reference
Creating a new user
As mentioned, it's a good idea to get rid of the default 'pi' user just to make it harder for anyone who might try to hack you (and there are automated methods that might find you and try it, especially as the Pi itself becomes more popular and the default account details remain the same for each one).
Going into detail on how Linux controls access rights and permissions for users is beyond the scope of this article, but suffice to say it has a concept of "users" and "groups" – users can belong to any number of groups, and groups are used to control permissions and access to files, directories, etc. It's through this system that Linux machines are administered. We want to get a list of groups that the default Pi user belongs to, so that we can create a new user which belongs to all the same groups – and therefor can do everything that the default Pi user can do. Belonging to all the same groups as the 'pi' user is not strictly necessary (and can be a bad idea if you're determined to be as secure as possible), but it can be useful if you want do other stuff with your Pi later. It also keeps this post simpler because being more restrictive would require more knowledge of Linux administration. You can figure that out later if you feel you want to. In the Bash prompt type:
groups
You will see a list output similar to the one below – yours may be different to mine (this article will become old and out of date) so pay attention to your list and not mine!
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
Now we can create a new user. Type the following into the command prompt but remember to use your list of groups (minus the first 'pi' item) and replace USERNAME with the username you want to create. Make sure you type it all on one line (if you're seeing the line wrap here that's just to make things readable for you).
sudo useradd -m -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi USERNAME
Next we set a password for the new user:
sudo passwd USERNAME
Complete the prompts as they appear.
Deleting the default 'pi' user
N
Next you need to add the newuser to the "sudoers" file
Next edit the autologin for the desktop, and replace "pi" with the new user.
Scroll down to the bottom of the file and change the "autologin-user=pi" to the new user. Save and exit.
Now edit the "autologin@.service" file, that where the "pi" processes are coming from, and change it to the new user.
Sudo reboot
The Pi will turn itself off. Un-plug the power, plug in the network cable, then plug the power back in. The Pi will boot up and leave you in a Bash shell asking for a login name: Log-in with your newly created user's details (i.e., don't log in as 'pi').
Type:
Next you need to add the newuser to the "sudoers" file
- CODE: SELECT ALL
sudo visudo
Next edit the autologin for the desktop, and replace "pi" with the new user.
- CODE: SELECT ALL
sudo nano /etc/lightdm/lightdm.conf
Scroll down to the bottom of the file and change the "autologin-user=pi" to the new user. Save and exit.
Now edit the "autologin@.service" file, that where the "pi" processes are coming from, and change it to the new user.
- CODE: SELECT ALL
sudo nano /etc/systemd/system/autologin@.service
- CODE: SELECT ALL
ExecStart=-/sbin/agetty --autologin pi --noclear %I $TERM
Sudo reboot
The Pi will turn itself off. Un-plug the power, plug in the network cable, then plug the power back in. The Pi will boot up and leave you in a Bash shell asking for a login name: Log-in with your newly created user's details (i.e., don't log in as 'pi').
Type:
sudo deluser --remove-all-files pi
There will be a bunch of stuff it couldn't do, but at the end it should say
Removing user `pi' ...
Warning: group `pi' has no more members.
Done.
OK, now you've deleted pi, you can go setup things with your new, safer, username.
Optional step: Setting up Fail2Ban
This application helps to prevent hacking attempts by detecting log-in attempts that use a dictionary attack and banning the offending IP address for a short while. NOTE: If you're using SSH Key Pairs and have disabled SSH Password Authentication then you may not want to bother with this as no-one can hack their way in via a dictionary attack anyway.
sudo apt-get install fail2ban
Wait for this to complete; it should be fine running the default set up so you can stop there, or learn more about customising fail2ban.
