Restrict access to Web admin page

Hello everyone,

First of all, great solution. A few glitches to make wifi work correctly, and I had to reboot many times to have both the Zone and Wifi working properly, but once configured correctly, this is solid and resists reboots.

I would like to know if someone found a way (other than limiting the access to a specific IP with a firewall) to restrict access to the configuration web page of RoPieee. User/Password, or ssh public key, or Yubikey, etc…

Also, do you know if the image supports replacing root login with .ssh/authorized_keys? Or at least is there any impact if I change the default password?

Thanks!
Torpi

RoPieee is not meant to be used as a distribution that you can tinker with: it is an appliance and should be considered a black box.

That being said: changing the root password seems the most future-proof option, one that won’t be reset during an update or something like that.

Would an option in the web UI to change the root password be enough for you? Or do you also need a restriction on the web page itself?

@spockfish , Harry — it would seem to me that if one needed to change the root password, it might also be necessary to restrict web admin access as well, as both are important for environments that require some protection against 3rd party “change” to the RoPieee device.

@spockfish Thank you for your reply. Actually, it’s definitely how I understand the product: a black box that I would not customize or touch in any way. That said, there are 2 aspects:

  1. I do not want my kids to connect to the web interface and break the configuration.
  2. I would like to limit as much as I can someone entering the black box with root/pass and accessing my network.

The position of your product, off-the-shelf that just works, is a very good approach to me and therefore I would not really need any ssh access. Actually, I would even remove ssh access with login and password. Plex did that on their embedded version of their endpoint; there is a checkbox in the UI to activate it temporarily.

For 1) I could live with a login/password or an ssh public key.

Does that sound reasonable?
Torpi

How about having a web interface which you could disable on/off via SSH, some config file maybe. That way you can easily change the password for SSH or use a key if you want. I don’t think the password/key will get overwritten on update, but Harry could advise. That way it is the same ‘black box’ for everyone unless someone wants to change the SSH or turn off the web interface?

Yeah that sounds reasonable enough. I’ll put it on the ‘todo list’. Probably in phases, where the simplest one is an option to disable SSH access.

@spockfish thank you! Appreciated!