurs because your phone goes to sleep. You have to keep the screen awake and alive long enough to change your passwd.
 

Bakakage

macrumors 6502
Jun 18, 2009
443
0
Here is a super easy way to change your SSH password. Install Rock from Cydia and it will detect your default alpine password and ask if you want to change your password when you open Rock. Just change it from there and then uninstall it. The password will still be changed when you uninstall it.
 

mlts22

macrumors 6502a
Oct 28, 2008
538
32
Here is what I did to make sure the SSH password is locked down:

1: Download and install the Mobile Terminal 426 Debian package.
2: Install sudo via Cydia, and add

ALL = (ALL) NOPASSWD: ALL

via the visudo command. This will allow you to bypass entering the root password by using sudo -i.

3: Change both the mobile user and the root user's passwords. I'd say minimum, 20 characters, realistically 32-48 characters. Just make sure you have both copied down somewhere to be safe.

4: Set /etc/sshd/sshd_config to disallow ssh in as root, disallow ssh in with any password (public key authentication only), and disable it in SBSettings when I can. This should keep almost anyone out, unless there is a zero-day hole in ssh. Maybe changing the port would help, but a decent blackhat likely has run nmap on the box and found where it likely moved to, so I didn't bother.

With these steps, the sshd is still usable for sftp and other items, but using RSA keys, so an attacker is unable to do a brute force attack on the passwords.
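
Added example, not part of mlts22's post or any project's code: a shell check that an sshd_config matches step 4 above (no root login, no password logins, public keys allowed). The function names and both sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): check an sshd_config for the settings
# described in step 4 of the post above.

# Print the global value sshd would use for KEYWORD in FILE (lowercased).
# sshd keeps the first occurrence of a keyword; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }             # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }       # per-user Match blocks are not evaluated
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# Report each setting that still allows root or password logins.
# Return status is the number of findings (0 = matches the post's setup).
audit_sshd_config() {
    fails=0
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    pub=$(effective_value "$1" PubkeyAuthentication)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=${root:-unset}, want no"; fails=$((fails + 1)); }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=${pass:-unset}, want no"; fails=$((fails + 1)); }
    # PubkeyAuthentication defaults to yes, so only an explicit "no" is a finding.
    [ "${pub:-yes}" = yes ] || { echo "FAIL PubkeyAuthentication=$pub, want yes"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: key-only logins, no root login"
    return "$fails"
}

# Constructed sample files (assumed contents, not taken from a real device).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$tmp/hardened" <<'EOF'
permitrootlogin no
PasswordAuthentication=no
PubkeyAuthentication yes
EOF

for f in "$tmp/weak" "$tmp/hardened"; do
    echo "== ${f##*/}"
    audit_sshd_config "$f" || echo "-> $? finding(s)"
done
```

To check a real device, pass the path of its own sshd_config to audit_sshd_config; an unset PermitRootLogin or PasswordAuthentication is reported because the check requires an explicit "no".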
 

HiFiGuy528

macrumors 68000
Original poster
Jul 24, 2008
1,850
39
I am not worried about the PDF hole in Safari.

So since I did NOT install OpenSSH or Terminal app, I don't have to worry about leaving my door unlocked right?
 

qckslvrsiete

macrumors regular
Jun 22, 2010
230
0
Here is what I did to make sure the SSH password is locked down:

1: Download and install the Mobile Terminal 426 Debian package.
2: Install sudo via Cydia, and add

ALL = (ALL) NOPASSWD: ALL

via the visudo command. This will allow you to bypass entering the root password by using sudo -i.

3: Change both the mobile user and the root user's passwords. I'd say minimum, 20 characters, realistically 32-48 characters. Just make sure you have both copied down somewhere to be safe.

4: Set /etc/sshd/sshd_config to disallow ssh in as root, disallow ssh in with any password (public key authentication only), and disable it in SBSettings when I can. This should keep almost anyone out, unless there is a zero-day hole in ssh. Maybe changing the port would help, but a decent blackhat likely has run nmap on the box and found where it likely moved to, so I didn't bother.

With these steps, the sshd is still usable for sftp and other items, but using RSA keys, so an attacker is unable to do a brute force attack on the passwords.
Or open Cydia and add http://cydia.xsellize.com as a source, then search for mobileterminal ios4. I used that to change my passwd.
 

joetwizzy

macrumors member
Sep 12, 2008
71
0
Just a quick related question.

As I understand, Apple set 'alpine' as the default root password. So would changing it ever break/confuse any Apple applications that need to use root (if there are any)?
 

sico

macrumors newbie
Aug 3, 2010
5
0
Here is a super easy way to change your SSH password. Install Rock from Cydia and it will detect your default alpine password and ask if you want to change your password when you open Rock. Just change it from there and then uninstall it. The password will still be changed when you uninstall it.
simples!!
 

Mystikal

macrumors 68020
Oct 4, 2007
2,440
0
Irvine, CA
Just a quick related question.

As I understand, Apple set 'alpine' as the default root password. So would changing it ever break/confuse any Apple applications that need to use root (if there are any)?
I've never had any problems with a changed password.
 

dieburnbot

macrumors 6502a
Aug 18, 2008
928
2
CA
I have the default password set, but I make sure to turn it off via SBSettings every time my phone gets rebooted, which isn't very often. I only turn it on when I need it.
 
