OpenWrt offers several ways to “start over” with your router.
- Failsafe Mode is useful if you have lost control of your device, and it has become inaccessible, perhaps through a configuration error. It allows you to reboot the router into a basic operating state, retaining all your packages and (most) settings. (see Failsafe Mode)
- Factory Reset erases all your packages and settings, returning the router to its initial state after installing OpenWrt. (see Factory Reset)
- Recovery Mode allows you to install new firmware on a router that has become corrupted. (see Recovery Mode)
Factory Reset depends on completing the boot process. If Factory Reset is not working, try with Failsafe Mode instead.
Failsafe Mode
Create the file pservice in the /etc/init.d/ directory of the OpenWRT router using WinSCP (of course alternatively the ssh terminal may be used), with the contents of this linked file. After saving, open the properties of the pservice file and set the access rights to 755. The patch for openssh looks good but please don't add it as a new package. Just add the openssh-server-pam package to the Makefile of openssh. And please update your checkout as openwrt. Public Key Authentication in OpenWRT using dropbear sshd. Apr 24 2013 April 24, 2013 Posted by jason at 1:37 pm security, Tutorial, Uncategorized Add comments. I’ve been using so many openwrt devices lately I wanted to setup my public ssh key on each device so I can auto login. Also, I can setup a really unfriendly password for the root. Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md - openwrt/packages.
OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods,.
OpenWrt allows you to boot into a failsafe mode that overrides its current configuration. If your device becomes inaccessible, e.g. after a configuration error, then failsafe mode is there to help you out. When you reboot in failsafe mode, the device starts up in a basic operating state, with a few hard coded defaults, and you can begin to fix the problem manually.
Failsafe mode cannot, however, fix more deeply rooted problems like faulty hardware or a broken kernel. It is similar to a reset, however with failsafe, you can access your device and restore settings if desired, whereas a reset would just wipe everything.
Caveat: Failsafe mode is only available if you have installed firmware from a SquashFS image, that includes the required read-only root partition. To verify whether your device has the SquashFS root partition, check for “squashfs” either in the OpenWrt image name or perform the following check on your device:
The terminal should return something similar to this:
Entering failsafe mode
Make sure you use a wired connection, since the failsafe will disable your wireless connectivity. Sometimes you need to connect to a specific network port of your router to get connectivity. Try the LAN 1 port first.
On most routers, OpenWrt will blink an LED (usually “Power”) during the boot process after it gets control from the initial bootloader (like u-boot). OpenWrt will rather early in the boot cycle check if the user wants to enter the failsafe mode instead of a normal boot. It listens for a button press inside a specific two second window, which is indicated with LEDs and by transmitting a UDP packet.
To enter failsafe mode, follow one of the procedures listed below:
Recommended for most users: Wait for a flashing LED and press a button. This is usually the easiest method once you figure out the correct moment.
For most users and most devices, the LEDs now (2018) provide sufficient clues as to timing to be able to avoid older recommendations to “press the XXX button as fast as you can until …” for entering failsafe mode.
There are three different (power) LED blinking speeds during boot for most of the routers:
- A power-on sequence of lights that is specific to the device's bootloader
- Then a fast 5-per-second blinking rhythm during two seconds, while router waits for user to trigger the failsafe mode, typically by a button press
- A faster, 10-per-second blink if the user pressed a button and failsafe mode was triggered
- A slower, 2.5-per-second blink continuing to the end of boot, if the failsafe was not triggered and the normal boot continues
Alternate for expert users: Wait (with a packet sniffer) for a special broadcast packet and press a button. The packet will be sent to destination address 192.168.1.255 port UDP 4919. The packet contains the text “Please press button now to enter failsafe”. So for example, in a terminal and using tcpdump, with the router connected to port eth0, you would enter the command
Alternate for expert users with serial connection: Watch for a boot message on the serial console and press a key (“f”) on the serial keyboard. This requires that you have attached a serial cable to the device. The message shown in the console is “Press the [f] key and hit [enter] to enter failsafe mode”
Usually, it is easiest to watch the LEDs. However, do consult the available documentation for your device, as there is no default button assigned as a reset button and not all procedures work on every device. Whichever trigger you use, the device will enter failsafe mode and you can access the command line with SSH (always possible) or a serial keyboard.
Note that modern OpenWrt always uses SSH, but early OpenWrt releases (15.05 and before) offered a telnet connection in this state but no SSH.
Fixing your settings
Once failsafe mode is triggered, the router will boot with a network address of 192.168.1.1/24, usually on the eth0 network interface, with only essential services running. Using SSH or a serial connection, you can then mount the JFFS2 partition with the following command:
After that, you can start looking around and fix what’s broken. The JFFS2 partition will be mounted to /overlay, as under normal operation.
Factory Reset
Download fonts for microsoft word 2011 mac. A factory reset returns your router to the configuration it had just after flashing. This works on any install with a squashfs / overlayfs setup (the norm for most installations), since it is based on erasing and reformatting the overlayfs. Adobe creative suite free download for mac.
x86 builds (made for PC/Server hardware) with an ext4 read-write rootfs cannot be reset this way.
