/media/bill/HOWELL_BASE/System_maintenance/RaspberryPi/rename default pi user.txt
www.BillHowell.ca  22Dec2017 initial


**********************
My commands/results 

$ ssh -X pi@192.168.1.5
>> I logged with passwd
pi@raspberrypi:~ $ sudo useradd -m tempuser -s /bin/bash
pi@raspberrypi:~ $ sudo passwd tempuser
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
pi@raspberrypi:~ $ sudo usermod -a -G sudo tempuser
pi@raspberrypi:~ $ grep sudo /etc/group
sudo:x:27:pi,guest,tempuser
pi@raspberrypi:~ $ exit
logout
Connection to 192.168.1.5 closed.
>> I logged out as "pi" on the raspberry pi
$ ssh -l tempuser 192.168.1.5
tempuser@192.168.1.5's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tempuser@raspberrypi:~ $ id
uid=1003(tempuser) gid=1003(tempuser) groups=1003(tempuser),27(sudo)
tempuser@raspberrypi:~ $ cd /etc
tempuser@raspberrypi:/etc $ sudo tar -cvf authfiles.tar passwd group shadow gshadow sudoers lightdm/lightdm.conf systemd/system/autologin@.service sudoers.d/* polkit-1/localauthority.conf.d/60-desktop-policy.conf

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for tempuser: 
passwd
group
shadow
gshadow
sudoers
lightdm/lightdm.conf
systemd/system/autologin@.service
sudoers.d/010_pi-nopasswd
sudoers.d/README
polkit-1/localauthority.conf.d/60-desktop-policy.conf
tempuser@raspberrypi:/etc $ cd /etc
tempuser@raspberrypi:/etc $ sudo sed -i.$(date +'%y%m%d_%H%M%S') 's/\bpi\b/bill/g' passwd group shadow gshadow sudoers lightdm/lightdm.conf systemd/system/autologin@.service sudoers.d/* polkit-1/localauthority.conf.d/60-desktop-policy.conf
tempuser@raspberrypi:/etc $ grep bill /etc/group
adm:x:4:bill
dialout:x:20:bill
cdrom:x:24:bill
sudo:x:27:bill,guest,tempuser
audio:x:29:bill,pulse
video:x:44:bill
plugdev:x:46:bill
games:x:60:bill
users:x:100:bill
input:x:101:bill
netdev:x:108:bill,guest
bill:x:1000:
spi:x:999:bill
i2c:x:998:bill
gpio:x:997:bill
bill3:x:1002:
tempuser@raspberrypi:/etc $ sudo mv /home/pi /home/bill
tempuser@raspberrypi:/etc $ sudo ln -s /home/bill /home/pi
>> Problem fixed with line break of :
tempuser@raspberrypi:/etc $ sudo [ -f /var/spool/mail/pi ] && sudo mv -v /var/spool/mail/pi /var/spool/mail/bill '/var/spool/mail/pi' -> '/var/spool/mail/bill'
tempuser@raspberrypi:/etc $ ssh -l bill 192.168.1.5
The authenticity of host '192.168.1.5 (192.168.1.5)' can't be established.
ECDSA key fingerprint is a0:1c:ae:92:1d:da:ed:db:1a:e6:71:45:83:a6:3f:a9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.5' (ECDSA) to the list of known hosts.
bill@192.168.1.5's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Dec 22 13:17:00 2017 from 192.168.1.4
tempuser@raspberrypi:/etc $ cd
bill@raspberrypi:~ $ ls -al
total 1356
drwxr-xr-x 31 bill bill    4096 Dec 22 13:28 .
drwxr-xr-x  6 root root    4096 Dec 22 13:38 ..
-rw-r--r--  1 bill bill 1202089 Jun 30  2016 160630 du root.txt
-rw-r--r--  1 bill bill      69 May  8  2017 .asoundrc
-rw-------  1 bill bill    6488 Dec 22 13:28 .bash_history
-rw-r--r--  1 bill bill     220 May 10  2016 .bash_logout
-rw-r--r--  1 bill bill    3512 May 10  2016 .bashrc
drwxr-xr-x  2 bill bill    4096 Sep 24 12:28 bin
drwxr-xr-x 14 bill bill    4096 Nov  2 15:34 .cache
drwx------  8 bill bill    4096 Sep 13 17:48 .claws-mail
drwxr-xr-x 21 bill bill    4096 Nov 26 09:48 .config
drwx------  3 bill bill    4096 May 10  2016 .dbus
drwxr-xr-x  2 bill bill    4096 May 10  2016 Desktop
-rw-r--r--  1 bill bill      55 Dec 22 08:26 .dmrc
drwxr-xr-x  6 bill bill    4096 Dec 22 08:42 Documents
drwxr-xr-x  2 bill bill    4096 Nov  2 16:06 Downloads
drwx------  2 bill bill    4096 Jun 30  2016 .gconf
drwxr-xr-x 24 bill bill    4096 Nov 26 09:46 .gimp-2.8
drwx------  2 bill bill    4096 Dec  7 12:40 .gnupg
drwxr-xr-x  2 bill bill    4096 May 10  2016 .gstreamer-0.10
-rw-r--r--  1 bill bill      26 Sep 13 18:11 .gtkrc-2.0
-rw-------  1 bill bill      54 Nov 26 14:13 .lesshst
drwxr-xr-x  3 bill bill    4096 Dec 31  1969 .local
drwx------  4 bill bill    4096 Nov  2 11:28 .mozilla
drwxr-xr-x  2 bill bill    4096 May 10  2016 Music
drwxr-xr-x  3 bill bill    4096 May 27  2017 MyClubs
drwxr-xr-x  2 bill bill    4096 May 10  2016 .oracle_jre_usage
drwxr-xr-x  2 bill bill    4096 May 10  2016 Pictures
-rw-r--r--  1 bill bill     675 May 10  2016 .profile
drwxr-xr-x  2 bill bill    4096 May 10  2016 Public
drwxr-xr-x  2 bill bill    4096 Dec 31  1969 python_games
drwxr-xr-x  2 bill bill    4096 Sep 24 12:35 Qnial
drwxr-xr-x  2 bill bill    4096 Dec  7 10:03 System_maintenance
drwxr-xr-x  2 bill bill    4096 May 10  2016 Templates
drwxr-xr-x  3 bill bill    4096 Dec 31  1969 .themes
drwx------  4 bill bill    4096 May 10  2016 .thumbnails
drwx------  5 bill bill    4096 Nov  1 20:30 .thunderbird
drwxr-xr-x  2 bill bill    4096 May 10  2016 Videos
drwxr-xr-x 10 bill bill    4096 May 10  2016 .WolframEngine
drwxr-xr-x  3 bill bill    4096 May 10  2016 .Wolfram Research
-rw-------  1 bill bill     113 Dec 22 13:28 .Xauthority
-rw-r--r--  1 bill bill    7889 Oct 27 09:43 .xscreensaver
-rw-------  1 bill bill    2824 Dec 22 10:57 .xsession-errors
-rw-------  1 bill bill     353 Dec 22 08:26 .xsession-errors.old


