How to disable built in serial terminal on x86 to secure the router

Hello,
I just want to disable the terminal on my x86 OpenWrt router.
I have searched & tried different methods without success.
My Requirements

  1. How to enable ssh login prompt on x86 physical monitor.
  2. How to disable physical serial console completely on x86, no Kernel messages at all.

Here is the pic of my router; anyone who has physical access to this system can play with my router.
image

SSH is used for connections over networks, not the console.
Have you set a root password?

Disable and no messages are two different things though, which one is it?

1 Like

ssh is used for connections over networks, not the console.

I meant root login with password.

have you set a root password ?

Yes, but it asks for a password only if I access it from my local network over ssh. Not on the PC where OpenWrt is installed.

Don't have access to a 22.03 box at the moment, look in the /etc/inittab, check if there's a line similar to ttyMSM0::askfirst:/usr/libexec/login.sh, and comment it out.

1 Like

In the top (system) block of /etc/config/system, change ttylogin to 1 instead of 0. This will require a password on the serial port.

You can disable serial ports in the BIOS or unplug the hardware inside the case. GRUB may have a long delay if it remains configured to use serial but there are no ports on the bus.

Note that Linux was never intended to be very hard against someone who has physical access to the computer.

3 Likes

In the top (system) block of /etc/config/system, change ttylogin to 1 instead of 0. This will require a password on the serial port.

Didn't work.
However, I remember doing this by editing the grub config file years ago in OpenWrt version 18; I tried that too, but it is not working on 22.03.2.

::sysinit:/etc/init.d/rcS S boot
::shutdown:/etc/init.d/rcS K shutdown
ttyS0::askfirst:/usr/libexec/login.sh
hvc0::askfirst:/usr/libexec/login.sh
#tty1::askfirst:/usr/libexec/login.sh

This worked. Login is disabled now, but kernel messages are still printing.

Solved by removing the serial commands & adding quiet to the menuentry in /boot/grub/grub.cfg

menuentry "OpenWrt" {
        linux /boot/vmlinuz root=PARTUUID=e17df3c5-02 rootwait noinitrd quiet
}

that's why you got the other links ...

Thanks for your help. :blush:

@frollic, what's the difference/purpose of those two lines:

ttyS0::askfirst:/usr/libexec/login.sh
tty1::askfirst:/usr/libexec/login.sh

What's ttyS0?

If my memory doesn't fail me, tty1 is console, ttyS0 is 1st serial port.

2 Likes

option ttylogin '1' in /etc/config/system

2 Likes

Already tested How to disable built in serial terminal on x86 to secure the router - #6 by Shahid

1 Like

Yup it is working now, there was a typo in my config.

1 Like
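An added example, not written by any poster in this thread: a small shell audit of the three files edited above (/etc/inittab, /etc/config/system, /boot/grub/grub.cfg). The function names and the sample file contents are constructed for illustration; on a router, pass the real paths to the functions instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit the three files the thread edits.

# List ttys that still have an active (uncommented) askfirst/respawn line.
active_consoles() {
    awk -F: '!/^[ \t]*#/ && $1 != "" && ($3 == "askfirst" || $3 == "respawn") { print $1 }' "$1"
}

# Succeed only if the UCI system config sets ttylogin to 1.
ttylogin_enabled() {
    grep -Eq "^[[:space:]]*option[[:space:]]+ttylogin[[:space:]]+[\"']?1[\"']?[[:space:]]*\$" "$1"
}

# One line per active console: "<tty> password" or "<tty> open-shell".
audit_consoles() {
    if ttylogin_enabled "$2"; then state=password; else state=open-shell; fi
    for tty in $(active_consoles "$1"); do echo "$tty $state"; done
}

# Count grub.cfg lines that keep serial/kernel output alive: serial setup
# commands, linux lines naming console=, and linux lines without "quiet".
grub_findings() {
    awk '$1 == "serial" || ($1 ~ /^terminal_/ && / serial/) { n++; next }
         $1 == "linux" && (/ console=/ || !/ quiet( |$)/) { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample files (illustrative values, not copied from a real router).
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf '%s\n' '::sysinit:/etc/init.d/rcS S boot' 'ttyS0::askfirst:/usr/libexec/login.sh' \
    '#tty1::askfirst:/usr/libexec/login.sh' > "$d/inittab"
printf "config system\n\toption hostname 'OpenWrt'\n\toption ttylogin '0'\n" > "$d/system"
printf '%s\n' 'serial --unit=0 --speed=115200' 'terminal_input console serial' \
    'menuentry "OpenWrt" {' \
    '    linux /boot/vmlinuz root=PARTUUID=00000000-02 rootwait console=ttyS0,115200n8 noinitrd' \
    '}' > "$d/grub_before.cfg"
printf '%s\n' 'menuentry "OpenWrt" {' \
    '    linux /boot/vmlinuz root=PARTUUID=00000000-02 rootwait noinitrd quiet' \
    '}' > "$d/grub_after.cfg"

audit_consoles "$d/inittab" "$d/system"
echo "grub before: $(grub_findings "$d/grub_before.cfg") finding(s)"
echo "grub after:  $(grub_findings "$d/grub_after.cfg") finding(s)"
```

An "open-shell" result means the console line is active while ttylogin is not set to 1, which is the state the original poster started from.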
