Securing your CloudReady device

Warning: These changes need to be re-done after each OtA update

 

If you're using the free, Home Edition of CloudReady, then your machine comes with more flexibility and freedom than our paid version. In particular, you have access to the cmd line (using ctl+alt+t or ctl+alt+f2) where you can make changes that are not possible through the GUI. But this extra freedom comes with a loss in security that you may want to counteract.

 

Chromium OS (and thus CloudReady) has only two users by default - root, and chronos. In our Home Edition, root has no password, and chronos has password "chrome". These passwords are universal to all downloads of the Home Edition so that everyone has the same easy way to explore. But, just as Neverware has taken user-advice in the past to reduce network-vulnerability of CloudReady, you may want to change the chronos and root passwords to disallow others from using the cmd line on your machine.

 

Here's how:

STEPS TO CHANGE ROOT AND CHRONOS PASSWORDS:

1) Access a cmd-line using ctl+alt+t (followed by the "shell" command) when at the desktop, or ctl+alt+f2 from anywhere (some computers will need ctl+alt+fn+f2)

2) Allow yourself to make changes to these settings by running:

sudo mount -o rw,remount /

(enter password "chronos" as prompted)

3) Now run the command to actually change the password for chronos:

sudo passwd chronos

(enter the new password you want, following by enter, twice as prompted)

4) Now change the root password to the same or a different password:

sudo passwd root

(enter the new password you want, following by enter, twice as prompted)

5) Now make your disc read-only again for security.

sudo mount -o ro,remount /

 

That's it! You should have as secure of access as you'd like now.

Have more questions? Submit a request

6 Comments

  • Avatar
    Gonz

    Hi Forrest, when the command line screen appears, there are several warnings as the welcome message, including one comment on how to change the password. It is a different command than what you recommend here. I ignored it and preferred to follow your steps, but it is a bit confusing. Maybe this is something you guys could change to be consistent...
    Thanks
    Gonz

  • Avatar
    SignedAdam

    Great stuff, followed everything you said, and now I feel safer, the guide works,

    off topic : now, if only you could enter a pin on the login screen, (not my main google password) that would make life so much easier

    Edited by SignedAdam
  • Avatar
    Marc Higgins

    Hi Forrest, thanks for this guide & all the work you guys have done on CloudReady. Your guide is very helpful & it makes for a much more secure environment. You may want to add to your instructions that after entering "ctl+alt+t" you need to type "shell" before "sudo mount -o rw,remount /"

  • Avatar
    FLahey

    Thanks to Forrest and +1 to Marc comments.

  • Avatar
    Gonz

    It looks like the OTA update to v54.1 erased the previous password settings and went back to default... Forrest, can you confirm?
    Something to keep in mind if we have to execute this routine after every update.

  • Avatar
    Forrest Smith

    Hey Gonz -

    I just checked on this and you're entirely right - I should have anticipated.

    I'll file this as a bug and add a warning note to this article - thanks for bringing this to our attention!

Please sign in to leave a comment.
Powered by Zendesk