>> Checking the result
I logged into bill on Pi :




************************************
http://unixetc.co.uk/2016/01/07/how-to-rename-the-default-raspberry-pi-user/

How to Rename the Default Raspberry Pi User
Posted on January 7, 2016	

UPDATED December 2017 for Rasbian Stretch. The Raspberry Pi comes with a default user called “pi”, whose initial password is also set to a well known default. While this makes it easy to use the system, it is not very secure. Anyone with physical access to your Pi could login with these widely known credentials. Furthermore, if you have enabled the SSH server, users on the local network could do the same.

Even if you have changed the “pi” user password, just having a user name that is universally known is still a security risk. The following article explains how to safely rename the “pi” user to something more secure.

The procedure starts with a Raspberry Pi running the latest Raspbian image (Stretch), with no other modifications. It should also work with the older Raspbian versions Jessie and Wheezy.

Caution: Changing the name of the “pi” user will cause a couple of the features of the raspi-config script to stop working, namely the option 2 to change pi’s password (the “passwd” command can easily be used instead), and option 3 to change the boot environment. It will also prevent menu item “Menu->Preferences->Raspberry Pi Configuration” (the graphical equivalent of raspi-config) from running altogether. If these are important to you, consider not continuing with this procedure.

NOTE: Some procedures on the Internet suggest using the usermod command to just rename the “pi” account. I would not recommend this, because usermod does not update secondary group ownerships, and the Pi user user has many of these. For example, the pi user is able to read the /var/log/syslog file by virtue of being a member of the adm group. Altering the pi user with usermod will break this functionality, as well as other features of the Pi account.

Also, the usermod command will often fail, especially on Raspbian 8 (Jessie), with the error message “usermod: user pi is currently used by process“. This is because user pi owns several system processes by default (in Jessie), and further because you may be logged in as pi and thus own one or more shell processes.
Summary

The “pi” user account has higher privileges than a normal Unix user account. This is so that you can use the “pi” account to manage the system effectively. As well as being enabled for sudo, “pi” user is a member of no less than 15 user groups, whereas a normal Unix user usually has only one or two group memberships. Changing the name of the “pi” user is therefore a little more challenging than changing the name of a normal Unix user.

