Unable to logon via Luci, able via ssh

Background: I had an issue that Luci wasn't working anymore. It seemed that /etc/config/uhttpd was empty. Cause: unknown. I copied the default content into the file and saved it.

Luci is now working again but I am not able to login via Luci. I am able to logon via ssh.
Does anyone have an idea what the issue is?

What does "I am not able to login" exactly mean? Can you reach the login page? Does it reject the password?

I do get the “authorization required” login screen, but when I try to login I get “Invalid username and/or password! Please try again.”. I am using 18.06.01 r7258. Via ssh I can log on with exactly the same password.

Reset root password to current password.
Issue: passwd and type your current password twice; Once done, issue /etc/init.d/uhttpd restart

  • I'm not sure what causes this behavior, just that I had it happen to me a few weeks ago and the above fixed the issue.

  • If the above does not work, ensure the permissions of /etc/shadow are 644 and owned by root

EDIT

After some testing [18.06.1 4.14.79_2018.11.08 | r7373-2e54de4e54], it appears the culprit is likely a corrupted /etc/shadow file

  • Did you by chance manually edit the shadow file?

Either way, I'd recommend copying the default shadow file from ROM:
rm /etc/shadow && cp /overlay/upper/etc/shadow /etc && passwd

1 Like

Thanks, but I got an error message, something that it couldn't find it. I can't state it here exactly as I now can't access the router via ssh anymore.

Edit: In Luci I get a warning that I have to set a password but I can't logon without a password. And my original password isn't accepted either.

You got an error message on the copy command? My understanding was /etc/shadow was a default file included on the ROM image.

  • I'm assuming you didn't configure SSH to utilize PKI keys, and instead only the root password?
    • Just a general FYI, root should never be allowed to login via SSH with a password, and the very first step once logged in via SSH should be to generate an SSH key and copy over its public key output to /etc/dropbear/authorized_keys [DropBear] or ~/.ssh/authorized_keys [OpenSSH].

This indicates /etc/shadow may indeed not be included in the ROM image, which is my mistake as I should have verified if my assumption was correct or not before advising you to remove and copy. I'd first try rebooting the router to see if OpenWrt will auto-generate an /etc/shadow file if none is detected, else FailSafe Mode will be the only recourse if you don't have serial access.

  • Just another general FYI, I always recommend all users, prior to flashing third party firmware, obtain a USB-TTL cable or USB-to-UART to allow them to connect to the router for instances like this, as well as for troubleshooting boot issues if they arise.

The reason why LuCI states there's no password set, but is refusing to allow you to login, is because /etc/shadow is missing. At this point, you'll need to enter FailSafe Mode. Once you mount the root filesystem, issue the following:

echo 'root:$6yW4NzrSbN6w:17857:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
sshd:x:0:0:99999:7:::' > /etc/shadow
chmod 644 /etc/shadow && passwd
  • The above has no password set, but will not warn you that one is not set since I set the above output's password to nothing for the root account.
1 Like

A more likely cause is that rpcd isn't running which prevents LuCI from opening a session.

Thank you. After using my TP-Link Archer C2600 back-up router for the past couple of weeks, I am now able to rescue my R7800. Do I have to enter after each line or only after "...shadow" and "...passwd"?

I'm not able to login to Luci too, and able via ssh (both key and password), and /etc/shadow looks correct here. The log just says
Wed Jan 9 13:42:26 2019 daemon.err uhttpd[3907]: luci: failed login on / for root from 192.168.116.175
What's wrong with it?

For those who bump into this thread with login issues, a summary:
Some people can't log in even though they know the password is correct. Broadly I see two situations:

  • they get a password incorrect - this might be due to RPCD config or shadow permissions
  • they get nothing (the page just reloads. If they give a WRONG password, they get the password incorrect message) This seems cookie related

Here are some solutions to try.

RPCD

Might be a rpcd issue. Check if /etc/config/rpcd has this:

config login
        option username 'root'
        option password '$p$root'
        list read '*'
        list write '*'

If not, edit, restart rpcd with /etc/init.d/rpcd restart

shadow

Make sure /etc/shadow has the right permissions: chmod 644 /etc/shadow

re-set the password

Change (or re-enter) your pw with passwd then restart uhttpd with /etc/init.d/uhttpd restart

uhttpd config

The thread starter had an empty /etc/config/uhttpd - and copied it over from default, then had to fix shadow:
rm /etc/shadow && cp /overlay/upper/etc/shadow /etc && passwd
Note the discussion, though, this conversation isn't over yet it seems.

Cookies

Delete cookies from the domain. Be thorough - my cookie deletion tool in Chrome claims there are no cookies, but when I look into the cookie store I can still find them with a search on the router IP address and have to manually remove them. THEN login works again.

If you tried it all and no success - I guess you'll have to ask here or create a new conversation :wink:

Good luck!

6 Likes
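
The checks from the summary above, gathered into one read-only script. This is an added example, not code from the thread; the function name and finding names are made up here, and it assumes a POSIX shell with grep, awk, cut, ls and pidof available (as BusyBox normally provides on OpenWrt).

```shell
#!/bin/sh
# Added example: read-only checks for the causes listed in the summary above.
# Usage: check_luci_login [ROOT]; ROOT defaults to "/" (pass a mounted overlay
# or an extracted backup to audit offline). Finding names are made up here.

report() { printf '%s\n' "$1"; }

check_luci_login() {
    root="${1:-/}"; root="${root%/}"

    # Thread starter's case: /etc/config/uhttpd existed but was empty.
    [ -s "$root/etc/config/uhttpd" ] || report "uhttpd-config-empty-or-missing"

    # The login section must point at the system account via '$p$root'.
    rpcd="$root/etc/config/rpcd"
    if [ ! -s "$rpcd" ]; then
        report "rpcd-config-empty-or-missing"
    elif ! grep -qF "'\$p\$root'" "$rpcd"; then
        report "rpcd-login-not-shadow-backed"
    fi
    # Only meaningful on the live system: is rpcd running at all?
    [ -n "$root" ] || pidof rpcd >/dev/null 2>&1 || report "rpcd-not-running"

    shadow="$root/etc/shadow"
    if [ ! -f "$shadow" ]; then
        report "shadow-missing"
        # A leftover /etc/shadow- with no /etc/shadow was reported in the thread.
        [ ! -f "${shadow}-" ] || report "shadow-backup-present"
        return 0
    fi
    line=$(grep '^root:' "$shadow" | head -n 1)
    if [ -z "$line" ]; then
        report "shadow-no-root-entry"
    else
        # A well-formed entry has nine colon-separated fields.
        n=$(printf '%s\n' "$line" | awk -F: '{print NF}')
        [ "$n" -eq 9 ] || report "shadow-root-entry-malformed"
        [ -n "$(printf '%s\n' "$line" | cut -d: -f2)" ] ||
            report "shadow-root-password-empty"
    fi
    # Report the mode as ls shows it. 644, as suggested in the thread, lets
    # every local user read the password hashes.
    report "shadow-mode:$(ls -ln "$shadow" | cut -c1-10)"
}
```

Run `check_luci_login` with no argument on the router itself; every line except `shadow-mode:` names a condition from the thread that would explain a rejected LuCI login.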

Thanks!

I had the same issue with WNDR3700

In my case I found /etc/shadow- file, but no /etc/shadow at all.

I did

  • soft-reset
  • then rm /etc/shadow && cp /overlay/upper/etc/shadow
  • then passwd
  • then /etc/init.d/uhttpd restart
1 Like

Applying shadow permissions and opening lan address in new container tab [cookies] was the solve for me

(having flashed vanilla openwrt to GL-B1300, subsequently changing lan address)
