Serial console password

By default, the OpenWRT serial console is not protected by a password. As a principle, networking hardware should never be accessible without authentication and should be locked down to avoid attacks.

The original forum thread can be read here.

A support ticket was opened here.

Default behavior

After the first boot of OpenWRT, the user defines a password that protects SSH and LuCI HTTP(S) access. However, the serial console remains accessible without a password. Very few OpenWRT users are aware that their hardware is wide open; you should be aware of this and apply a fix.

Setting OpenWRT serial console password

A workaround is to enable login, which is part of the busybox package:

CONFIG_BUSYBOX_CONFIG_LOGIN=y

You may need to recompile busybox.

Edit the file /etc/inittab and replace

::askconsole:/bin/ash --login

with

::askconsole:/bin/login

Recompile busybox if needed

You will need to recompile busybox because its .config does not include the line CONFIG_BUSYBOX_CONFIG_LOGIN by default.

This page may be helpful: https://wiki.openwrt.org/doc/howtobuild/single.package

Run make menuconfig, go to "Base system ---> busybox ---> Login/Password Management Utilities --->" and tick the login checkbox as follows

[*] login

Exit and save the .config

Check that .config contains

CONFIG_BUSYBOX_CONFIG_LOGIN=y

To compile

make package/busybox/compile
make package/busybox/install

After a few minutes, voilà, you can find the <package-name>.ipk in the directory

<build_dir>/bin/<arch>/packages/base/busybox_<version>.ipk

For example, in my case

/home/user/openwrt/bin/ar71xx/packages/base/busybox_1.22.1-3_ar71xx.ipk
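
The inittab change and the busybox dependency described above can be checked together. The script below is an added example, not part of the original wiki page or of OpenWrt: it lists console entries that start a bare shell and rewrites them to /bin/login only when the login applet is installed. The ROOT prefix argument and the sample inittab are assumptions made for the example, and it generalizes the page's askconsole line to any entry that starts /bin/ash or /bin/sh.

```shell
#!/bin/sh
# Added example, not OpenWrt project code. ROOT is a hypothetical prefix so the
# check can run against a copy of the filesystem instead of the live router.

# List inittab entries (id:runlevels:action:process) that start a bare shell,
# i.e. console entries that hand out a prompt without asking for a password.
unprotected_entries() {
    awk -F: '!/^[ \t]*#/ && NF >= 4 && $4 ~ /^\/bin\/(ash|sh)([ \t]|$)/' "$1"
}

# Point those entries at /bin/login, keeping a .bak copy. Nothing is changed
# unless ROOT/bin/login exists: without the busybox login applet the rewritten
# entry could not start and the console would be unusable.
harden_inittab() {
    root=${1:-}
    tab="$root/etc/inittab"
    if [ ! -x "$root/bin/login" ]; then
        echo "no $root/bin/login: build busybox with CONFIG_BUSYBOX_CONFIG_LOGIN=y first" >&2
        return 1
    fi
    cp "$tab" "$tab.bak" || return 1
    awk -F: -v OFS=: '
        !/^[ \t]*#/ && NF >= 4 && $4 ~ /^\/bin\/(ash|sh)([ \t]|$)/ {
            print $1, $2, $3, "/bin/login"; next
        }
        { print }' "$tab.bak" > "$tab"
}

# Constructed sample tree (not taken from a real device).
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/bin"
    printf '%s\n' '::sysinit:/etc/init.d/rcS S boot' \
                  '::shutdown:/etc/init.d/rcS K shutdown' \
                  '::askconsole:/bin/ash --login' > "$root/etc/inittab"
    echo "$root"
}

demo=$(make_sample_root)
echo "before: $(unprotected_entries "$demo/etc/inittab")"
harden_inittab "$demo" || echo "refused: login applet not installed"
: > "$demo/bin/login"; chmod +x "$demo/bin/login"   # stand-in for the applet
harden_inittab "$demo" && echo "after: $(grep askconsole "$demo/etc/inittab")"
rm -rf "$demo"
```

Called with no argument, harden_inittab operates on /etc/inittab and /bin/login of the running system.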

Disabling Linux single user mode

Single user mode is available through GRUB and allows booting without a password. An attacker is then able to change the root password and reboot.

A solution would be to lock down the OpenWRT bootloader process to make sure that booting into Linux single user mode is impossible. This has to be discussed and is not yet documented.

Hardware attacks

You should know that hardware attacks on serial console pins are always possible. However, they require time and skill.

doc/howto/serial.console.password.txt · Last modified: 2017/07/27 22:44 by flawioo