OpenWrt 24.10.x rpcd HTTP JSON-RPC session.login — non-root users always Permission Denied

I’m trying to use the OpenWrt RPC HTTP API (/ubus) on OpenWrt 24.10.4 to authenticate a non-root user, but session.login always fails.

Here are the facts:

• I created a normal user “ha” in /etc/passwd
• I set a SHA-512 password in /etc/shadow
• I added the user to the ubus group
• I created /etc/rpcd/acl.d/ha.json with read/write permissions:

{
    "ha": {
        "description": "Home Assistant integration",
        "read": {
            "iwinfo": ["assoclist"],
            "network.interface": ["dump"],
            "dhcp": ["ipv4leases"]
        },
        "write": {
            "session": ["login"]
        }
    }
}

• rpcd was restarted
• ubus call session login with root works fine
• ubus call session login with user “ha” always returns:

{"jsonrpc":"2.0","id":1,"result":[6]}

I’ve verified:
– /etc/passwd entry uses x (no hash)
– /etc/shadow contains SHA-512 hash for ha
– ha is in ubus group (and even in root group)
– uhttpd /ubus_prefix is correct
– uhttpd-mod-ubus, rpcd, rpcd-mod-iwinfo are installed

Yet session.login still fails (Permission denied).
Is this by design? Are non-root users supported for RPC login in 24.10.x?
If not, what’s the recommended secure pattern for services (e.g., Home Assistant) to authenticate and call JSON-RPC without using root credentials?

Thanks!

I'm a bit new here, hopefully this is on topic

but this one says it might be to do with an invalid auth token of some kind

or perhaps this may have some info as well:

Thanks for the link, but to my understanding this is about something different: the LuCI RPC subsystem, not the ubus RPC I'm looking for for the Home Assistant integration.

Anyway, I tried it, and the situation is the same: it works with root (not much expected), but does not with any other non-root account. Any idea what could be the problem?

You’ve not added the new user to /etc/config/rpcd.

To conclude and close this thread.

Potentially it is possible to create and use an RPC-only user (I would need another router to try), but I’ve finished with a configuration where I have a dedicated account created on the router, with no SSH or UI sign-in, RPC only (identification using username/password, later a token), with ‘/etc/config/rpcd’ and ‘/usr/share/rpcd/acl.d/AccountName.json’ to limit it to read-only access (from Home Assistant I’m checking whether any clients are connected to the Wi-Fi).

Thanks for your feedback and ideas.
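
The setup the thread arrives at (a `config login` stanza in `/etc/config/rpcd` plus an ACL file under `/usr/share/rpcd/acl.d/`), written out as an added example that is not code from any poster or from the OpenWrt project. The function names and the `ROOT` prefix are hypothetical, the `ubus` nesting in the ACL is assumed from the layout of rpcd's stock ACL files, and the account is assumed to already exist in `/etc/passwd` and `/etc/shadow`.

```shell
# Added example, not from the thread. ROOT is a hypothetical path prefix so the
# functions can be tried in a scratch directory; pass "" on the router itself.

# Append a login stanza for USER and write a read-only ACL group named after it.
# '$p$USER' tells rpcd to verify the password against USER's /etc/shadow entry.
rpcd_user_add() {
    root=$1 user=$2
    mkdir -p "$root/etc/config" "$root/usr/share/rpcd/acl.d"
    cat >>"$root/etc/config/rpcd" <<EOF

config login
    option username '$user'
    option password '\$p\$$user'
    list read '$user'
EOF
    cat >"$root/usr/share/rpcd/acl.d/$user.json" <<EOF
{
    "$user": {
        "description": "Home Assistant integration (read-only)",
        "read": { "ubus": { "iwinfo": [ "assoclist" ] } }
    }
}
EOF
}

# 0 = USER has a "config login" stanza and every ACL group it lists is defined;
# 1 = no stanza for USER in etc/config/rpcd; 2 = a listed group has no
# definition under acl.d. Wildcard entries are skipped; the group lookup is a
# textual match on the JSON key, not a full parse.
rpcd_user_check() {
    root=$1 user=$2
    groups=$(awk -v u="$user" -v q="[\"']" '
        function emit() { if (login && name == u) { found = 1; printf "%s", acl }
                          name = acl = "" }
        { gsub(q, "") }                               # strip UCI quoting
        $1 == "config" { emit(); login = ($2 == "login") }
        $1 == "option" && $2 == "username" { name = $3 }
        $1 == "list" && ($2 == "read" || $2 == "write") && $3 !~ /[*?]/ { acl = acl $3 "\n" }
        END { emit(); exit !found }' "$root/etc/config/rpcd" 2>/dev/null) || return 1
    for g in $groups; do
        grep -qs "^[[:space:]]*\"$g\"[[:space:]]*:" "$root"/usr/share/rpcd/acl.d/*.json || return 2
    done
    return 0
}
```

On the router, `rpcd_user_add "" ha` followed by `/etc/init.d/rpcd restart` applies the change; `rpcd_user_check "" ha` returning 1 corresponds to the missing `/etc/config/rpcd` entry pointed out in the reply above.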