How to separate the root webpage login password and root CLI login password

Hi,

Currently I'm using the passwd command to change the root password, but it's reflected on both the CLI and the webpage. I want to set separate passwords for the CLI and the webpage, but both should still be the root login.

Can anyone suggest how we can achieve it?

Messing around with user privileges on a system intended for a single user only can be dangerous, because you might overlook things when editing files.

Despite that, you can restrict a new user/admin only at the OS level (e.g. with sudo, or by binding him to his own home directory if giving SSH access) and at the application level (e.g. Samba, SSH).

To manage the router through LuCI, the new user/admin would need the same rights as root has. That means another user/admin could try to exploit LuCI by executing shell commands or just by installing vulnerable applications. The easiest way would be editing rc.local through LuCI. So you would need to restrict LuCI as well, which is almost impossible because it is not made for multi-user environments. There are some threads about cutting out certain pages, but that could be reverted. So compiling your own firmware is mandatory if you want to cut out certain things from LuCI.

To answer your question:

Installing shadow-useradd and sudo should do the job: useradd to add and configure a new user, and sudo to restrict the user (via its config). Don't forget to configure SSH as well.

I'd suggest you use certificate-based authentication for SSH (CLI) only and disable password authentication for it. A serious attacker may add their certificate for SSH login via the WebUI, but that would prevent uneducated users from logging into SSH.

PS. If you want someone other than you to have access to a limited set of WebUI pages, maybe you'd want to investigate the various LuCI multi-user apps, which, while they exist, may not be compatible with the current JS-based code.

2 Likes
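The "disable password authentication for SSH" advice in the reply above, as a Dropbear configuration example added here (not part of the original post). On OpenWrt the SSH daemon is Dropbear, configured through /etc/config/dropbear, and it reads authorized public keys from /etc/dropbear/authorized_keys; what the reply calls certificate-based authentication is SSH public-key authentication in Dropbear terms. The weak (default) section is shown beside the hardened one; the comment lines are explanatory and are not valid UCI syntax.

```uci
# Weak: root can log in over SSH with the same password that passwd sets,
# so whoever has the CLI password also has it for the web UI and vice versa.
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'

# Hardened: password logins are refused for everyone, including root.
# Put the public key of each allowed client in /etc/dropbear/authorized_keys
# (one key per line) BEFORE committing this, then run
#   /etc/init.d/dropbear restart
# Keep the existing session open and test a fresh key-based login first,
# otherwise a mistake locks you out of the CLI.
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
```

With this in place the root password only matters for LuCI, and someone who learns the LuCI password cannot use it to SSH in; as the reply notes, they could still add their own key through the web UI, so this separates the two credentials rather than limiting what a web-UI user can do.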

I've talked a bit about this previously:

Open /etc/config/rpcd and look for this section:

config login
    option username 'root'
    option password '$p$root'
    list read '*'
    list write '*'

The $p$root password option means "use the root user's UNIX password", according to the ubus wiki page. Change this to something else and you change the LuCI password, while the CLI password (as set by passwd) remains unchanged.

To avoid storing the LuCI password in plaintext, call uhttpd -m <password> [1] over SSH, which produces output that starts with $1$, and use that as the password option.


  1. OpenWrt does not store shell history, so it's OK to enter the password as a command line argument in this case.

6 Likes
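The procedure in the reply above (replace $p$root in the rpcd login section with a $1$ hash so LuCI and the CLI get different passwords), as an added Python example that is not from the thread or from OpenWrt. A $1$ hash is md5crypt, the format crypt(3) produces for that prefix, so the hash can be generated on a workstation instead of typing the password into a command line on the router. The md5crypt implementation, the function names (md5crypt, new_salt, set_login_password, password_mode) and the RPCD_CONFIG sample, which is constructed from the section quoted in the reply, are all mine.

```python
"""Generate a $1$ (md5crypt) hash for the LuCI/rpcd login and splice it into
/etc/config/rpcd text. Added example; not OpenWrt code."""
import hashlib
import re
import secrets

# crypt(3) base64 alphabet used by md5crypt.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample: the rpcd section quoted in the thread, with the
# weak setting ($p$root = share root's UNIX password) still in place.
RPCD_CONFIG = """config login
\toption username 'root'
\toption password '$p$root'
\tlist read '*'
\tlist write '*'
"""


def _to64(value, n):
    """Emit n base64 chars from value, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password, salt):
    """FreeBSD/glibc md5crypt: the $1$ format that crypt(3) emits."""
    pw = password.encode()
    sl = salt.encode()[:8]                      # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:                        # mix in len(pw) bytes of alt
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:                                 # one byte per bit of len(pw)
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                       # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    enc += _to64(final[11], 2)
    return "$1$%s$%s" % (sl.decode(), enc)


def new_salt():
    """Random 8-character salt from the crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


_OPTION = re.compile(r"""^\s*option\s+(\w+)\s+(?:'([^']*)'|"([^"]*)"|(\S+))\s*$""")


def parse_option(line):
    """Return (name, value) for a UCI 'option' line, else None."""
    m = _OPTION.match(line)
    if not m:
        return None
    return m.group(1), next(v for v in m.groups()[1:] if v is not None)


def password_mode(value):
    """Classify an rpcd password option: shared UNIX password, hashed, or plaintext."""
    if value.startswith("$p$"):
        return "unix:" + value[3:]              # same secret as the CLI login
    if re.match(r"^\$[156]\$", value):
        return "hashed"
    return "plaintext"


def set_login_password(config_text, new_hash, username="root"):
    """Replace the password option of the 'login' section for username.

    Raises ValueError unless exactly one such option is found, so a typo in
    the username cannot silently leave $p$root in place."""
    lines = config_text.splitlines(keepends=True)
    starts = [i for i, l in enumerate(lines) if l.lstrip().startswith("config ")]
    changed = 0
    for s, e in zip(starts, starts[1:] + [len(lines)]):
        if lines[s].split()[1] != "login":
            continue
        if ("username", username) not in [parse_option(l) for l in lines[s + 1:e]]:
            continue
        for j in range(s + 1, e):
            opt = parse_option(lines[j])
            if opt and opt[0] == "password":
                indent = lines[j][:len(lines[j]) - len(lines[j].lstrip())]
                lines[j] = "%soption password '%s'\n" % (indent, new_hash)
                changed += 1
    if changed != 1:
        raise ValueError("expected one password option for %r, found %d" % (username, changed))
    return "".join(lines)


if __name__ == "__main__":
    import getpass
    secret = getpass.getpass("New LuCI password: ")
    print(set_login_password(RPCD_CONFIG, md5crypt(secret, new_salt())), end="")
```

Paste the printed section over the login section in /etc/config/rpcd (or set it with `uci set rpcd.@login[0].password='$1$...'` followed by `uci commit rpcd`) and restart rpcd with `/etc/init.d/rpcd restart`. Two caveats: md5crypt is MD5 with 1000 fixed rounds, so it hides the password from anyone glancing at the config or a backup but does little against offline guessing of a short password, so use a long passphrase; and the file is readable by root only, which on a single-user router is everyone who has the CLI password anyway.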

Thanks @elbertmai its working
