Questions about SSH and root access

Hi!

We are developing a project and we want to deploy it via resin.io.
We have received some questions about the security of resin.io from the IT guys that we are not able to answer.
All the questions refer to production images:

  • Is there a root user? If yes, what is the password?
  • If someone steals the SD card, could they in some way modify it and activate a local ssh on the device as in the development image?
  • How does the SSH connection available with the dashboard and the resin-cli work?

Thank you for the support!

Hi,

Happy to answer the questions:

  • Yes, there is a root user, but there is no valid password for the root user.
  • Yes, the SD card holds the OS image, so in case someone gets access to the SD card they can install arbitrary software on it (like an additional ssh server), set up new users, inject trusted ssh keys etc. They can replace the whole operating system and boot something completely different on the device.
  • The SSH connection via the dashboard connects to one of our back end services, which connects using ssh to the device via our VPN infrastructure and uses public key authentication to log in to the device.

I hope this answers your questions.

Best regards,
Andreas
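
The reply above says root exists without a valid password and that anyone holding the SD card can change accounts on it. As an added example (not resin.io's code and not part of the original posts), this script classifies the password fields of a shadow(5) file read from a mounted card image, so an unexpected password-capable account stands out; the sample file and account names are constructed.

```python
# Added example: audit the password fields of a shadow(5) file copied from a
# mounted SD-card image. SAMPLE_SHADOW is constructed data, not a real image.

SAMPLE_SHADOW = """\
root:*:17000:0:99999:7:::
daemon:!:17000:0:99999:7:::
service::17000:0:99999:7:::
admin:$6$c29tZXNhbHQ$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV:17000:0:99999:7:::
backup:!$6$c29tZXNhbHQ$abcdefghijklmnop:17000:0:99999:7:::
"""

def classify(field):
    """Return how a shadow password field behaves at login."""
    if field == "":
        return "empty"    # shadow(5): no password is required for this account
    if field[0] in "!*":
        return "locked"   # not a valid crypt(3) result, so no password matches
    if field.startswith("$") and field.count("$") >= 3:
        return "hash"     # modular crypt format: $id$salt$hash
    return "review"       # legacy hash or placeholder: inspect by hand

def audit_shadow(text):
    """Map each account name to its classification."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue      # malformed entry, ignore
        result[parts[0]] = classify(parts[1])
    return result

def password_logins(text):
    """Accounts that can authenticate with a password, or with none at all."""
    statuses = audit_shadow(text)
    return sorted(u for u, s in statuses.items() if s in ("empty", "hash"))

if __name__ == "__main__":
    for user, status in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {status}")
    print("password logins possible:", password_logins(SAMPLE_SHADOW))
```

A locked password field does not block key-based login, so the same review should cover any `authorized_keys` files on the image.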