With a large NOR chip, it can take 3 to 5 minutes for the overlayfs to be formatted in the flash. During this time, changes cannot be saved.
Reset Button
On devices with a physical reset button, OpenWrt can be reset to default settings without serial or SSH access.
- Power on the device and wait for the status led to stop flashing (or go into failsafe mode, as described above).
- Release the reset button.
The device will do a hard factory reset (see below) and then reboot. This operation can be slow on some devices, so wait a few minutes before connecting again.
Soft Factory Reset
If you want a clean slate, there’s no need to flash again; just enter the following commands. Your device's settings will be reset to defaults like when OpenWrt was first installed.
Issuing “firstboot” or “jffs2reset” command will attempt to delete all files from the jffs2 overlay partition. Note that this “soft reset” is performed with file system actions, so in some cases it is not enough.
Openwrt Openssh Compile
Note: If the commands above (all on one line) don't work, try those commands on separate lines in the terminal.
Note: for most routers, “firstboot” actually just issues a “jffs2reset” command, so there is not much difference compared to the “hard reset” advice below.
Note: if you're issuing this command inside a bash script, remember to add the option -y to force firstboot:
Hard Factory Reset
This command will erase and reformat the whole JFFS2 partition and create it again. They key for a real “hard reset” is to unmount the overlay partition first and only then issue the jffs2reset (or firstboot) command:
While in most cases this is producing similar end-result as the “soft reset”, this marks the whole flash area of the JFFS2 (read-write) overlay partition as a empty non-initialised JFFS2 partition. Thus the partition will be re-created at the next mount, usually at the next boot. So, this hard reset bypasses the current file system of the overlay.
Explanation: based on the mount status of the overlay, jffs2reset selects either a file-based delete operation or a partition mark-it-empty action: https://git.openwrt.org/?p=project/fstools.git;a=blob;f=jffs2reset.c;h=dbe049881f5;hb=HEAD#l43
Another method to force F2FS reformatting if the above doesn't work:
File access through scp
It's possible to edit and transfer files from the Failsafe mode, by using scp command/protocol from Linux or Mac, or by using WinSCP from Windows.
If you transfer over a sysupgrade image, you can also do a commandline sysupgrade ( syupgrade -n /path/to/file ) as normal.
Recovery Mode
If neither Failsafe Mode nor Factory Reset returns control of your router, you can often replace the firmware of your device using one of the procedures described on the Recovery Mode page.
- Follow Dropbear key-based authentication to set up key-based authentication.
- Follow Secure your router's access for additional security hardening.
The SSH configuration is handled by the Dropbear subsystem of uci and the configuration file is located in /etc/config/dropbear.
Each dropbear SSH server instance uses a single section of the configuration file, and you can have multiple instances.
Sections
The dropbear configuration contains settings for the dropbear SSH server in a single section.
Dropbear
The dropbear section contains these settings. Names are case-sensitive.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
enable | boolean | no | 1 | Set to 0 to disable starting dropbear at system boot. |
verbose | boolean | no | 0 | Set to 1 to enable verbose output by the start script. |
BannerFile | string | no | (none) | Name of a file to be printed before the user has authenticated successfully. |
PasswordAuth | boolean | no | 1 | Set to 0 to disable authenticating with passwords. |
Port | integer | no | 22 | Port number to listen on. |
RootPasswordAuth | boolean | no | 1 | Set to 0 to disable authenticating as root with passwords. |
RootLogin | boolean | no | 1 | Set to 0 to disable SSH logins as root. |
GatewayPorts | boolean | no | 0 | Set to 1 to allow remote hosts to connect to forwarded ports. |
Interface | string | no | (none) | Tells dropbear to listen only on the specified interface. (e.g. lan, wan, wan6) |
rsakeyfile | file | no | (none) | Path to RSA file |
dsskeyfile | file | no | (none) | Path to DSS/DSA file |
SSHKeepAlive | integer | no | 300 | Keep Alive |
IdleTimeout | integer | no | 0 | Idle Timeout |
mdns | integer | no | 1 | Whether to annouce the service via mDNS |
MaxAuthTries | integer | no | 3 | Amount of times you can retry writing the password when logging in before the SSH server closes the connection from this commit |
Default configuration
Openssh For Windows
Extras
Multiple instances
Add a second instance of dropbear listening on port 2022.
Security considerations
- Set up public key authentication and disable password authentication if possible.
- Set up a VPN to avoid exposing SSH to the internet and as a single critical vulnerability may be enough for a remote attacker to gain root access.
Problems facing with a public SSH:
- No facility to ban IPs with many failed login attempts.
- File system permissions are very lax on default OpenWrt.
- Preventing normal users from exploiting BusyBox to gain access to root only commands due to missing permissions for symlinks.
References
Openssh Openwrt