Passwords - best practice?

General Discussions
1

Our system runs on a Raspberry Pi 3B+ with Raspberry OS Lite. At the moment we have a production process where a unique password is generated for each device and logged securely, this allows an engineer to access the device over ssh on site locally as needed.

As I understand it when using mender.io it’s not possible to define a unique password for each device? I’m considering the following

  • Create a very secure password for the pi user thats used on all our future images.
  • Generate an ssh key pair for deployment - keep these secure.
  • Disable ssh password login

In future engineers would just need the ssh key to login on site. We could presumably push out new keys and delete old ones via mender.io updates?

2

Hello @edpgcooper ,

If you need to have remote access, then you might want to use the Troubleshoot add-on, and it’s Remote terminal, File transfer features in particular (instead of SSH): Remote Terminal | Mender documentation. Then you can manage user access on the Mender server instead of having passwords on the devices.

Though the unique configuration case is covered by another add-on: Configure. Configure | Mender documentation. Presently it does not encrypt the value strings, so this is something you can consider to do for credentials (and then decrypt them on the device).

Let us know your thoughts, hope it helps!