A reminder: Jailbreaking is a security risk


psylichon
11-03-2009, 03:46 PM
Not going to stop me from jailbreaking, but this article on iPhone Atlas is worth noting... scary stuff!

http://news.cnet.com/8301-27080_3-10389809-245.html?tag=mncol;title

http://i.i.com.com/cnwk.1d/i/bto/20091103/iPhoneJailbrokenHack_270x400.png

kapolani
11-03-2009, 03:48 PM
Well.

You're a bonehead if you don't change root password.

It's a universal password.

You're also a bonehead if you leave SSH running all the time.

Krunk83
11-03-2009, 03:51 PM
Thanks psylichon! How do you change the Root password in SSH? Is it in the options of Cyberduck?

I keep my SSH off when not in use but would like to change it anyhoo.

Europa
11-03-2009, 03:57 PM
Thanks psylichon! How do you change the Root password in SSH? Is it in the options of Cyberduck?

I keep my SSH off when not in use but would like to change it anyhoo.
That would be wise.
http://iphoneoverdose.com/2008/how-to-change-the-default-alpine-ssh-password-on-your-iphone/

kapolani
11-03-2009, 04:00 PM
You can do it through putty or download mobile terminal.

The command is: passwd

If you do it through mobile terminal you have to su root.

It's very simple. Follow that guide above.

Mickeylittle
11-03-2009, 04:51 PM
I've downloaded mobileterminal twice and it closes a couple seconds after opening it up.

iphonewarrior
11-03-2009, 04:56 PM
We all knew this when we first installed SSH via installer.

I toggle it off all the time, I only use it for mods. I knew it would be a matter of time before people started taking advantage of the iPhone via ssh.

Just to let the other guys know, if you change your password, don't forget what it is, or you will have to restore and re-jailbreak to get it back to 'alpine'

evolution83
11-03-2009, 04:59 PM
Good thing I don't SSH

psylichon
11-03-2009, 05:01 PM
I just keep SSH off when I'm not actively changing anything. And since I don't theme these days, the only time I go in there is to change my email alert tone. :)

Europa
11-03-2009, 05:03 PM
Yeah, but it turns itself on every time you reboot.

iphonewarrior
11-03-2009, 05:05 PM
That would be wise.
http://iphoneoverdose.com/2008/how-to-change-the-default-alpine-ssh-password-on-your-iphone/


For ease;

Launch Mobile Terminal.

Type: passwd
Type: alpine
Type: whatever you like (new password)
Type: type in the same as above. (new password repeated)

This will change the default password, to the one which you would like to use.

iphonewarrior
11-03-2009, 05:06 PM
Yeah, but it turns itself on every time you reboot.

Turn it off every time it reboots.

Just think of them as closing-up checks ;)

kapolani
11-03-2009, 06:28 PM
Don't forget to change mobile as well.

trdspectacoma
11-03-2009, 06:38 PM
How do you change mobile?

kapolani
11-03-2009, 07:05 PM
How do you change mobile?

SSH into your phone or use mobile terminal.

su mobile

Change it like you did root.

Tinman
11-03-2009, 07:34 PM
For ease;

Launch Mobile Terminal.

Type: passwd
Type: alpine
Type: whatever you like (new password)
Type: type in the same as above. (new password repeated)

This will change the default password, to the one which you would like to use.

That could be dangerous advice, as it assumes the user is logged in as root. If they are logged in as mobile, which is how Mobile Terminal defaulted for me, they would merely change the mobile user password.

To change between mobile and root users type

login root or login mobile


Change both passwords!



--
Mike
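
The failure mode described in the post above (running passwd while logged in as mobile and leaving root untouched) can be checked for afterwards. This is an added example, not part of the original thread; it assumes a BSD-style password file (name:hash:uid:...) and a baseline copy saved before any change, and the hashes shown are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: report which of the two accounts the
# thread names (root, mobile) still carry the hash found in a baseline copy
# of the password file, i.e. were never changed with passwd.
# Assumption: both files use the BSD master.passwd layout (name:hash:uid:...).

# hash_of FILE USER -> prints the second field (password hash) for USER
hash_of() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# unchanged_accounts BASELINE CURRENT -> prints accounts whose hash is unchanged
unchanged_accounts() {
    for user in root mobile; do
        base=$(hash_of "$1" "$user")
        cur=$(hash_of "$2" "$user")
        # An empty hash means the account is missing from that file; skip it.
        if [ -n "$base" ] && [ "$base" = "$cur" ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Constructed sample data: placeholder strings stand in for real hashes.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/baseline" <<'EOF'
root:PLACEHOLDER_DEFAULT:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDER_DEFAULT:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
    # Case from the thread: passwd was run as mobile only, root left alone.
    cat > "$dir/current" <<'EOF'
root:PLACEHOLDER_DEFAULT:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDER_CHANGED:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
    unchanged_accounts "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

demo
```

An empty result means both accounts differ from the baseline; any name printed is an account that still needs passwd run for it.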

Europa
11-03-2009, 09:50 PM
Turn it off every time it reboots.

Just think of them as closing-up checks ;)
Yes, obviously. ;)
I was just saying that it's a PITA to have to remember to do that. Sooner or later, you'll forget.

Napoleon_PhoneApart
11-03-2009, 11:00 PM
In the olden days, there used to be a utility to keep SSH from starting on bootup.

Europa
11-03-2009, 11:04 PM
I'm not sure if you're being facetious or not. Is there a utility or is it really gone?

Napoleon_PhoneApart
11-03-2009, 11:15 PM
There really used to be a utility that did that.

Mickeylittle
11-03-2009, 11:28 PM
Europa you doubt Naps? I think you've had a stressful day. ;)

BrownGem
11-03-2009, 11:36 PM
If you change the password then it won't be so risky if you forget to turn it off. Sort of like having a router on all the time. A lot of people don't change the default passwords in those either.

psylichon
11-04-2009, 02:17 AM
I seem to remember a "SSH off after reboot" option somewhere as well. Perhaps it was a Bossprefs feature that never made it over to SBSettings?

fz1dave
11-04-2009, 03:30 AM
Good thing I don't SSH

Same here. I was considering it but I'm sure I can live without it.

Don't think I'd ever use it much anyway.

I think this thread should actually be titled "SSH is a security risk". Jailbreaking in itself doesn't seem to be the problem.

Europa
11-04-2009, 04:14 AM
SSH itself is very secure. You just need to have a good password.

Napoleon_PhoneApart
11-04-2009, 06:45 AM
I seem to remember a "SSH off after reboot" option somewhere as well. Perhaps it was a Bossprefs feature that never made it over to SBSettings?

I think you're right that it was a BossPrefs setting.

iNinja
11-04-2009, 07:00 AM
Wouldn't they also have to know your IP address etc.?

Must be hard work for a hacker to guess a particular IP address and guess it's an iPhone user? Seems a lot of hard work?

kapolani
11-04-2009, 08:30 AM
Wouldn't they also have to know your IP address etc.?

Must be hard work for a hacker to guess a particular IP address and guess it's an iPhone user? Seems a lot of hard work?

Not too hard actually.

It does take a little effort.

One scenario:

But, if you're at a wifi spot you could just rip through likely addys.

192.168.1.x

Something like that. Then find one and you're basically in.

juls1585
11-04-2009, 08:38 AM
I just checked my sbsettings right after a reboot and ssh was off without me turning it off...then again I need to rejailbreak and all that fun because my sbsettings won't hide anything

jet66
11-04-2009, 11:23 AM
Not going to stop me from jailbreaking, but this article on iPhone Atlas is worth noting... scary stuff!


That would be wise.
http://iphoneoverdose.com/2008/how-to-change-the-default-alpine-ssh-password-on-your-iphone/

I wondered about this sort of thing... Thanks for the heads up and the how-to-link respectively, much appreciated!

(I don't have enough posts to activate the Thanks button yet.)

Tinman
11-04-2009, 11:47 AM
I seem to remember a "SSH off after reboot" option somewhere as well. Perhaps it was a Bossprefs feature that never made it over to SBSettings?

The bossprefs feature that I used was not to keep SSH off after a reboot, but rather to ensure it WAS ON. The reason for this was that around firmware 1.2 the Springboard.app was rather flaky. For example if you installed "one too many" apps your springboard could possibly not load--this of course was before the app store even existed. Or a mod gone wrong could leave you in a similar state.

Your only option, since the phone was stuck at a blank screen or Apple logo, was to restore. Unless, of course, you had SSH installed and set to turn on after a reboot. Then it was a matter of SSH'ing into the iPhone, fixing the problem, and voila, it would get to the springboard without issue--no restore needed.

In those days no one with the stamina to jailbreak left their root password at the default, so security was not much of an issue. And in the early days the mobile user was not used, so everything ran as root.

I kinda miss those days. :(



--
Mike

KabaModern
11-04-2009, 12:09 PM
That could be dangerous advice, as it assumes the user is logged in as root. If they are logged in as mobile, which is how Mobile Terminal defaulted for me, they would merely change the mobile user password.

To change between mobile and root users type

login root or login mobile


Change both passwords!



--
Mike

Thanks for that! Mine defaulted to "mobile" as well, I had to change to root.

KabaModern
11-04-2009, 12:18 PM
You guys contemplating using SSH should not be afraid to use it. Change your passwords to something more secure than "alpine" which is common knowledge and turn SSH off when you're not using it.

Simple as that.

uturn68
11-04-2009, 12:41 PM
hmmm, I would like to do this, but when I'm in mobile terminal it won't let me enter anything when it asks for old password (alpine). I can't enter in any text. Any thoughts?

KabaModern
11-04-2009, 12:52 PM
hmmm, I would like to do this, but when I'm in mobile terminal it won't let me enter anything when it asks for old password (alpine). I can't enter in any text. Any thoughts?

You are entering the password, it just does not advance the cursor on the screen for security reasons (i.e., not showing how many characters you're typing).

Tinman
11-04-2009, 12:52 PM
hmmm, I would like to do this, but when I'm in mobile terminal it won't let me enter anything when it asks for old password (alpine). I can't enter in any text. Any thoughts?

I'm not sure what you meant by can't enter any text, but no text is displayed when entering the password in response to the passwd command. Just type it in correctly, press return, and it should work.



--
Mike

jet66
11-04-2009, 12:55 PM
hmmm, I would like to do this, but when I'm in mobile terminal it won't let me enter anything when it asks for old password (alpine). I can't enter in any text. Any thoughts?
It doesn't show the cursor moving, but it is inputting characters. It's not unusual, a lot of command line interfaces work like that when inputting passwords. Try typing 'alpine' and hit Return, even though it looks like nothing was typed. You should see the prompt for the new password come up.

uturn68
11-04-2009, 01:32 PM
aaah, that did it. thanks everyone.

patrickj
11-04-2009, 02:26 PM
That could be dangerous advice, as it assumes the user is logged in as root. If they are logged in as mobile, which is how Mobile Terminal defaulted for me, they would merely change the mobile user password.

To change between mobile and root users type

login root or login mobile


Change both passwords!



--
Mike

What's the default password for the mobile account these days? Apparently it is no longer dottie.

My habit has always been to just keep the SSH service off except when using, but the password changes are something I've been lazy / shy about for too long, as I recall issues with these changes on earlier firmwares.

Tinman
11-04-2009, 02:51 PM
It's alpine for both, Patrick. Dottie is another memory from yesteryear :) .



--
Mike

patrickj
11-04-2009, 03:15 PM
It's alpine for both, Patrick. Dottie is another memory from yesteryear :) .



--
Mike

DOH. It sure is. Had tried that, but obviously fat-fingered it in Mobile Terminal. Thanks Mike.

Krunk83
11-05-2009, 05:42 PM
http://us.cnn.com/video/?/video/tech/2009/11/04/dcl.data.doc.smartphones.cnn

cashonly
11-12-2009, 09:41 AM
MobileTerminal does not work for me.
I have an iPhone 3GS running 3.1.2.
I installed MobileTerminal from Cydia.
But, every time I run it, it shows the keyboard for an instant, then the keyboard disappears. I shut my phone down and restarted and still have the same problem.

What am I doing wrong?

KabaModern
11-12-2009, 10:10 AM
MobileTerminal does not work for me.
I have an iPhone 3GS running 3.1.2.
I installed MobileTerminal from Cydia.
But, every time I run it, it shows the keyboard for an instant, then the keyboard disappears. I shut my phone down and restarted and still have the same problem.

What am I doing wrong?

Interesting. It's working great on 3.1.2 for me. Try uninstalling it through Cydia. Reboot. Reinstall. Reboot. And then open it up.

Mickeylittle
11-12-2009, 10:15 AM
I had the same exact problem cashonly but it works great now. So follow Kaba's advice and you should have it.

cashonly
11-12-2009, 11:00 AM
Interesting. It's working great on 3.1.2 for me. Try uninstalling it through Cydia. Reboot. Reinstall. Reboot. And then open it up.

Unfortunately, that did not work for me.

KabaModern
11-12-2009, 11:03 AM
Unfortunately, that did not work for me.

Try a hard reset. Hold down the power button and home button until you see the Apple logo. Once it boots back up, try MobileTerminal again.

_rds
11-18-2009, 12:51 PM
That could be dangerous advice, as it assumes the user is logged in as root. If they are logged in as mobile, which is how Mobile Terminal defaulted for me, they would merely change the mobile user password.

To change between mobile and root users type

login root or login mobile


Change both passwords!



--
Mike

When I try to go to change the PW on 'mobile' I get the following:

login as: mobile
mobile@192.168.1.8's password:
Ricks-iPhone:~ mobile$ passwd
can't create lock file.
Ricks-iPhone:~ mobile$


I was able to login as 'root' and change the root PW.

Any ideas?

Thanks

Hawk
11-18-2009, 02:26 PM
well, here is a quick question...
If the only way someone can access your phone is through SSH, then you have to have OpenSSH up and running, right? If it's off, then no one can access the phone. Correct me if I am wrong, but I don't see this as a huge problem at all. If you have OpenSSH running all the time, then I suggest changing the password. For everyone else, simply turn it off and make sure that your Mac or PC is up to date on all security software.

iNinja
11-18-2009, 02:33 PM
well, here is a quick question...
If the only way someone can access your phone is through SSH, then you have to have OpenSSH up and running, right? If it's off, then no one can access the phone. Correct me if I am wrong, but I don't see this as a huge problem at all. If you have OpenSSH running all the time, then I suggest changing the password. For everyone else, simply turn it off and make sure that your Mac or PC is up to date on all security software.

Did you read the 1st page? lol, that was assumed back there.
Just messing with you

Krunk83
11-18-2009, 02:35 PM
well, here is a quick question...
If the only way someone can access your phone is through SSH, then you have to have OpenSSH up and running, right? If it's off, then no one can access the phone. Correct me if I am wrong, but I don't see this as a huge problem at all. If you have OpenSSH running all the time, then I suggest changing the password. For everyone else, simply turn it off and make sure that your Mac or PC is up to date on all security software.

Don't worry, you'll forget soon enough and then you'll see what we are talking about. Just remember to turn it off after a reboot because it defaults on.

Hawk
11-18-2009, 04:17 PM
That is the very first thing I do when I reboot. I reboot through SBSettings, and as soon as the phone is back up, I open SBSettings and turn off SSH.
I have about 4 anal-retentive habits I perform with my iPhone.
1) always make sure that the only things that are on are 3G, Edge, and Wifi. Everything else is off.
2) reboot every other morning when taking it off the charger, and then follow rule one before putting it in my pocket
3) charge whenever possible. Drain every other month to 20%
4) touch phone every 10-15 minutes....I love my phone.

Napoleon_PhoneApart
11-18-2009, 04:24 PM
4) touch phone every 10-15 minutes....I love my phone.

That's gonna make your iPhone pretty darned lonely, isn't it?

Hawk
11-18-2009, 04:29 PM
That's gonna make your iPhone pretty darned lonely, isn't it?
It's just a general rule when I am not using it.

Napoleon_PhoneApart
11-18-2009, 04:30 PM
Not using it? What's that?

Hawk
11-18-2009, 04:34 PM
Not using it? What's that?
well, I do have this period where I have to travel about 30 minutes south and sit in a building doing this thing called work. It generally lasts about 9 hours, but I make sure that my phone gets lots of attention. That's why I bought a podium stand for it, so it can be in view/reach all day long.

Unfortunately, the signal strength here in the "basement" sucks big-time, so actually using the phone for anything requiring a data connection is almost out of the question.

Europa
11-18-2009, 08:53 PM
well, I do have this period where I have to travel about 30 minutes south and sit in a building doing this thing called work. It generally lasts about 9 hours, but I make sure that my phone gets lots of attention. That's why I bought a podium stand for it, so it can be in view/reach all day long.

Unfortunately, the signal strength here in the "basement" sucks big-time, so actually using the phone for anything requiring a data connection is almost out of the question.
No WiFi at work? My cell signal sucks at work as well, so I put my phone in airplane mode and use Ping and AIM with WiFi.

Napoleon_PhoneApart
11-18-2009, 09:02 PM
Is that why you threw it on the ground tonight in a spasm of rage? ;)

Europa
11-18-2009, 09:18 PM
LOL!

You're so understated, that's not what happened at all...
I didn't throw it on the ground, I threw it at the security guard that tried to taze me right before I dove into my ride. ;)

Napoleon_PhoneApart
11-18-2009, 10:29 PM
That's not what my private investigator told me.

kakofonix
11-18-2009, 10:44 PM
LOL! Sounds like a trailer for Kill Bill 3 or 4.

Europa
11-18-2009, 10:52 PM
Tell your guy to back off, he's following me way too close. Don't make me come to DC and kick your ass. ;)

Napoleon_PhoneApart
11-18-2009, 10:55 PM
Just you try it, missy.