In this procedure, a temporary user account is created and then used to change the “pi” user name. A sed pipeline performs the edits automatically. Afterwards, the temporary user is deleted.
Create a Temporary User Account

Log into your Pi from another system. Login as “pi” user.

Create a temporary user account as follows. This account will be used to make changes to the existing “pi” account and to other parts of the system. At the conclusion of this procedure, the temporary account will be deleted. Type following commands.

pi@pi ~ $ sudo useradd -m tempuser -s /bin/bash
pi@pi ~ $ sudo passwd tempuser

Type a suitable password for the “tempuser” account.

Add the “tempuser” user to the group “sudo”:

pi@pi ~ $ sudo usermod -a -G sudo tempuser

Check the group file. You should see “temp” user has been added to the sudo group:

pi@pi ~ $ grep sudo /etc/group
sudo:x:27:pi,tempuser

Looks good. Now log out of your Raspberry Pi altogether (you are currently logged in as user pi). You should not have any active logins as “pi”. If so, log out of all those sessions.
Login as Temporary User

Login to the Pi again, this time as user tempuser, using the password you created above. I am using SSH from another Linux system, so I do it like this.

othersystem$ ssh -l tempuser <IP address of Pi>

 

Once the login has completed, check that you are now “tempuser”:

tempuser@pi ~ $ id
uid=1001(tempuser) gid=1004(tempuser) groups=1004(tempuser),27(sudo)

That looks correct. NB The numbers 1001, 1004 etc. don’t matter. Yours might be slightly different.
Rename “pi” User

For this example I will change the name of the “pi” user to “frederick”. You should select a different name of your own choosing.

We need to change every reference to “pi” to (say) “frederick” within the files /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow, /etc/sudoers, /etc/lightdm/lightdm.conf, /etc/systemd/system/autologin@.service, /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf and, in more recent Raspbian releases, /etc/sudoers.d/010_pi-nopasswd. We could simply edit each file separately. However it is easier to use the following command, especially since /etc/group (for example) contains 14 or more occurrences of “pi”. As well as being tedious, performing the edits manually could lead to errors that might prevent the pi from working properly, or even make it difficult to login at all.

First, take a backup of each file. The following tar command will do it.

tempuser@pi ~ $ cd /etc
tempuser@pi /etc $ sudo tar -cvf authfiles.tar passwd group shadow gshadow sudoers lightdm/lightdm.conf systemd/system/autologin@.service sudoers.d/* polkit-1/localauthority.conf.d/60-desktop-policy.conf

If you have just seen a couple of error messages about some missing files, eg. lightdm.conf, it probably means you are using a “lite” version of Raspbian. It doesn’t matter though, the command still worked, just carry on with the procedure.

Now issue the following commands to make the changes. Be very careful to get it absolutely as written, including every slash, star, backslash and character, (except that you should replace the word “frederick” with your chosen name):

tempuser@pi ~ $ cd /etc
tempuser@pi /etc $ sudo sed -i.$(date +'%y%m%d_%H%M%S') 's/\bpi\b/frederick/g' passwd group shadow gshadow sudoers lightdm/lightdm.conf systemd/system/autologin@.service sudoers.d/* polkit-1/localauthority.conf.d/60-desktop-policy.conf

The long “sed” command changes every occurrence of the word “pi” in each of the files to “frederick”. Before the change is made however, another backup copy of each file is created, just in case something went wrong or you ever want to undo the change. Having two backups isn’t really needed, it just provides some extra assurance in case the procedure does not work. NB. Raspbian Lite users might see a few messages about missing files again. It doesn’t matter, the command still worked, just carry on.

Check that the changes were made as follows. Replace “frederick” with your chosen name. You should see many matches, as shown.

tempuser@pi ~ $ grep frederick /etc/group
adm:x:4:frederick
dialout:x:20:frederick
cdrom:x:24:frederick
sudo:x:27:frederick,tempuser
audio:x:29:frederick
video:x:44:frederick
plugdev:x:46:frederick
games:x:60:frederick
users:x:100:frederick
input:x:101:frederick
netdev:x:108:frederick
frederick:x:1000:
spi:x:999:frederick
i2c:x:998:frederick
gpio:x:997:frederick

This shows that every occurrence of “pi” in the file /etc/group has been changed to “frederick”.
Change the Name of the Pi Home Directory

Rename the “pi” user’s home directory.

tempuser@pi /etc $ sudo mv /home/pi /home/frederick

Then create a soft link as follows.

