Chage is not working: openwrt 19.07

Hi,

I want to manage the password expiry for users in Openwrt. I installed 'chage' but even after expiry date of account, its doing nothing user is able to login and no message pop up ( like change the password or warning).
Does this not work in openwrt or there is way to have this feature.

Thanks in advance!!!

Did you check /etc/passwd or /etc/shadow after your modification? Chage is giving an exit value. Did you get any value? Did you check "chage -l username" after making your modifications?
It might be that there are things (scripts/programs/daemons) missing on OpenWrt for using this feature. An alternative would be "passwd -e username".

1 Like

Hi,

Thanks for Replying!!
Yes i checked "chage -l 'username'" values are changing but there is no effect of password expiry/account expiry.
passwd doesnt has '-e' switch.
by the way their is this login.defs . can this help in this..and how can i use it ( or enable it)

Well, here you can see that programs on OpenWrt are limited because things are stripped to minimum to save space on flash rom.

I don't know if it is working on OpenWrt. Just try it.
https://www.thegeekdiary.com/understanding-etclogin-defs-file/

I have "/etc/login.defs" file already in my openwrt. But i dont know how to enable it or do i need to start some daemon

I think you need additional software to get things working. OpenWrt does not even have the default usermanagement utilities like usermod, groupadd, sudo, etc. It is not designed as a multiuser system. Beside that I don't even understand why you want to have this on a router.

I would have done this with a cronjob running ever 90 days with "passwd -e username". But this command is not available. Maybe there is a full version of passwd or a less stripped busybox version available. But to use this you would have to make your own build.

Alternatively just install/use keyfiles. Then you can use keyfiles with password protection. You could then rotate the password for the keyfiles with a script on client machines putting the script into a cronjob running every 90 days.

1 Like

Hi Pwned,

Well, I understand that openwrt comes with limited feature to save storage. I have my own custom build openwrt.
I do have all - usermode,groupmod,sudo,su,useradd etc.
And the reason i wan user management because admin will not login always, a non privilege user with some sudo addon will access the router and admin (me) want to set.
I was wondering there would be something for password aging control and password quality check.

The only thing I would try is to activate PAM in Busybox settings as you are doing your own builds. It might be that pam module takes care about settings.

For security use keyfiles. That is state of the art if it comes to securing important devices. Nobody is using passwords for this nowdays.

Thanks Pwned!! :slight_smile:
Ok, Can you guide me to implement this keyfile based authentication. I think this will be better and as you said now a days this method is being used.
Please share some pointer to start or a manual if you have.

Thanks In adavance!!!

https://openwrt.org/docs/guide-user/security/dropbear.public-key.auth

2 Likes

Try to research the www about ssh in general to understand the key handling. Key management is not trivial if you have a bunch of users to manage. That said try to maintain a database with public keys connected to their servers. With a few scripts you could rotate/sync the keys and passwords accross clients and servers. There are commercial solutions like Ansible also. But that is targeting to bigger projects.