How can I write a new MOD_HTTP_PASSWORD into /var/mod/etc/conf/mod.cfg?

[fraternl]

The variable MOD_HTTPD_PASSWD is a hashed password for the Freetz interface which resides in /var/mod/etc/conf/mod.cfg
This password is hashed and I have no idea how.

I would like to create a new password into that file instead of "freetz"
I don't want to keep that password for a production box.
I will change it manually later on.
But I also don't want it left at "freetz" in case I forgot to change it.

In case the password is never configured before I want to write the password to it that's on the back of the fritzbox.
I can find that password here:

#
BACKPASS=`grep '^webgui_pass'  /proc/sys/urlader/environment | awk '{print $2}' | egrep -o '[a-z]+[0-9]+'`
#

But before I can replace the password I need it hashed.

Can you help me with that?

[PeterPawn]

Try this to reproduce the password stored in MOD_HTTPD_PASSWD:

vidar:~ # openssl passwd -1 -salt "" freetz
$1$$zO6d3zi9DefdWLMB.OHaO.
vidar:~ #

Replace freetz with your own value ... but please try to simplify your command to get the BACKPASS value a bit, e.g. use this one:
https://github.com/PeterPawn/YourFritz/blob/f0b0942846ffcc9ff8a5e8c038350fbd2f63e215/bootmanager/bootmanager#L359 (and omit the variables used for (pseudo) file name and output redirection - it's unnecessary in your case) - but use one single call instead of
three different commands (sed is always available and the used editor command is POSIX-compatible, too).

If you'll use this on the router itself (only there you'll find the /proc/sys/urlader/environment file), be aware of the needs for an usable openssl binary, too. I'm not sure, whether it will get included automatically in each case ... and there aren't much alternatives from Freetz(-NG) packages available on the box.

I'll close this here ... feel free to re-open, if your problem wasn't solved or your question wasn't answered. And by the way ... the IPPF is (imho) a much better place for further discussions (and I'd bet, you've got an account there already) - at least for this question, which is not closely regarded to one of my own projects.

[PeterPawn]

Ah ... one more hint: The httpd applet from BusyBox (which is used by Freetz(-NG) as server) is able to encode a password too (using option -m - it's more a convenience utility function) - but it uses always a (random) salt value. Nevertheless the generated value could be used to validate a login - it has some additional data between the 2nd and 3rd dollar sign only and the results aren't reproducible over different calls.

This could eliminate the needs for an (additional) openssl binary ... use the whole string from output and take care of the embedded dollar signs - there shouldn't be any substitution within (especially not for the $1 at the beginning, which is the code for the used MD5 hash algorithm).

[fraternl]

PeterPawn to the rescue once again.
Many thanks.
I didn't compile openssl in, so I'm glad it worked with httpd -m

Here's a snippet from my provision script which is working thanks to you
Just did a factory reset of the box and waited for a boot cycle
Afterward I could login with the password that's on the back of the modem.

(The same for the terminal login and a special user for the AVM-interface I created automatically with your set.lua script)

CONFIG=/var/mod/etc/conf/mod.cfg
BACKPASS=`grep '^webgui_pass'  /proc/sys/urlader/environment | awk '{print $2}' | egrep -o '[a-z]+[0-9]+'`
# check length of BACKPASS (should be 10 characters)
if echo -n "${BACKPASS}" | wc -c | grep -q '^10$' ; then
  # Check if the Freetz WebIF still has "freetz" as its password
  if grep -q "^export .*zO6d3zi9DefdWLMB" ${CONFIG} ; then
    BOXMD5="`/usr/sbin/httpd -m ${BACKPASS}`"
    sed -i "s/^export MOD_HTTPD_PASSWD=.*/export MOD_HTTPD_PASSWD=\'${BOXMD5}\'/g" ${CONFIG}
    echo "change MOD_HTTPD_PASSWD in ${CONFIG}" >>${LOG}
    REBOOT_REQUIRED=true
  fi
fi

By changing the SSH-login password I did create a new problem. I'm not getting warned anymore that I'm still using the "default" password. Most of the time I will login with a public/private key so I may forget it is still using the password on the back of the thing. It's not as bad as a password "freetz", but still....