tempuser@pi /etc $ sudo ln -s /home/frederick /home/pi

The purpose of the soft link is to correctly resolve any broken references to the old “pi” home directory. For example, it prevents menu items such as “Python Games” from disappearing. Menu entries are controlled by files (under /usr/share/raspi-ui-overrides/applications), which refer to “/home/pi/<whatever>”. Creating the soft link allows the reference to resolve and is a common practice in this kind of situation.
Change the Name of the Crontab File

Rename the “pi” user’s crontab file. Remember to replace “frederick” in the following command with your chosen user name.

tempuser@pi /etc $ sudo [ -f /var/spool/cron/crontabs/pi ] && sudo mv -v /var/spool/cron/crontabs/pi /var/spool/cron/crontabs/frederick
'/var/spool/cron/crontabs/pi' -> '/var/spool/cron/crontabs/frederick'

If the cron tab file called “pi” exists, it will be renamed to “frederick”. If it does not exist, the above command has no effect and nothing is printed. The cron file will exist only if you have previously set up cron jobs for execution under the “pi” user. Those jobs will now continue to be active for user “frederick”, in this example.
Change the Name of the Mail File

If you have ever used email as user “pi”, then a mail file will exist for the user, and it’s name should now be updated.

tempuser@pi /etc $ sudo [ -f /var/spool/mail/pi ] && sudo mv -v /var/spool/mail/pi /var/spool/mail/frederick
'/var/spool/mail/pi' -> '/var/spool/mail/frederick'

If the mail file called “pi” exists, it will be renamed to “frederick”. Emails that were previously sent or received by user “pi” are now available for user “frederick”, in this example. If the file does not exist, the above command has no effect and no message is printed.
Completion

That completes the renaming of the “pi” user. The “pi” user no longer exists, as such. It has been renamed to “frederick”, or whatever name you have chosen. From now on you should log in with the new name. Any operations that were possible with the “pi” user will also be possible with your renamed user.
Test the New User

In another window on a remote system, try to login to the Pi as your new user.

othersystem $ ssh -l frederick <IP address of pi>

Use the same password as previously used for the “pi” user.

Alternatively, if you are using the Pi desktop (the GUI), you could simply logout (Menu->Shutdown->Logout), and then login again with your new user name.

Any data that previously belonged to the “pi” user now belongs to your renamed user (“frederick” in this case), including the pi home directory and everything in it. Check it now:

frederick@pi ~ $ cd
frederick@pi ~ $ ls -al
total 24
drwxr-xr-x 2 frederick frederick 4096 Dec 15 21:16 .
drwxr-xr-x 4 root      root      4096 Dec 17 12:11 ..
-rw------- 1 frederick frederick  773 Dec 17 11:52 .bash_history
-rw-r--r-- 1 frederick frederick  220 Nov 21 20:32 .bash_logout
-rw-r--r-- 1 frederick frederick 3512 Nov 21 20:32 .bashrc
-rw-r--r-- 1 frederick frederick  675 Nov 21 20:32 .profile
...and so on

Change the User Password

If your user password is still the same as the factory default (perhaps because you never changed it for “pi” user), change it to something more secure now:

frederick@jessie:/etc $ passwd frederick
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Remove the Temporary User

Finally, once you are satisfied that the renamed “pi” account (“frederick” above) is working correctly, delete tempuser as follows. If you have any sessions logged into the pi as tempuser, log them out first.

frederick@pi ~ $ sudo userdel tempuser

It might be a good idea to delay this step for a few days, after you have logged into the Pi several times as your renamed user, and you can therefore be sure the renamed user is operating correctly.
Notes

You should find that pressing shift-ctrl-F1 to exit from the graphical desktop into the terminal works as before, with your new user name being auto logged into the terminal. This was achieved when the systemd/system/autologin@.service file was changed.

The udisksctl should also continue to work, if you are a user of that. Changes made to the file 60-desktop-policy.conf switched control of that command from the “pi” user to your new user name.
Conclusion

I hope that this procedure has been useful. Thanks to Simon Blake, Sam Roberts and Nicolas from moodlebox.net and Dooley for file updates (see below).
This entry was posted in Linux, Raspberry Pi, Security and tagged /etc/group, /etc/gshadow, /etc/passwd, /etc/shadow, /etc/sudoers, 60-desktop-policy.conf, autologin@.service, change the pi user, default password, default user, factory default, group, gshadow, home, jessie, lightdm.conf, passwd, pi, pi password, pi user, raspberry pi, raspbian, shadow, sudoers, useradd, usermod, usermod: user pi is currently used by process, wheezy by Jim. Bookmark the permalink. 





# enddoc