LUCI/ssh login best practice

Hi all,
I do not allow WAN access to LUCI.
I only ssh into the command line locally (via root).

Should I care about logging into LUCI with root/password? (should I be logging into LUCI with another username and disable ssh root login?)

Yes.

Assuming you're not running a memory-crippled device, run HTTPS to at least protect the password.

I don't think you can do much more than that (other than removing LuCI) as I believe LuCI needs root privilege to do just about anything.

A non-privileged user and sudo is one way to disable root logins to ssh.

Provided you've disabled SSH password authentication, which should always be disabled, there's zero risk to allowing SSH access from WAN.

  • You will want to set up a port redirect from some arbitrary high port to LAN 22 if you're utilizing the default port 22. This will prevent the system and kernel logs from being flooded with access attempts to WAN port 22.

  • Provided your router has >8MB of ROM, ditch dropbear for OpenSSH [wiki], as OpenSSH allows greater control over security.


Accessing LuCI over plain HTTP will send the root password in plaintext, and while the luci-ssl packages will generate a self-signed cert, this is the laziest and most insecure way of securing HTTPS, as it opens up the possibility of a MITM attack.

  • While a MITM attack is unlikely on a LAN, the potential exists and will always remain... considering it's quite easy to generate a self-signed CA and use that self-signed CA to sign the SSL cert, there's no reason why this should not be the norm. Either way, you can utilize the OpenSSL Certificates wiki to generate the self-signed CA and signed SSL cert.


There's only a handful of use cases for non-root users to be able to SSH into OpenWrt, as OpenWrt is a single-user OS [i.e. root owns and runs almost everything], and due to this, 95% of commands require root privileges.

  • It's analogous to doing a kernel boot with init=/bin/bash, or booting into single user mode, on a desktop OS
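The point above about disabling SSH password authentication is easy to get wrong when editing sshd_config by hand, so here is an added audit script (my own example, not code from this thread or from OpenWrt) that reads the effective settings the way OpenSSH does and flags any that still allow password logins. It assumes the router has been switched from dropbear to OpenSSH as the answer suggests; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed samples (not files from any real router): settings that leave
# password logins enabled, beside the hardened ones the answer above asks for.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later to "fix" it, but sshd keeps the first match above
PasswordAuthentication no'
HARDENED_CONFIG='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'
write_sample() {   # write_sample weak|hardened <path>
    if [ "$1" = weak ]; then printf '%s\n' "$WEAK_CONFIG" > "$2"
    else printf '%s\n' "$HARDENED_CONFIG" > "$2"; fi
}
# Effective value of a keyword: sshd honours the FIRST occurrence, skips
# comment lines and matches keyword names case-insensitively.
sshd_option() {    # sshd_option <file> <keyword>
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
# audit_sshd_config <file>: returns 0 when password and keyboard-interactive
# logins are off and root cannot log in with a password; otherwise prints each
# failing item and returns 1. Unset keywords take the OpenSSH defaults.
audit_sshd_config() {
    rc=0
    pw=$(sshd_option "$1" PasswordAuthentication)
    [ "${pw:-yes}" = no ] || { echo "FAIL: PasswordAuthentication=${pw:-yes}"; rc=1; }
    kbd=$(sshd_option "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_option "$1" ChallengeResponseAuthentication)  # pre-8.7 name
    [ "${kbd:-yes}" = no ] || { echo "FAIL: KbdInteractiveAuthentication=${kbd:-yes}"; rc=1; }
    root=$(sshd_option "$1" PermitRootLogin)
    case "${root:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin=$root"; rc=1 ;;
    esac
    return $rc
}
dir=$(mktemp -d)
for name in weak hardened; do
    write_sample "$name" "$dir/$name.conf"
    audit_sshd_config "$dir/$name.conf" && echo "$name.conf: OK"
done
rm -rf "$dir"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions; the weak sample shows why appending `PasswordAuthentication no` below an existing `yes` line changes nothing.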