Set root & humaxftp passwords

[paranoidandroid]

Hello,
I'd like to say thanks to the developers for this custom firmware, it makes the good PVR into a great one. It's the easiest custom firmware I have ever had the pleasure of using. Apple/ Sony/ Nintendo have so much to learn from Humax - we are not evil just let us tweak devices to perfection .

Is this the main CFW development/ support site, or am I missing something?

Is there any way to set the root password on a HDR-Fox T2 with custom firmware 2.14/ Humax 1.02.29.

I have dropbear ssh installed & would like to disable telnet & set the passwords for root & humaxftp. My SSH keys are setup & working. I can see passwd isn't installed, is there a package for it? Is there another way to change the passwords.

I'm unclear if I need to edit /etc/shadow or /etc/passwd, weirdly I can't see the humaxftp user in either file. Is there another config for the ftp user password?

 

[Black Hole]

Is this the main CFW development/ support site

Yes.

Is there any way to set the root password on a HDR-Fox T2 with custom firmware 2.14/ Humax 1.02.29.

At the moment, passwords are tied to the security code you allocate to the Humax ("0000" by default). If you look on the WebIF Settings page you will find username/password options for the WebIF, and also controls for Dropbear including disabling the standard Telnet.

Anything else you will have to talk to af123 for.

If you are new you will find my links below useful (although you seem to have got your head around the CF pretty well).

 

[af123]

Is there any way to set the root password on a HDR-Fox T2 with custom firmware 2.14/ Humax 1.02.29.

For dropbear you currently have to edit the /mod/etc/dropbear/passwd file and replace the hash. Adding an easier way to change this password is on my todo list but hasn't made it to the top yet.

As Black Hole has said, you can disable password logins to dropbear through options on the web interface settings screen and there's also an option to disable telnet there too.

Is there another config for the ftp user password?

The native Humax FTP server uses HumaxFTP as the username and the system PIN as the password so you just change the system PIN from the default (0000) to set a different password.

The betaftpd replacement FTP server package accepts any username and also uses the system PIN for the password. If the special username root is used, then you get access to the whole filesystem. Any other username just gives access to the media root.

 

[Ezra Pound]

Is this the main CFW development/ support site, or am I missing something??

The Hummy WiKi (link at the top of Forum pages) contains guides to most of the CF features and all the CF firmware, Guide Starting point HERE

 

[paranoidandroid]

Thank you all. I have been seeing your three names all over this site, thanks the taking the time to post the guides, tips & CFW.

af123, do I need to hash my password for dropbear when inserting into /mod/etc/dropbear/passwd and is it sha1/2 or md5 etc, or is plaintext enough.

I'll also do the webif & telnet steps too, I don't think it needs to be the most secure device on my network, but it would be great to not have default passwords left on it.

 

[Andrew Benham]

As you say you've got working ssh keys, why not just disable password authentication for dropbear ?
On another piece of hardware I have which also uses dropbear, I've poisoned the password file by putting '*' in the hash field.

 

[paranoidandroid]

As you say you've got working ssh keys, why not just disable password authentication for dropbear ?
On another piece of hardware I have which also uses dropbear, I've poisoned the password file by putting '*' in the hash field.

Good point. I was thinking that the dropbear password was tied to the system root user account. So if I edited 'dropbears root password', it would also mean that the humaxftp user could gain root via 'sudo su' & then enter that 'dropbear root' password.
It's becoming a little clearer that the root password for dropbear isn't tied into the root password for the system.

 

[af123]

You're right, the system root account isn't linked to the mongoose one. It's all a bit academic really because the way the Humax environment is built there isn't any privilege separation anyway. Everything, including the Humax application, runs as root. It's a pretty standard setup for a CE device and since the root filesystem is read-only in flash, there's little problem with that.

The HumaxFTP user isn't a real one either, just a special username recognised by the FTP servers.

af123, do I need to hash my password for dropbear when inserting into /mod/etc/dropbear/passwd and is it sha1/2 or md5 etc, or is plaintext enough.

It's actually /mod/etc/dropbear/shadow - wasn't in front of my box at the time.
It should be a standard crypt hash, the modified version of dropbear on the Humax doesn't support any more fancy hash.

 

[blusky]

To Generate crypt() password this generator can help - aspirine.o rg/htpasswd_en.html

 

[ZJL]

On a linux box you can use makepasswd; for instructions see this link:
blog dot laczik dot org/humax-hdr-fox-t2-dropbear-ssh-sftp-password-change/