STEP-BY-STEP GUIDES SUMMARY
on how to change SSH default passwords after jailbreak
- Don’t install OpenSSH *) (Cydia link for your information) after jailbreak unless you know exactly what you are doing
- If you can’t avoid SSH by all means follow urgently one of the step-by-step guides
- cydia.saurik.com: Change default passwords
Saurik aka Jay Freeman is the developer of the app Cydia—a downloader, installer and repository after jailbreak. “cd” means “change directory”, “su” means “switch user”. (Tutorial designed for mobile browsers.)
- The same mirrored/cached at IT security company F-Secure
- Simple fix: IF jailbreak AND ssh THEN change passwords by MacRumors user Adam Young with comment by iSee (completed subject).
Other guides (the first two are illustrated)
- Blog iClarified: How to Change the Root Password on Your iPhone
The tutorial hoster iClarified is missing something: You also need to change the password for the ‘mobile’ account, or you’re still vulnerable!
- Computer magazine Macworld: Secure your jailbroken iPhone with a password change—mind the update in the Macworld article!
- Blog Extra Future: How To: Change Your iPhone’s Root Password
You can change the iPhone SSH passwords also using a Mac or PC in the same WiFi network. Again missing user ‘mobile’ in this old tutorial by Extra Future, add that. However it’s highly recommended to change the passwords directly on the iPhone before activating OpenSSH (see “Five important hints” below)!
- Wikipedia: Secure Shell (SSH, OpenSSH), Jailbreak, Cydia
- MacRumors.com: New Malicious Worm Affects Jailbroken iPhones in Netherlands [Updated x2]
Cites IT security company Intego: “The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices”
- Apple Support: Unauthorized modification of iPhone OS has been a major source of instability, disruption of services, and other issues
Five important hints
- Note: If you mess up something or forget your new passwords, you’ll probably have to do a factory reset on your phone.
- It is not enough when you disable SSH in SBSettings because it will activate from alone after a restart of the iPhone or on other occasions (p. e. a “respring” with the patched app SpringBoard) and you probably won’t recognize that. SBSettings (Cydia link) is a switchboard app available after jailbreak. Information at Wikipedia on SpringBoard.
- Most important! <paranoia mode ON> After the iPhone has already been on the net with the default passwords the phone could well have already gotten a nasty backdoor (Wiki) and rootkit (Wiki) installed, and is now 0wn3d by some botnet (Wiki). Changing the SSH passwords now does nothing to clean up that mess! Only way to clean up for sure is to reinstall a new OS using DFU mode (Device Firmware Update), and set up the device as new (iClarified: How to Put an iPhone Into DFU Mode). </paranoia mode OFF> Wikipedia: Paranoia
- If you don’t need it any more—delete OpenSSH immediately via Cydia and restart the iPhone because most passwords are weak! **)
- Note: Any Apple iPhone operating system update or restore will set the passwords for both accounts “root” and “user” back to the well-known defaults “alpine” and “dottie”, respectively.
*) How to establish whether or not SSH Daemon is installed
- Open Terminal.app (on Mac OS X) or Mobile Terminal (on jailbroken iPhones; Cydia link)
- Type nothing but which sshd after the prompt ($), “sshd” means “secure shell daemon”
- Hit Return key
- Terminal will tell you in the next line something like “/usr/sbin/sshd” when SSH is installed, otherwise you’ll get an error message
- Quit Terminal by typing exit after the prompt and hit Return
Note that Mac OS X includes OpenSSH by default.
**) Recommended Password Assistant in Mac OS X (10.4 Tiger or newer)
- Choose System Preferences… from the Apple menu
- Look for the headline System, click Accounts; then click the Password tab
- To access Password Assistant, click the Key icon you see when changing or adding a password to an user account (see note below)
The assistant can create the following types of passwords:
- Memorable (the most useful and recommended)
- Letters & Numbers
- Numbers Only
- FIPS-181 Compliant (not recommended but better than nothing)
A slider adjusts the length, and a bar graph shows the quality and security of your generated password. Security experts are saying that it’s not recommended to create a Password hint.
Additionally you’ll get some tips when your password is too weak.
Note: You actually don’t need to add or change an OS account if you just want a password generated by the Mac OS X Password Assistant; when you’ve got the password(s) close the assistant window with the hidden red x in the window’s title bar (top left) and hit Cancel in the untitled higher-ranking window (with the Key icon and Password hint text field). Close System Preferences. Nothing will be changed or added.
For mobile devices there is a password generator available in the highly rated third-party app 1Password Pro (free until December 1st, 2009). App Store Link.
There are several web-based password generators in the net but be careful with that. Could be malicious. Recommended:
Gibson Research Corporation:
GRC’s Ultra High Security Password Generator
Avoid ambiguous characters like capital letter O and number 0, letters I, l, i, j, number 1 and special characters like | (alt+7), /, \, -, –, — and _, ‘, ` and ´, those can be easily confused when reading, writing and typing.
At this stage of information iPhones with no jailbreak are safe to worm infestation. Jailbroken iPhones where OpenSSH is not installed are safe too, as well as those on which OpenSSH is installed, but the two passwords have been modified (see above) before these devices were connected to the internet (via Wi-Fi or cellular) or logged via Bluetooth (Wikipedia) to other online devices.
Last updated on December 19, 2009
Changes, errata, additions
1 December 2009, added:
“…and restart the iPhone” at “Five important hints”, Item 4
1 December 2009, added:
Last column: “Changes, errata, additions”
19 December 2009, added: