An update to Raspberry Pi OS Bullseye

One of the things which we spend a lot of time thinking about here at Raspberry Pi is security. Cyber-attacks and hacking are, sadly, constantly on the increase, and Raspberry Pi computers are as much a target as any other, just because there are so many of them out there nowadays!

Over the years, we have gradually ramped up the security of Raspberry Pi OS; not in response to particular threats, but more as a general precaution. There is always a balance to be struck, however, as security improvements usually carry a cost in terms of usability, and we have tried to keep the system as convenient to use as possible, while having an acceptable level of security.

Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place. But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.

So with this latest release, the default “pi” user is being removed, and instead you will create a user the first time you boot a newly-flashed Raspberry Pi OS image. This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point.

The new wizard

The Raspberry Pi setup wizard should be a familiar sight by now. It was introduced several years ago, and runs on the first boot, configuring international settings, connecting to wireless LAN and installing any software updates; it also prompts you to change the default password. But the wizard has always been optional – if you pressed “Cancel” on the first page, it just went away and you weren’t forced to use it.

From now on, working through the wizard is no longer optional, as this is how a user account is created; until you create a user account, you cannot log in to the desktop. So instead of running as an application in the desktop itself as before, the wizard now runs in a dedicated environment at first boot.

When you boot a new image, you will see the wizard environment. You cannot run any applications from here – the menu button and application launcher have been removed from the taskbar; all the taskbar now allows you to do is to adjust volume and pair Bluetooth devices.

The wizard itself is largely unchanged from before, with the key difference being that when you were previously prompted for a new password, you are now prompted for a user name and a password. (If you really want to, you can set these to “pi” and “raspberry” as before – you will get a warning message that doing so is unwise, but it is your choice – some software might require the “pi” user, so we aren’t being completely authoritarian about this. But we really would recommend choosing something else!)

The other settings which were available in the wizard are largely unchanged. The only other difference is that the page which allows you to apply compensation for monitors with overscan – a black border around the image – now has separate settings for both monitors if you have a second monitor connected, and changing the setting now takes effect immediately; previously the overscan setting only took effect on a reboot.

Once you get to the last page of the wizard and you press the “Restart” button, the system will reboot and the familiar Raspberry Pi Desktop will appear, logged in as the user you just created. And from here on, everything will work just as before.

If you are using the Raspberry Pi OS Lite image, which doesn’t have the wizard, you will still need to create a new user account. You will therefore be prompted to create an account by text prompts at the command line when you first boot a Lite image.

Headless setup

For people who run their Raspberry Pi headless and therefore cannot work through the wizard, the Raspberry Pi Imager tool allows you to preconfigure an image with a user account; when an image created like this is first booted, it will come straight up in the desktop, logged in as the user created in the Imager.

To preconfigure an image like this, when you have selected the source image and destination in Imager, click the “settings” button – the picture of a cogwheel – before clicking “Write”, and use the Advanced options menu to enter a username and password, along with any other preconfiguration you want.

There are also mechanisms to preconfigure an image without using Imager. To set up a user on first boot and bypass the wizard completely, create a file called userconf or userconf.txt in the boot partition of the SD card; this is the part of the SD card which can be seen when it is mounted in a Windows or macOS computer.

This file should contain a single line of text, consisting of username:encrypted-password – so your desired username, followed immediately by a colon, followed immediately by an encrypted representation of the password you want to use.

To generate the encrypted password, the easiest way is to use OpenSSL on a Raspberry Pi that is already running – open a terminal window and enter

echo 'mypassword' | openssl passwd -6 -stdin

This will produce what looks like a string of random characters, which is actually an encrypted version of the supplied password.
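
An added example, not part of the original post or of Raspberry Pi's own tooling: the functions below build the userconf line without putting the password on a command line, and check an existing file for the old default password by re-hashing "raspberry" with the file's own salt (the -6 option produces a salted SHA-512 crypt hash of the form $6$salt$digest). The function names, the username rule and the placeholder boot path are assumptions of this example, and it expects hashes in the form openssl emits, with no rounds= field.

```shell
#!/bin/sh
# Added example: function names and the username rule are this example's own.
LC_ALL=C; export LC_ALL   # make the [a-z] ranges below ASCII-only

# userconf_line USER: read one password line from stdin (never from argv, so
# it stays out of shell history) and print "USER:HASH" for userconf.txt.
userconf_line() {
    case $1 in
        ''|[!a-z_]*|*[!a-z0-9_-]*) echo "bad username: $1" >&2; return 1 ;;
    esac
    IFS= read -r pw || [ -n "$pw" ] || return 1
    hash=$(printf '%s\n' "$pw" | openssl passwd -6 -stdin) || return 1
    unset pw
    printf '%s:%s\n' "$1" "$hash"
}

# audit_userconf FILE: return 0 if FILE is one line of USER:$6$SALT$DIGEST,
# 1 if its hash is the old default password "raspberry", 2 if it is malformed.
audit_userconf() {
    [ "$(grep -c '' "$1")" -eq 1 ] || { echo "expected one line" >&2; return 2; }
    IFS=: read -r user hash < "$1" || :
    IFS='$' read -r junk id salt rest <<EOF
$hash
EOF
    [ -n "$user" ] && [ "$id" = 6 ] && [ -n "$salt" ] && [ -n "$rest" ] ||
        { echo "not username:\$6\$salt\$digest" >&2; return 2; }
    # Re-hash the old default with this file's salt; equal output means
    # the file sets that password.
    probe=$(printf 'raspberry\n' | openssl passwd -6 -salt "$salt" -stdin) || return 2
    if [ "$probe" = "$hash" ]; then
        echo "userconf sets the old default password for '$user'" >&2
        return 1
    fi
    return 0
}

# Usage (boot partition path is a placeholder):
#   stty -echo; userconf_line alice > /path/to/boot/userconf.txt; stty echo
#   audit_userconf /path/to/boot/userconf.txt
```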

Existing installations

Some people, having read the above, may now be wondering whether they can rename the “pi” user on their existing images. As part of this update, we have included a mechanism to do that.

After updating as described below, make sure you are logged in as the “pi” user, and then open a terminal window and type

sudo rename-user

After a brief pause, you will be prompted to reboot, and the Raspberry Pi will then reboot into a cut-down version of the first-boot wizard which only allows you to change the user name and password.

Once you have entered a new username and password, you will be prompted to restart, and your Raspberry Pi will reboot to the desktop, with your existing user (and your home directory) renamed, but no other changes.

One word of caution – most Raspberry Pi software (if it was written properly…) should handle having the home directory renamed and carry on working as before, but it is possible that some code may have been written with a hard-coded path to the /home/pi directory, and this will need to be modified in order to work correctly with the renamed user.

Also, please note that, due to the way the rename-user process involves temporarily creating and logging in as a different user, this process will not work over a VNC connection (which requires you to be logged in as a specific user); you will need to be a local user in order to rename the “pi” user.

The same rename-user command can also be used on a Lite image to rename the existing “pi” user; in this case it will run the same command-line prompts as are used to set up a user at first boot in the Lite image.

Bluetooth peripherals

While we were creating the new wizard, we decided to address a long-standing issue. If you want to use a Bluetooth keyboard or mouse with your Raspberry Pi, you have always needed to use a USB mouse and/or keyboard to initially pair the Bluetooth peripherals, which is a bit irritating.

That requirement has been removed in the new wizard. When it runs, the first page will prompt you to put any Bluetooth keyboard or mouse you wish to use into pairing mode, and then to wait. As long as you are on the first page of the wizard, the Raspberry Pi will now scan for pairable Bluetooth mice and keyboards, and will automatically pair the first of each which it finds. You will see messages pop up to indicate that a Bluetooth device has been found and is being paired – you may need to wait a few seconds after the final “connected” dialog appears for the newly-connected device to wake up and start being used by the system, but you can now set up a Raspberry Pi from scratch with just Bluetooth peripherals.

This works both with the built-in Bluetooth adapter on Raspberry Pi 3 and 4, and also with USB Bluetooth adapters on earlier models of Raspberry Pi – just make sure the USB adapter is inserted before the Raspberry Pi is booted.

One more thing…

Some of you may have heard of Wayland, a proposed replacement for the X Window System which has underpinned most Unix desktop environments for several decades now. Wayland has various advantages over X, notably security and performance, but it is still fairly new technology and hence still under development. A couple of Linux distros now run on top of Wayland, but it hasn’t yet been widely adopted – that said, it is looking as if Wayland is likely to be the future of desktop Linux.

When we released the Bullseye version of Raspberry Pi OS last year, we started using mutter as the default window manager instead of openbox, and one of the reasons for this was that mutter supports the Wayland protocols. In this release, we are making it possible to run the desktop on top of Wayland as an experimental configuration for people who are interested in trying it.

Before going any further, please note – we absolutely do not recommend most people run on top of Wayland yet! This is experimental code and there are many features which are not yet supported under Wayland. (To name a few – taking screenshots, the screen magnifier, any remote desktop application, the screen resolution setting tool; we hope to get some of these working in due course, but for now, they don’t.)

Also, this is not a pure Wayland implementation of the desktop. There are several features of X – notably communication between applications – which are not supported at all in Wayland, which is purely a graphics protocol. The desktop relies on some of these features of X, and so this version of the desktop is a sort of half-way house. The mutter window manager runs as a true Wayland application, but everything else runs under XWayland, which is basically an implementation of X which uses Wayland to draw the graphics. This means that some of the advantages of Wayland will not be available in this version of the desktop.

Nonetheless, after the use of mutter in the Bullseye release, this is another major step in the direction of Wayland, and people who are interested are welcome to try it. (But please don’t complain to us that some feature you depend on doesn’t work under Wayland – as above, we already know that a bunch of stuff doesn’t work, which is why we’ve warned you in advance!)

Switching to Wayland is easy. Launch the raspi-config application from a terminal window using

sudo raspi-config

and under the Advanced Options menu, just select the Wayland option – enable it, and reboot. You shouldn’t notice any obvious difference, but if you want to check if you are really running on Wayland, open a terminal and do

echo $XDG_SESSION_TYPE

Under X, this will return “x11”; under Wayland it will return “wayland”. If you want to go back to X, use the same option in raspi-config to disable Wayland. (Using Wayland shouldn’t change anything permanently on your system, but we do recommend taking a backup before you enable anything experimental like this, just in case.)

For now, Wayland is more something for the curious to play with than anything of interest to most users. But if you are curious, do have a play!

How do I get it?

The new image is available for download from the usual place: our Downloads page.

To update an existing image, use the usual terminal commands:

sudo apt update
sudo apt full-upgrade

The rename-user script will automatically be installed on a desktop image when you update, but it will need to be manually installed on a Lite image, using:

sudo apt install userconf-pi

If you want to install the experimental Wayland support, you will also need to do:

sudo apt install rpi-wayland