Hi all, The following patch is a much better implementation of the previous patch for requiring login even on hardware console.
As per discussion on list, this patch would become the default behaviour for all images, but does have an opt-out which can be set at image generation time or in the overlayfs. This version of patch doesn't use getty because I realized using getty for login is not needed on openwrt because of askfirst/askconsole which setup the console for the login command (on standard distros getty is required because the terminal(s) are not active unless getty activates them; this is not an issue for openwrt). So askfirst or askconsole (depending on platform) are used to setup the console. Once the user presses enter /sbin/login_wrapper is invoked which checks for the presence of /lib/preinit/zz_passwordless_console. If that file exists /bin/ash --login (current behavior) is exec'd and you get passwordless root access. If the file does not exist (or is not readable) then /bin/login is exec'd and the user is prompted for a password. With a default install of openwrt with no previous configuration you can enter user root and the use an empty password (just ENTER) as default for stock openwrt has no password for root. If the image creator embedded a default password for root, then that password would be required at this point. In any event, unless passwordless console has been flagged, once a root password has been set it will be required to login to the hardware/serial console. This behaviour also applies to failsafe mode as previous work, probably for the dropbear failsafe access, has enabled pulling in current configuration for failsafe mode. If it is considered undesirable to have the runtime option of disabling the requirement for password, then the check for /lib/preinit/zz_passwordless_console could be modified to check for the existence of /rom (which indicates a squashfs) and check for /rom/lib/preinit/zz_passwordless_console when it exists, instead of allowing for a writable setting (/rom is the readonly squashfs that is embedded in the flash). Enjoy! Daniel [PATCH] base-files image: Require login even on console (including _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel