Hello there,

It'd been a long time since I used a linux box, but I wondered how much secured is the root account, and all the device in general.

I've read that to gain root access, you use a little package. Does this mean that the account is not password protected?
Same question for the user "user" which we are logged as?

Once the ssh is installed, if the root/user account is unsecured, everyone may access our device, right?

From what I've seen on here, one is asked for a password when installing openssh (which enables logging in as root, default is having rpoot login disabled).

What if:
"ssh user" into the device
then "sudo gainroot"

Will the distant dude gain root access?

The user doesn't have a password AFAIR until you explicitly set one. Until then you can't login as the user.

Yes, though I think that to be able to SSH in as user you need to set the user passwod via root shell (or use public key, same difference anyway) and thus your security as the same as with password enabled root account.

(open|dropbear)ssh server isn't "official nokia package" anyway so you're supposed to know what you're doing.

If you try to ssh into user after installing openssh it'll ask you for a password. No matter what you enter, you won't be able to enter. Not even if you leave it blank.

As the above users have pointed out its because user has no password (now you would think if that's the case then it's just blank, no password right?). But nope, you can't log into user with any method if there's no password set for user.

You first have to get root access on the tablet and then set a password for user to be able to login as user (not sure about what if you try root since I always turn off root login).

And yes, if they ssh user into the device and do sudo gainroot they will have root access. Though if you setup openssh properly (strong password, change port #, and maybe even do some pub/private keys) you won't see what happened to jailbroken iPhones on the Nokia tablets.

With any Linux SSH if you are worried about security, I recommend disallowing root to login directly to the device. I don't have the N900 as I can't afford it, but I believe it uses openssh which would normally put the conf file in /etc/ssh/sshd_config. Set PermitRootLogin no in that file.

Since giving the default "user" account a password could mess up the phone's normal operation you would add a separate user, can call it ssh_user or something, to the device. Would also recommend using security keys if you're really that concerned and disable password ssh altogether. Add the ssh_user to your sudoers file or allow him to use "su" to get up to root.

After all, the N900 just runs Linux... and Linux is one of the most secure operating systems out there.. the security is there, you just might need to enable it and be careful not to impact the phone itself.

Thanks, yeah I thought "no password" meant "blank password", and I was wrong.
I think it is time I read a few howtos on linux and remember things ^_^

Can you give a basis for that statement? I've been running user with a password (for openssh access via publickey; if no user password, key authentication fails automatically) for a couple of days now, and haven't noticed any issues.

As I've said before I don't have the N900.. I said it could.. I didn't want to offer advice to do something that I personally hadn't tested without a form of disclaimer.

If you're running the default user with a pass with no issues then great... people can instead use the user account and just give it a password. I was offering a solution that I was relatively certain wouldn't affect anything,