Set password in new/custom or imagebuild firmware?

Is it possible to set a default password in a custom or imagebuilder firmware?

I always add some packages and a minimum of config files to an image build, with the intention that if someone hits the reset button it goes back to my own factory settings. But now it's without a password.

Try putting the /etc/shadow file with the password set into the image build. I think that it should work.

But I think that it is safer to use a script like this:

/usr/bin/passwd root <<EOP
123456
123456
EOP

And you can put it on your image like this:

mkdir -p ./files/etc/uci-defaults/
cat <<'__EOF__' > ./files/etc/uci-defaults/99_default-password.sh
#!/bin/sh

# Skip if this script has already run (the init marker is already set)
[ -n "$(uci -q get system.@system[0].init)" ] && exit 0
[ -e /etc/init ] && exit 0
touch /etc/init
uci batch <<EOC
    set system.@system[0].init='initiated'
    commit
EOC

/usr/bin/passwd root <<EOP
123456
123456
EOP
exit 0 # IMPORTANT: if we don't put this, it will be executed endlessly
__EOF__

You can find my sample for setting the default password from the label for TP-Link routers here; it uses the same method: How to read TP-Link factory wireless pin from flash - art - #6 by braian87b

It is better if you add your SSH public key to the image and also have a second way to access it.
You can have two different dropbear configurations (a default one that only allows you to log in with your SSH key, and another on a different port for emergencies if you lose your SSH key).
If someone resets it again, you can log in using your SSH key and remove the emergency dropbear entry, or set another random password; or, if you cannot access it, you can instruct someone to reset it and you can log in from the LAN with the default password. You may want to allow 2222 from WAN on the firewall to access it remotely, but it is better to have a VPN or remote access to the LAN. Overall, 22 will only be secure against brute-force password attacks, but not so much against new 0-day exploits on dropbear.

cat<<'EOF' > /etc/config/dropbear
# public-key only (no password allowed) access
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'

# Normal dropbear/ssh access (for local LAN)
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '2222'

EOF
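
The key-based setup recommended in the answer above, as an added example that is not part of the original posts: it stages a public key and the answer's two dropbear instances into the imagebuilder `./files` overlay, then checks that port 22 is key-only. The function names and the overlay argument are assumptions; `/etc/dropbear/authorized_keys` is where OpenWrt's dropbear reads root's keys.

```shell
#!/bin/sh
# Added example; stage_ssh_access / check_ssh_access are hypothetical names.
# Copy a public key and the two-instance dropbear config into <overlay>.
stage_ssh_access() {
    overlay=$1 pubkey=$2 keytype=
    read -r keytype rest < "$pubkey" || true
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*) ;;   # public key types only
        *) echo "not an SSH public key: $pubkey" >&2; return 1 ;;
    esac
    mkdir -p "$overlay/etc/dropbear" "$overlay/etc/config"
    cp "$pubkey" "$overlay/etc/dropbear/authorized_keys"
    # dropbear rejects keys whose file or directory is group/world-writable
    chmod 700 "$overlay/etc/dropbear"
    chmod 600 "$overlay/etc/dropbear/authorized_keys"
    cat <<'EOF' > "$overlay/etc/config/dropbear"
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '2222'
EOF
}

# Fail if the key is missing or writable by others, or if port 22 accepts passwords.
check_ssh_access() {
    keys=$1/etc/dropbear/authorized_keys
    [ -s "$keys" ] || { echo "no authorized_keys staged" >&2; return 1; }
    [ -z "$(find "$keys" \( -perm -020 -o -perm -002 \))" ] ||
        { echo "authorized_keys is group/world-writable" >&2; return 1; }
    awk -v q="'" '
        function check() { if (n && p == "22" && (pa != "off" || ra != "off")) bad = 1 }
        $1 == "config" { check(); n++; p = "22"; pa = ra = "on" }  # OpenWrt defaults
        $1 == "option" {
            v = $3; gsub(q, "", v)
            if ($2 == "Port") p = v
            if ($2 == "PasswordAuth") pa = v
            if ($2 == "RootPasswordAuth") ra = v
        }
        END { check(); exit bad + 0 }
    ' "$1/etc/config/dropbear" ||
        { echo "dropbear config missing or port 22 allows passwords" >&2; return 1; }
}
```

Run `stage_ssh_access ./files ~/.ssh/id_ed25519.pub` before building, and `check_ssh_access ./files` as a build gate so an image with password login on port 22 is never produced.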

that did the trick, thanks for your help.
