nemesis
November 19, 2018, 3:11pm
1
Hi everyone,
I would like to know if it's possible to set a password to the root user in failsafe mode when generating customized firmware images, this way we can be sure nobody can easily take a device, put it in failsafe mode, log in as root via SSH, reconfigure the password, mount the root and inspect the contents of the firmware, which in the case of firmwares generated for OpenWISP contain a secret token that is used by openwisp-config to automatically register the device in a specific organization .
Thanks in advance.
jeff
November 19, 2018, 3:17pm
2
You should be able to configure the /etc/
files needed and build them into an image with the path/to/openwrt/files/
mechanism. See https://openwrt.org/docs/guide-developer/build-system/use-buildsystem#custom_files
When you encrypt the password, remember that OpenWrt doesn't support current password-encryption schemes
NB: Behavior may have changed since 2018 - Please read remainder of thread
While this has been suggested by some as in improvement in security, it appears to actually significantly reduce security as the salt and hash is not saved in its entirety in /etc/shadow.
Even with adding
CONFIG_BUSYBOX_CONFIG_SHA512SUM=y
CONFIG_BUSYBOX_CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="sha512"
the entire salt and hash is not saved in /etc/shadow
MD5:
$1$tQp3Abnw$xXJ0GXdIyirluUOHLku9/.
SHA256:
$53zwFqmYUjxY
SHA…
1 Like
nemesis
November 20, 2018, 9:24am
3
so the location of the file to edit is: /rom/etc/shadow
right?
If that's the case it should just a matter of applying the mechanism we already use to install a custom root password so that the same file we prepare for /etc/shadow
is generated for /rom/etc/shadow
.
I'll try that and let you know , thanks!
nemesis
November 20, 2018, 12:05pm
4
Question: do I have to prepare both /etc/shadow
and /rom/etc/shadow
or is having just the latter enough?
nemesis
November 20, 2018, 3:11pm
5
Argh. It turns out what we were already doing is enough. Placing a custom /etc/shadow
in files/
is enough.
Thank you and sorry for all the noise.
1 Like
jeff
November 20, 2018, 3:12pm
6
Edit: No noise! I wish more people were so careful with device security.
I believe that /etc/shadow
should do it. It looks like /rom/etc/shadow
is just a manifestation of the run-time mounts
$ mount
/dev/root on /rom type squashfs (ro,relatime)
[...]
1 Like