I am looking for a simple, small httpd solution on OpenWRT which is easy to set up with OpenWRT configs or LuCI, and which allows code execution via script. I was thinking of using PHP, but that would be overkill. What would be a better solution for this, so I can send commands like:
and then have a small script which can execute a script on the server.
Can I maybe do this already with the local httpd service of OpenWRT without installing anything new? How would this work without PHP, or what would be the best solution for this that uses as little space and RAM as possible, with the smallest number of packages to install?
The default http server (uhttpd) supports this. You can either place your scripts in /www/cgi-bin/ to execute them as CGI scripts or map specific locations or extensions to custom scripts, see the annotated config here:
Depending on the complexity of your requirements you can implement your cgi script in plain shell, utilizing a tool like haserl or install php-cgi and run traditional php code.
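A sketch of the plain-shell CGI variant mentioned above, added here as an example and not taken from the thread or from OpenWrt. The script name /www/cgi-bin/run, the action names and the script paths are assumptions. The request only picks an entry from a fixed allowlist, so nothing sent by the client is ever executed.

```shell
#!/bin/sh
# Hypothetical /www/cgi-bin/run, called as /cgi-bin/run?action=<name>.
# The request only selects an entry from a fixed allowlist; no request data
# is ever evaluated by the shell or used as a path.

# Print the value of the "action" parameter from a raw query string.
get_action() {
    old_ifs=$IFS; IFS='&'; set -f          # split on '&', no globbing
    for pair in $1; do
        case "$pair" in
            action=*)
                IFS=$old_ifs; set +f
                printf '%s' "${pair#action=}"
                return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Map an action name to the one script it may start (constructed paths).
resolve_action() {
    case "$1" in
        backup) echo /usr/local/bin/backup.sh ;;
        led_on) echo /usr/local/bin/led_on.sh ;;
        *)      return 1 ;;                # anything else is refused
    esac
}

# Emit a minimal CGI response: Status header, blank line, body.
reply() {
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1" "$2"
}

handle_request() {
    action=$(get_action "$1") || action=
    if script=$(resolve_action "$action"); then
        if "$script" </dev/null >/dev/null 2>&1; then
            reply "200 OK" "$action done"
        else
            reply "500 Internal Server Error" "$action failed"
        fi
    else
        reply "403 Forbidden" "unknown action"
    fi
}

# CGI servers set GATEWAY_INTERFACE; only then act on the request.
[ -z "${GATEWAY_INTERFACE:-}" ] || handle_request "${QUERY_STRING:-}"
```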
I think @mfka8 means that all non-local HTTP requests will be tunneled through a Wireguard VPN connection, so the plaintext passwords in the curl commands are safe.
Still, I agree using SSH here is more secure and easier because you can set up public key authentication. And invoking a script on the device itself is as easy as:
And how would I enter the password and fingerprint automatically? I can't find an option which allows me to do ssh root:password@ip "script". Also, the entire process takes way longer, it seems. Obviously it needs to be automated in a bash script, also with no output.
This suggests you need a 3rd-party tool for that called sshpass, which seems not to be available for OpenWRT:
On the client machine (presumably using OpenSSH), generate SSH keys.
ssh-keygen -t ed25519
This generates a public/secret key pair. Copy the public key to the OpenWrt device. NEVER SHARE THE SECRET KEY!
ssh-copy-id root@<OpenWrt host>
Enter your password when prompted. After this, subsequent ssh connections from the client machine should work "automatically" without needing to enter a password every time.
This is because SSH does a full cryptographic handshake every time you connect. If you need to do a bunch of commands in sequence and the client is using OpenSSH, you can use SSH multiplexing. You can either configure this in the .ssh/config file or do this manually:
Set up the control master SSH connection.
ssh -f -N -M -S <path-to-socket> root@OpenWrt
Subsequent connections can be made through this connection, which will start much faster.
The <path-to-socket> argument can be any location in the file system. This "file" is not actually a file on disk, but a Unix domain socket. This is usually something like ~/.ssh/mux-%r@%h:%p to ensure multiple control master connections are kept separate.
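The control master procedure described above, wrapped for use in a script. This is an added example, not the poster's own commands beyond the one shown. The function names are hypothetical, the host and socket path follow the post, and the `-S`, `-M`, `-O check`, `-O exit` and `BatchMode` options are standard OpenSSH client options.

```shell
#!/bin/sh
# Run several commands on an OpenWrt host over one multiplexed connection.
# Helper names are hypothetical; the ssh options are OpenSSH client options.

MUX_HOST=${MUX_HOST:-root@OpenWrt}             # host as written in the post
MUX_SOCK=${MUX_SOCK:-$HOME/.ssh/mux-%r@%h:%p}  # ssh expands %r, %h and %p

# Authenticate once (key or password), then keep the master in the background.
mux_open() {
    ssh -f -N -M -S "$MUX_SOCK" "$MUX_HOST"
}

# Exit status 0 if a master is already listening on the socket.
mux_is_up() {
    ssh -S "$MUX_SOCK" -O check "$MUX_HOST" 2>/dev/null
}

# Reuse the master. BatchMode makes ssh fail instead of prompting if the
# socket is gone and it falls back to a fresh connection.
mux_run() {
    ssh -S "$MUX_SOCK" -o BatchMode=yes "$MUX_HOST" "$@"
}

# Ask the master to exit, which also removes the socket.
mux_close() {
    ssh -S "$MUX_SOCK" -O exit "$MUX_HOST" 2>/dev/null
}

# Run each argument as one remote command, silently; stop at the first
# failure and return its exit status. The master is always closed afterwards.
mux_batch() {
    mux_is_up || mux_open || return 1
    rc=0
    for remote_cmd in "$@"; do
        mux_run "$remote_cmd" </dev/null >/dev/null 2>&1 || { rc=$?; break; }
    done
    mux_close
    return "$rc"
}

# Usage (constructed remote commands):
#   mux_batch "/etc/init.d/network reload" "logger done"
```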
That is not what I asked. I asked how to use password with ssh command on OpenWRT like you suggested as "easy" solution. Obviously it is not. And your "easy" solution is way more annoying to use. So it is not really an option and rpc and curl is what I will use.
Sure, if you don't include the whole Wireguard tunnel and IP addressing setup necessary to ensure your curl requests aren't sent in plaintext. If you are prepared to set up Wireguard keys, you can set up SSH keys. The developer that made Wireguard even said as much in the whitepaper:
For key distribution, WireGuard draws inspiration from OpenSSH, for which common uses include a very simple approach toward key management.
And my answer had two components to it: the "public key" setup and the "control master" setup. They are orthogonal components, they can be used independently from each other.
If you insist on using passwords, you can still use the "control master" setup. In step 1, you will be asked for the password. But steps 2 and 3 will use that same control master connection and will not ask for the password again.
That's fine, I answered simply to present some alternative solutions for your consideration. Fortunately for you, OpenWrt's built-in HTTP server should serve your needs, as pointed out earlier.
Because people can administer OpenWrt devices with non-OpenWrt machines? Are LuCI questions off-topic because my PC isn't running OpenWrt when accessing LuCI through a web browser? What kind of question is this?
Yes it does, I'm using ed25519 right now with all my OpenWrt devices. It has been supported since at least version 22.03.
It's not needed per se, but provides an additional layer of security. Also SSH can work without Wireguard by itself. This is not a dig at Wireguard (I use it all the time myself!), but I present SSH as a solution because it's the de facto administration interface for headless devices like those running OpenWrt.
So can SSH keys through LuCI→System→Administration→SSH-Keys tab.
Look, since you've already decided to use curl/rpc, I won't comment any further on the SSH solution. Since you're using Wireguard with it, I can't complain.
I'm not going to waste my time writing a tutorial for someone who is already committed to not using SSH. Especially not for a Dropbear version that old. Thank you for taking the time to respond promptly and for your consideration.
xg-135r3 in ~ # opkg info sshpass
Package: sshpass
Version: 1.09-1
Depends: libc
Status: unknown ok not-installed
Section: utils
Architecture: x86_64
Size: 5582
Filename: sshpass_1.09-1_x86_64.ipk
Description: Sshpass is a tool for non-interactively performing password authentication
with SSH's so-called "interactive keyboard password authentication". Most user
should use SSH's more secure public-key authentication instead.