New users on LibreElec

  • Hi,

    I love the simplicity of LibreElec and thus prefer it over a Kodi installation on Debian or OSMC.

    There is just one thing that drove me crazy today and cost me basically the whole day without success:

    I would like to be able to login via SSH with a non-root User Account that receives certain data by a cron job in the user folder, but does not have access to anything else.

    Thus, I adapted the SYSTEM file based on HiassofT's hint here: How to change files on Read-only file system

    • Created /home/administrator and populated ~/.ssh based on my prior home server
    • Adapted /etc/passwd, /usr/cache/shadow and /storage/.cache/shadow

    But no luck. SSH replies

    sshd[1207]: error: Could not get shadow information for administrator

    and it is now not even possible to log in as root anymore (neither with the standard password nor with my custom one).

    Any idea how I could accomplish this or what I could be missing?

    Please find my log here: ix.io

    Many thanks

    DaC
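The "Could not get shadow information" error above is what sshd reports when the account exists in passwd but the shadow lookup for it fails. The following is an added example (not the poster's script, and not LibreELEC's own tooling) that checks a passwd/shadow pair for exactly that inconsistency and shows the locked-password entry that makes key-only login possible; the two sample files are constructed here, and the real file locations on LibreELEC are only the ones the post names.

```shell
# Constructed sample files standing in for /etc/passwd and the shadow file
# sshd actually reads (on LibreELEC that is whichever copy /etc/shadow
# resolves to, which this example does not try to guess).
PASSWD_SAMPLE=$(mktemp)
SHADOW_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/storage:/bin/sh
administrator:x:1000:1000::/home/administrator:/bin/sh
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
EOF

# Print every account named in passwd that has no line in the shadow file.
# A hit here is the condition behind sshd's "Could not get shadow
# information for <user>": getspnam() returns nothing for that user.
missing_shadow_entries() {
  passwd_file=$1
  shadow_file=$2
  awk -F: -v shadow="$shadow_file" '
    FILENAME == shadow { seen[$1] = 1; next }
    !($1 in seen)      { print $1 }
  ' "$shadow_file" "$passwd_file"
}

# Print shadow lines that do not have the nine colon-separated fields libc
# expects; a hand-edited file with a missing trailing ":::" fails lookups
# just as surely as a missing line does.
malformed_shadow_lines() {
  awk -F: 'NF != 9 { print FNR ": " $0 }' "$1"
}

# Append a locked-password entry ("!" in the hash field). The account then
# exists for sshd, but no password can ever match, so only key-based
# authentication can succeed for it.
add_locked_shadow_entry() {
  user=$1
  shadow_file=$2
  today=$(( $(date +%s) / 86400 ))
  printf '%s:!:%s:0:99999:7:::\n' "$user" "$today" >> "$shadow_file"
}
```

Run the two check functions against the real files after each edit; only when both print nothing is the account state consistent enough for sshd to look it up.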

  • LE is multi-user in the sense that there are some internal accounts/groups for OS services, but really everything intentionally runs as root and trying to change that based on an understanding of how a conventional distro works (hint: we are not a conventional distro) falls under the "pushing water uphill" category of efforts. I'd advise settling for root login with SSH key auth, which is as simple as pushing your private keys to the required places under /storage/.ssh/ and then enabling "disable password authentication" in LE settings.

  • Many thanks for the quick response.

    Highly appreciated.

    The fact that LE is not a conventional distro is exactly what I appreciate. Why? Because a stripped down system reduces the attack surface.

    Maybe a few words on my scenario:

    As a hobby I am running a homeserver based on a slightly hardened and stripped down RPiOS with several services (Bitwarden, Pi-hole, Let's Encrypt bot, etc.) all separated in individual docker containers. Unfortunately, there is no performant and up-to-date docker image for kodi without X. The only „service“ that actually runs natively is a cron job bash script that copies my Let's Encrypt certs into the user folder of an unprivileged user.

    I have two other appliances that log in via SCP/SSH to grab them and install them locally. Thus, if they were compromised they would not have root access to my homeserver (=> Zero Trust Principle). I would also like to avoid a situation where, if the homeserver is compromised, an attacker would have credentials to both of the other appliances. Thus, I am not pushing the files over there.

    Would it make sense to deep dive on this use case or would you rather recommend going for Kodi directly on RPiOS or OSMC (less stripped down and targeted but more flexible)? I thought this should not be as tricky but might have underestimated the amount of water to be pushed uphill?

    Thanks

    DaC

  • If you are concerned about security and you want to run kodi then it might be best to think about running it on a completely separate system.

    Why? There are numerous issues in media decoders and kodi bundles an outdated ffmpeg version which might have various security issues. In addition to that media decoders like h264 and hevc run in kernel space and are likely to contain security relevant bugs, too. In that case a container won't help you much if you find a way to trigger a kernel bug via some (streamed) media file.

    As RPiOS is a bit slow with kernel updates it's also not the best choice if you are concerned about kernel security problems - distros following the mainline kernel (e.g. Debian) will be a lot faster shipping security patches - but of course they won't contain the not-upstreamed media codecs so are not a good choice for Kodi on RPi.

    LibreELEC will be even worse as kernel updates are shipped as part of the system and can't be upgraded - and LE10 uses kernel 5.10 which is now on bare life support from RPi.

    And, there may be another practical argument for running RPi with kodi on a dedicated system: performance. RPi4 is pretty much at the limit with H264 1080p60 and HEVC 4kp50/60 decoding and output - containers running in the background might ruin your movie evening.

    so long,

    Hias

    Thanks for your reply. That is indeed a fair point. And I am aware that I am trading off here. My focus was so far the „basic homework“ of network (port), authentication and application security to the extent I can cover it as an administrator. It is hard for me to consider kernel security and complex attack vectors such as via codecs as well. The plan is still to consolidate the appliances as much as possible to make all of this „living room ready“ (I hate shelves stuffed with numerous hardware 😂). Will go for a proxmox virtualized setup with stronger hardware maybe at some point.

    Acknowledged your points, so I'll try and rather go for another platform than forcing another user into LE. Still open for ideas on the „how“ rather than the „if at all“… 😊

    Many thanks

    DaC