[PeterPawn]

should be 10 characters

That's a wrong assumption - the length is varying. Afaik the webgui_pass value is built from a (german - again afaik, even for international versions) simple word (4 to 6 characters, but maybe the lower limit is 5 indeed - I'm owning a 7590 with 5 letters password) and 4 digits get appended.

I'm not getting warned anymore

Why don't you modify this "default password check", too? It's in https://github.com/Freetz-NG/freetz-ng/blob/master/make/pkgs/mod/files/root/usr/mww/cgi-bin/status.d/00-password.sh - but due to the automatic salt while using httpd -m, you can't use a simple string comparison.

If you use the cryptpw BusyBox applet instead:

vidar:~ # busybox cryptpw -m md5 -S "" freetz
$1$$zO6d3zi9DefdWLMB.OHaO.
vidar:~ #

you may omit the salt (it shouldn't matter here) and generate a "fixed" hash for your webgui_pass value again, which is easier to compare. Maybe you've to add this applet to the built BusyBox yourself, if it's not included automatically.

That's the reason I didn't mention this applet earlier (as I looked through the list of BusyBox applets to circumvent the needs for an OpenSSL binary) - the httpd applet will be present every time, 'cause it's the HTTP server used by Freetz(-NG) itself. And as long as you do not want to compare the encrypted values as text (strings), it doesn't matter, if the encrypted result isn't reproducible. But if you want to extend the "default password check", the encrypted value shouldn't use a salt - it's easier to handle.

---

Here's what I would use instead of your snippet from above:

md5pw() { /bin/busybox cryptpw -m md5 -S "" "$1"; }

CONFIG="/var/mod/etc/conf/mod.cfg"
BACKPASS=$(sed -n -e "s/^webgui_pass\t\(.*\)$/\1/p" /proc/sys/urlader/environment)
# check length of BACKPASS (should be between 9 and 11 characters long)
BPLEN=$(printf "%s" "$BACKPASS"  | wc -c)
if [ $BPLEN -ge 9 ] && [ $BPLEN -le 11 ]; then
  if [ -n "$(sed -n -e "/^export MOD_HTTPD_PASSWD='$(md5pw freetz)'/p" "$CONFIG")" ]; then
    sed -e "/^export MOD_HTTPD_PASSWD=.*/d" -i $CONFIG 
    printf "export MOD_HTTPD_PASSWD='%s'\n" "$(md5pw "$BACKPASS")" >> "$CONFIG"
    echo "change MOD_HTTPD_PASSWD in $CONFIG" >>$LOG
    REBOOT_REQUIRED=true
  fi
fi

It's still far from being perfect - but possible problem(s) with your code are:

• the length isn't always 10 (maybe my checks are invalid too and the length may vary more)
• the hashed value of the new password is Base64 encoded ... it may contain slash characters itself, e.g. for wolke1234 - this would lead to an invalid substitute command for sed
• it's easier to remove the MOD_HTTPD_PASSWD line first and append another one with the new value, instead of escaping characters within the new password hash - the order doesn't matter within this file

[fraternl]

Thanks for the several tips and showing a different style with bash.
I've adapted my code to reflect your changes and I will look into 00-password.sh

[fraternl]

Modifying 00-password.sh was successful and it now warns me a default password is set.

cat ./make/pkgs/mod/files/root/usr/mww/cgi-bin/status.d/00-password.sh

default_password_set() {
        [ "$MOD_HTTPD_PASSWD" == '$1$$zO6d3zi9DefdWLMB.OHaO.' ] || [ "$MOD_HTTPD_PASSWD" == "$(md5pw "$BACKPASS")"  ]
}

md5pw() { /bin/busybox cryptpw -m md5 -S "" "$1"; }

BACKPASS=`grep '^webgui_pass'  /proc/sys/urlader/environment | awk '{print $2}' | egrep -o '[a-z]+[0-9]+'`

if default_password_set; then
        print_warning "$(lang \
          de:"Standard-Passwort gesetzt. <a href=\"/cgi-bin/passwd.cgi\">Bitte &auml;ndern!</a> " \
          en:"Default password set. <a href=\"/cgi-bin/passwd.cgi\">Please change!</a>" \
        )"
fi

If you see some room for improvement, you're welcome.

BTW... it doesn't work if I type that same password and let the Freetz webif change it. That's because it will put a different hash in the file. I think that one uses a hash. It's not important, really. I just want a warning that I'm being sloppy. There's no need to harden it in that way.