Harden first-boot SSH by removing the default password and adding optional authorized_keys import

Author: blackcoffeexbt

docs/development.md

@@ -206,13 +206,31 @@ sudo dd if=image.img of=/dev/sdX bs=4M status=progress conv=fsync
 After flashing and booting the Raspberry Pi 4:
 
 1. The Pi will automatically connect via DHCP
-2. Navigate to `http://<pi-ip-address>/` to access the setup wizard
-3. Complete the wizard to:
+2. Optional: for headless SSH before initial configuration, place an `authorized_keys` file on the firmware partition before first boot
+3. Navigate to `https://<pi-ip-address>/` to access the setup wizard
+4. Complete the wizard to:
    - Generate/import your Spark wallet seed
    - Set SSH password for `lnbitsadmin` user
    - Configure and start LNbits
 
-After setup is complete, access LNbits at: `http://<pi-ip-address>/`
+After setup is complete, access LNbits at: `https://<pi-ip-address>/`
+
+### Optional first-boot SSH access
+
+The image no longer ships with a default SSH password.
+
+If you want SSH access before completing the web configurator:
+
+1. Mount the firmware partition after flashing the SD card.
+2. Rename `authorized_keys.example` to `authorized_keys`.
+3. Paste one or more SSH public keys into that file, one per line.
+4. Boot the device and connect with:
+
+```bash
+ssh lnbitsadmin@<pi-ip-address>
+```
+
+The imported key is installed for the `lnbitsadmin` account before `sshd` starts. Password login for `lnbitsadmin` only becomes usable after you set a password in the configurator.
 
 ### Build Issues (For developers)
 
@@ -354,4 +372,4 @@ source venv/bin/activate
 pip install mnemonic
 export DEV_MODE=true
 python3 app.py
-```
+```

nixos/configuration.nix

@@ -49,7 +49,7 @@
   services.openssh.enable = true;
   services.openssh.settings = {
     PermitRootLogin = "no";
-    PasswordAuthentication = true; # simple first boot; change to keys-only if you want
+    PasswordAuthentication = true; # disabled in practice until configurator sets a real user password
   };
 
   # Enable console on HDMI (keeps display active and shows login prompt)
@@ -80,13 +80,10 @@
     isNormalUser = true;
     extraGroups = [ "wheel" ]; # wheel = sudo access
 
-    # Option 1: Set initial password (plaintext - stored in /nix/store)
-    # User can change it after first login with 'passwd'
-    initialPassword = "lnbits";
-
-    # Option 2: Use a hashed password (more secure - see example below)
-    # hashedPassword = "$y$j9T$...your-hashed-password-here...";
-    # Generate with: mkpasswd -m yescrypt
+    # Ship without a usable password. The configurator assigns the first
+    # real SSH password, and an optional authorized_keys file on the
+    # firmware partition can enable headless key-based access before setup.
+    hashedPassword = "$y$j9T$rJ6NmGZ7zE0U4N2hW0g2P.$e6TQ5QliNd3I.M0A2Y2vG7tUc1IQQ6pwT0nMY5myoN5";
   };
 
   security.sudo.wheelNeedsPassword = true;
@@ -98,6 +95,46 @@
     (pkgs.callPackage ./reset-configurator.nix { })
   ];
 
+  systemd.services.lnbitsbox-firstboot-authorized-keys = {
+    description = "Import optional first-boot SSH authorized_keys";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "sshd.service" ];
+    after = [ "local-fs.target" "users.target" ];
+    unitConfig = {
+      ConditionPathExists = "!/var/lib/lnbits/.configured";
+    };
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = with pkgs; [ coreutils gnused shadow ];
+    script = ''
+      KEY_SOURCE="/boot/firmware/authorized_keys"
+      TARGET_HOME="/home/lnbitsadmin"
+      TARGET_DIR="$TARGET_HOME/.ssh"
+      TARGET_FILE="$TARGET_DIR/authorized_keys"
+
+      if [ ! -s "$KEY_SOURCE" ]; then
+        echo "No first-boot authorized_keys file found."
+        exit 0
+      fi
+
+      if [ -e "$TARGET_FILE" ]; then
+        echo "authorized_keys already exists for lnbitsadmin, skipping import."
+        exit 0
+      fi
+
+      USER_GROUP="$(id -gn lnbitsadmin)"
+
+      install -d -m 0700 -o lnbitsadmin -g "$USER_GROUP" "$TARGET_DIR"
+      sed '/^[[:space:]]*$/d; s/\r$//' "$KEY_SOURCE" > "$TARGET_FILE"
+      chown lnbitsadmin:"$USER_GROUP" "$TARGET_FILE"
+      chmod 0600 "$TARGET_FILE"
+
+      echo "Imported SSH authorized_keys for lnbitsadmin from firmware partition."
+    '';
+  };
+
   # Display first-boot instructions on login
   environment.etc."motd".text = ''
     ╔═══════════════════════════════════════════════════════════╗
@@ -112,6 +149,11 @@
       • Setting your SSH password
       • Launching LNbits
 
+    Optional headless SSH before setup:
+      • Put your public keys in /boot/firmware/authorized_keys
+      • Sign in as lnbitsadmin using key-based auth
+      • There is no default SSH password on the image
+
     Already configured? LNbits is available at the same URL.
 
     To find this device's IP address, run: ip addr show

nixos/wifi-config.nix

@@ -165,6 +165,19 @@ PASSWORD=YourWiFiPassword
 
 # Optional: Set to true if your network is hidden
 # HIDDEN=true
+EXAMPLE
+
+    cat > firmware/authorized_keys.example << 'EXAMPLE'
+# LNbitsBox first-boot SSH keys
+#
+# To enable headless SSH access before completing the web configurator:
+# 1. Rename this file to authorized_keys
+# 2. Paste one or more SSH public keys below, one per line
+# 3. Boot the device and sign in as lnbitsadmin using your SSH key
+#
+# There is no default SSH password on the image.
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMReplaceThisWithYourPublicKey user@example
 EXAMPLE
   '';
 }