Hi all,
I do not allow WAN access to LUCI.
I only ssh into the command line locally (via root).
Should I care about logging into LUCI with root/password? (should I be logging into LUCI with another username and disable ssh root login?)
Yes.
Assuming you're not running a memory-crippled device, run HTTP-S to at least protect the password.
I don't think you can do much more than that (other than removing LuCI) as I believe LuCI needs root privilege to do just about anything.
A non-privileged user and sudo is one way to disable root logins to ssh.
Provided you've disabled SSH password authentication, which should always be disabled, there's zero risk to allowing SSH access from WAN.
Accessing LuCI over plain HTTP will send the root password as plaintext, and while the luci-ssl packages will generate a self-signed cert, this is the laziest and most insecure way of securing HTTPS, as it opens up the possibility of a MITM attack.
There's only a handful of use cases for non-root users to be able to SSH in to OpenWrt, as OpenWrt is a single user OS [i.e. root owns and runs almost everything], and due to this, 95% of commands require root privileges
init=/bin/bash, or booting into single user mode, on a desktop OS
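A small audit of an OpenWrt /etc/config/dropbear section for the settings the reply above recommends (key-only SSH logins), as an added example that is not from the thread. The UCI option names PasswordAuth, RootPasswordAuth and Interface are dropbear's real options; the two config texts are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: check a dropbear UCI config for the
# password-login settings discussed above. Both config texts are constructed.
# Before turning PasswordAuth off on a real router, put your public key in
# /etc/dropbear/authorized_keys and confirm a key login works, or you lock
# yourself out of SSH.

WEAK_CFG="config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'"

HARDENED_CFG="config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
	option Interface 'lan'"

# Print the value of one UCI option from config text on stdin, quotes stripped.
uci_opt() {
    awk -v name="$1" '$1 == "option" && $2 == name { gsub(/\047/, "", $3); print $3; exit }'
}

# Return 0 when password logins are off; otherwise print each finding and
# return 1. A missing Interface is only noted: with password auth off, the
# reply above considers WAN-reachable SSH acceptable.
audit_dropbear() {
    cfg=$1
    rc=0
    pw=$(printf '%s\n' "$cfg" | uci_opt PasswordAuth)
    rootpw=$(printf '%s\n' "$cfg" | uci_opt RootPasswordAuth)
    iface=$(printf '%s\n' "$cfg" | uci_opt Interface)
    # dropbear treats both options as 'on' when they are absent.
    [ "${pw:-on}" = "off" ] || { echo "FINDING: PasswordAuth is not off"; rc=1; }
    [ "${rootpw:-on}" = "off" ] || { echo "FINDING: RootPasswordAuth is not off"; rc=1; }
    [ -n "$iface" ] || echo "NOTE: no Interface set, dropbear listens on every interface"
    return $rc
}

# On a router this would be: audit_dropbear "$(cat /etc/config/dropbear)"
audit_dropbear "$WEAK_CFG"
audit_dropbear "$HARDENED_CFG" && echo "hardened config: OK"
```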