Set password SSH

Hey guys,

I am trying to put together a firmware, and i would like to change the default ssh password to something else then blank.. Whats the best way to do this ..?

Thanks in advance :wink:

Deploy your SSH key, disable password authentication.

If you need them available at first boot, under failsafe, or after reset to default, create the appropriate password and, if needed, group files and build them into the ROM with either the image builder or build system. Be careful as the password hashes under OpenWrt are limited.

1 Like

I would like them available at first boot etc, because i am making a default image to deploy to multiple units. What files do i need to add to my rom to set the password ..?

Password hashes are stored in /etc/shadow. You could copy root's line from a running openwrt device.

1 Like

info for that, dropbear ssh keys would be different

One thing to be careful with is dates, especially if you rely on OpenSSH. The default “0” password-change time of the “stock” files installed on the ROM is not acceptable to OpenSSH. When the system boots in failsafe, its time is based on the build time of the image. I don’t know how OpenSSH would treat a password-change date in the future. As long as the clocks of your OpenWrt that you used to change the password and that of your build box are “sane”, then it shouldn’t be an issue. (The build happens after the time that OpenWrt thinks you changed the password.)

one option for many devices is a phone home init script

failsafe embedding would require work as would safety checks ... tftp and local hash check would satisy me.

this would allow for "on the fly" changes without the need to rebuild

While possible, this approach requires quite some attention when upgrading the base firmware, as newly introduced systems users might result in passwd and shadow losing sync over time.

Right, setting the root hash in a uci-defaults script is probably better.

Right, setting the root hash in a uci-defaults script is probably better.

I am not very familiar with UCI yet, i am looking into this. What would be the correct way to set the root hash using uci-defaults script .

passwd "${USER_NAME}" << EOI

Scripts in /etc/uci-defaults/are just (shell) scripts that get run at startup until the succeed and are then deleted. Remember that nothing is ever deleted from a ROM, so this approach would leave the password readable, in plain text, under /rom/.

1 Like

What are the security implications here though? You need to know the password to access /rom anyway. Physically opening the router and reading the spi flash directly maybe?