Set root password to failsafe mode in custom firmware image

Hi everyone,

I would like to know if it's possible to set a password to the root user in failsafe mode when generating customized firmware images, this way we can be sure nobody can easily take a device, put it in failsafe mode, log in as root via SSH, reconfigure the password, mount the root and inspect the contents of the firmware, which in the case of firmwares generated for OpenWISP contain a secret token that is used by openwisp-config to automatically register the device in a specific organization.

Thanks in advance.

You should be able to configure the /etc/ files needed and build them into an image with the path/to/openwrt/files/ mechanism. See https://openwrt.org/docs/guide-developer/build-system/use-buildsystem#custom_files

When you encrypt the password, remember that OpenWrt doesn't support current password-encryption schemes.

1 Like

So the location of the file to edit is /rom/etc/shadow, right?

If that's the case, it should just be a matter of applying the mechanism we already use to install a custom root password, so that the same file we prepare for /etc/shadow is generated for /rom/etc/shadow.

I'll try that and let you know :), thanks!

Question: do I have to prepare both /etc/shadow and /rom/etc/shadow or is having just the latter enough?

Argh. It turns out what we were already doing is enough. Placing a custom /etc/shadow in files/ is enough.

Thank you and sorry for all the noise.

1 Like

Edit: No noise! I wish more people were so careful with device security.


I believe that /etc/shadow should do it. It looks like /rom/etc/shadow is just a manifestation of the run-time mounts:

$ mount
/dev/root on /rom type squashfs (ro,relatime)
[...]
1 Like
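
A pre-build check for the files/ overlay discussed in this thread, as an added example that is not part of any post or of OpenWrt itself: it confirms that files/etc/shadow exists, that root has a password field set, and reports which crypt(3) scheme the hash uses so you can confirm the target image supports it. The function names and the default overlay path `files` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check an OpenWrt files/ overlay before building.
# Assumption: the overlay directory is ./files unless a path is passed.

# Print the password field of the root entry (empty output if unset).
root_field() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# Classify a shadow password field by its crypt(3) prefix.
classify() {
    case "$1" in
        "")        echo empty ;;
        '!'*|'*'*) echo locked ;;
        '$1$'*)    echo md5-crypt ;;
        '$5$'*)    echo sha256-crypt ;;
        '$6$'*)    echo sha512-crypt ;;
        '$y$'*)    echo yescrypt ;;
        '$2'*)     echo bcrypt ;;
        *)         echo unknown ;;
    esac
}

# Return 0 only if the overlay ships a root entry whose password field
# is set (or locked); 1 for an empty/unrecognised field; 2 if missing.
check_overlay() {
    shadow="${1:-files}/etc/shadow"
    [ -f "$shadow" ] || { echo "missing: $shadow" >&2; return 2; }
    grep -q '^root:' "$shadow" || { echo "no root entry in $shadow" >&2; return 2; }
    kind=$(classify "$(root_field "$shadow")")
    echo "root password field: $kind"
    case "$kind" in
        empty)   echo "root has no password in the image" >&2; return 1 ;;
        unknown) echo "unrecognised hash prefix, verify by hand" >&2; return 1 ;;
    esac
    return 0
}
```

Run `check_overlay path/to/openwrt/files` before the build and fail the build on a non-zero exit status.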