
Level 1 Headline

A surprise awaits users of the Raspberry Pi who try to install Raspberry Pi OS Lite (release date: April 4th 2022, Debian version: 11 (bullseye)) for a headless setup. Until now, the process for running a headless system, meaning a system without monitor and keyboard, was widely known to the Raspberry Pi community; starting from the bullseye version of the OS, things have changed.

Just a note in the Release Notes indicates that the widely known pi user ceases to exist, in order to enhance the safety and security of the system.

Only after several hours of frustration with a newly burnt SD card with bullseye failing to allow remote login via ssh with the error Permission denied, I finally located this article, which explains the situation.

Although the article provides some steps to remedy the situation, it unfortunately does not consider at all the development environment of the community that works entirely “headless”, and it does not provide a simple and quick solution. I expressed my feelings in a comment on the page of the above article, but the purpose of this posting is entirely to provide such a simple solution.

Now that the pi user does not exist, we must inform the Raspberry Pi about the name of a user and the password of this user. Create a file called ‘userconf’ or ‘userconf.txt’ in the boot partition of the SD card with one single line (no linefeed at the end) with the following content and use ‘raspberry’ as password for your first login of user ‘newuser’.

 newuser:$6$DDAc06HDo9lQufr4$650WAMQfti/nChvgDJKVYdY2fb8gnH6XY50hIYoKKhdn14.RG9LkkDlWM0oNNnuJwaptzJsckYIqu.oi3J3ay/

You can replace the name of the user from newuser to whatever you like.

Now, remote login as usual:

$ ssh newuser@192.168.1.145
newuser@192.168.1.145's password: 

The password of the user is raspberry. Please remember to change it after your first login.

Does this posting create a security gap by publishing the hashed form of the raspberry text? No, because the hash creation command openssl passwd -6 uses a random salt if run without the `-salt` option, so there is an enormous number of hashed forms that will verify against the raspberry password. The text above is just one of those forms.

Please note that you may also still need to create the empty ssh file in partition /boot, as was done in previous OS versions. I have not tested what happens in a clean installation because I have made several attempts with the said ssh file, so I cannot really tell if remote login via ssh is already enabled in the Lite version. Since you will be messing with /boot, just create the empty ssh file and it may save you some time.
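The steps above with a password of your own choosing rather than the published line, as an added example that is not part of the original posting: the functions generate a userconf line with a fresh random salt, confirm it by re-hashing with the extracted salt, and write userconf.txt (no trailing linefeed) plus the empty ssh file. The function names and sample values are constructed, and an openssl that supports passwd -6 is assumed.

```shell
#!/bin/sh
# Added example: build userconf.txt with your own password instead of a published hash.
# Function names and the sample values at the bottom are constructed for illustration.

# Print "user:$6$salt$hash" (no trailing linefeed) for USER and PASSWORD.
make_userconf_line() {
    uc_user=$1 uc_pass=$2
    # Assumption: conservative Linux user names only; this also keeps ':' out of the line.
    case $uc_user in
        ''|[!a-z_]*|*[!a-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    [ -n "$uc_pass" ] || { echo "empty password" >&2; return 1; }
    # -stdin keeps the password off the openssl command line; the salt is random.
    uc_hash=$(printf '%s\n' "$uc_pass" | openssl passwd -6 -stdin) || return 1
    printf '%s:%s' "$uc_user" "$uc_hash"
}

# Succeed only if PASSWORD reproduces the hash in LINE when the same salt is reused.
verify_userconf_line() {
    vf_hash=${1#*:}                                    # drop "user:"
    vf_salt=$(printf '%s' "$vf_hash" | cut -d'$' -f3)  # fields: "", 6, salt, digest
    vf_again=$(printf '%s\n' "$2" | openssl passwd -6 -salt "$vf_salt" -stdin) || return 1
    [ "$vf_again" = "$vf_hash" ]
}

# Write userconf.txt and the empty ssh file into the mounted boot partition BOOTDIR.
write_headless_files() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    wf_line=$(make_userconf_line "$2" "$3") || return 1
    printf '%s' "$wf_line" > "$1/userconf.txt"
    : > "$1/ssh"
}

# Demo on a scratch directory standing in for the boot partition (constructed values).
demo_dir=$(mktemp -d)
write_headless_files "$demo_dir" newuser 'Constructed-Sample-Pass-1' &&
    verify_userconf_line "$(cat "$demo_dir/userconf.txt")" 'Constructed-Sample-Pass-1' &&
    echo "userconf.txt written and verified"
rm -rf "$demo_dir"
```

On a real card, pass the mount point of the boot partition as the first argument to write_headless_files.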

We could have millions of conversation lines arguing about the increased security achieved by removing the pi user. I will not do that at the present time, because I think that it is more essential to make this information public and save our colleagues time and frustration.

raspberrypi/rpi4_bullsey.1655642430.txt.gz · Last modified: 2022/06/19 15:40 by Ilias Iliopoulos