OpenWrt Forum Archive

Topic: password on console (serial) access

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

is it possible to enable asking for password on console access ?? Today ssh asks passwords fine, but console access through the shell with no password at all.

is it possible to configure it to ask root password the same way as ssh ??

i'm running kamikaze build from trunk on a RouterBoard 450 .....

It can be done.
1. Include login in busybox setup (by default is disabled)
2. Replace the "ttyS0::askfirst:/bin/ash --login" with "ttyS0::askfirst:/bin/login" in /etc/inittab file. (you can change the inittab file in packages/base-files/files/etc or directly in RB after first boot)
3. Login using the same password with ssh.

(Last edited by Slammer on 11 Sep 2008, 02:00)

seems i have /bin/login being installed by base-files-ar71xx package. Anyway, i'll try that. Thanks for the tip !!!

use getty and login in busybox

In  /etc/inittab modify

#ttyS0::askfirst:/bin/ash --login
ttyS0::askfirst:/bin/login

note that on ar71xx based system the uci-default script inittab-console-fix up will modify the inittab causing issues.

the default script
@@[[
#!/bin/sh
#
# Copyright (C) 2011 OpenWrt.org
#

enable_console_login() {
        local cons=$1
        local initline="$cons::askfirst:/bin/ash --login"

        grep -qs "^$initline" /etc/inittab || {
                echo "$initline" >> /etc/inittab
                sync
                kill -HUP 1
        }
}

inittab_console_fixup() {
        for cons in ttyS0 ttyATH0; do
                grep -qs "console=$cons" /proc/cmdline && {
                        enable_console_login $cons
                }
        done
}

inittab_console_fixup

exit 0


]]@@

will append an /bin/ash --login no matter what you have added to inittab when building images.

so... this script should be edited to test for login and then add the correct inittab entry to protect the console

modify the script in target/linux/ar71xx/base-files/etc/uci-defaults/inittab-console-fixup to read as follows

@@[[
#!/bin/sh
#
# Copyright (C) 2011 OpenWrt.org
#

enable_console_login() {
        local cons=$1
        local initline
       
        if [ -e /bin/login ]; then
                initline="$cons::askfirst:/bin/login"
        else
                initline="$cons::askfirst:/bin/ash --login"
        fi

        grep -qs "^$initline" /etc/inittab || {
                echo "$initline" >> /etc/inittab
                sync
                kill -HUP 1
        }
}

inittab_console_fixup() {
        for cons in ttyS0 ttyATH0; do
                grep -qs "console=$cons" /proc/cmdline && {
                        enable_console_login $cons
                }
        done
}

inittab_console_fixup

exit 0

]]@@

(Last edited by lsoltero on 10 Jan 2013, 18:56)

use the login that is part of the busybox package.
CONFIG_BUSYBOX_CONFIG_LOGIN=y

vi /etc/inittab
replace
::askconsole:/bin/ash --login
to
::askconsole:/bin/login


all ok....

Think about Grub and the need to set-up a password.
Otherwize, it might be possible to boot in single user mode and modify root password.

leonardogyn wrote:

Today ssh asks passwords fine, but console access through the shell with no password at all.

AFAIK, the default settings for an OpenWRT firmware has no root password. Therefore, it is imperative to do a 1st login as root to change the default (non) password to something else. Once the root account it set with a new password, telnet will be disabled and access to shell is done through SSH with the new password.

OKay, I found the right page.

Why don't you include this after first connection.

It seems completely unreal to keep a console without password.

replace
::askconsole:/bin/ash --login
to
::askconsole:/bin/login

Now, can we secure Grub to disable single-user mode?

(Last edited by gnutella on 17 Aug 2015, 20:28)

It does not work;

Failed to executPlease press Enter to activate this console.

OK, busybox has to be recompiled.
Is /bin/login available in a package so we don't need to recompile.

What stops developers from offering busybox with password as default?
I think very few people are aware that their router is "WIDE OPEN" to any attacker.

Also, how can we stop people from booting in single user mode or accessing the bootloader password?
Is there a wiki page descibing those issues?

(Last edited by gnutella on 19 Aug 2015, 17:18)

Hello friends!

old topic..

but great problem serial access is wide open!

I need to put my routers em public places and have secret information inside.

how to protect serial console with a password?

using barrier breaker mr3020 and mr3220

sorry my bad english

thanks for any help

gnutella wrote:

I think very few people are aware that their router is "WIDE OPEN" to any attacker.

Unless it is a PC "opening" requires disassembling device and attaching to serial port.
I wouldn't call it "wide open"

This comes down to physical security, which is an ancient topic.  If an attacker has (uninterrupted) physical access to your system, large or small, your security policy has broken down.

Clemmitt

cmsigler wrote:

This comes down to physical security, which is an ancient topic.  If an attacker has (uninterrupted) physical access to your system, large or small, your security policy has broken down.

Clemmitt

hello friends!

I'm learn about compile from sources.. have many options in busybox like

sulogin

login / support for login scripts

etc.. dont find documentation about..

but dont have any way to password console serial access?

Hi,

gugaoforums wrote:

have many options in busybox like
sulogin
login / support for login scripts
etc.. dont find documentation about..

Please start a new thread if you need to ask more questions.  This is the wrong place to ask sad

https://downloads.openwrt.org/docs/buil … om_busybox

https://wiki.openwrt.org/doc/techref/ex … ybox_gplv2

https://busybox.net/FAQ.html#configure

https://busybox.net/BusyBox.html

The last man page link gives a list of all available applets but may not help you much in choosing.  I haven't configured busybox before so that's the best I can do to help.

Clemmitt

Thank you very much!

sorry for my bad english.

The discussion might have continued from here.