Headless setup in Raspberry Pi OS Lite bullseye fails: Permission denied

A surprise is expecting users of the Raspberry Pi who will try to install Raspberry Pi OS Lite of Release date: April 4th 2022, Debian version: 11 (bullseye) for a Headless setup, such as those of us who are working in the IoT control and automation universe. Although until now, the process for running a headless system, which means a system without monitor and keyboard was widely known to the raspberry Pi community, starting from the bullseye version of the OS, things have changed.

Just a note in the Release Notes indicates that Default “pi” user has been removed . The intention has to do with enhancing the safety and security of the system, since the name of the pi user will no longer be taken for granted.

Only after several hours of frustration with a newly burnt SD card with bullseye failing to allow remote login via ssh with error Permission denied , I finally located this article which explains the situation.

Although the article provides some steps to remedy the situation, unfortunately does not consider at all the development environment of the community who works entirely “headless” and it does not provide a simple and quick solution. I expressed my feelings commenting on the page of the above article, but the purpose of this posting is entirely to provide such a simple solution without going through such complaints and arguments.

Now that the pi user does not exist, we must inform the Raspberry Pi about the name of a user and the password of this user. Create a file called userconf or userconf.txt in the /boot partition of the SD card with one single line (no linefeed at the end) with the following content.

 newuser:$6$DDAc06HDo9lQufr4$650WAMQfti/nChvgDJKVYdY2fb8gnH6XY50hIYoKKhdn14.RG9LkkDlWM0oNNnuJwaptzJsckYIqu.oi3J3ay/

You can replace the name of the user from newuser to whatever you like. The : is the separator of the user name and the password.

Now, remote login as usual:

$ ssh newuser@192.168.1.145
newuser@192.168.1.145's password: 

The password is raspberry and the long string above is the sha512 hashed form. Please remember to change the password after your first login.

Does this posting create a security gap by publishing the encrypted form of the raspberry text? No, because the hash creation algorithm openssl passwd -6 is using a random seed, if run without the `-seed` option, therefore there is an enormous amount of hashed encoded forms that will respond positively to the raspberry password. The text above is just one of those encoded forms.

Please note that you may also still need to create the empty ssh file in partition /boot, as was done in previous OS versions. I have not tested what happens in a clean installation because I have made several attempts with the said ssh file, so I cannot really tell if remote login via ssh is already enabled in the Lite version. Since you will be messing with /boot, just create the empty ssh file and it may save you some time.

We could have millions of conversation lines arguing about the increased security achieved by removing the pi user. I will not do that at the present time, because I think that it is more essential to make this information public and save our colleagues time and frustration. But, it is obvious that the Raspberry Pi development team did a very poor job in properly providing the information of such a change.