Re: [Dorset] OpenWRT

2019-02-10 Thread Patrick Wigmore
On Sun, 10 Feb 2019 13:23:38 +, Tim wrote:
> First, I found the passphrase for my wifi stored on the router in
> plain text format
It's certainly not the first router operating system to do that. I
found a feature request asking for Ubiquiti access points to stop storing
WiFi passwords in plain text:
https://community.ubnt.com/t5/UniFi-Feature-Requests/Hashing-the-remaining-passwords-do-not-store-in-plain-text/idi-p/1590658#comments

Someone please correct me if I'm wrong, but my understanding is that the
mutual authentication feature of WPA2-PSK means that the access point must
store either the plain text passphrase or the plain text secret that gets
computed from it, either of which can be used to authenticate to the
network if stolen. It seems to me that the best defence is therefore to
avoid using the passphrase for anything except that one WiFi network, or
else to use WPA2 Enterprise instead (which does not rely on a pre-shared
key).

> Secondly, when you login into the router via ssh you do so as root
It is definitely possible to change that. You can add a less privileged
user, enable key-based authentication for SSH and install sudo.

I wonder if the default was a compromise made in order to limit the
amount of software included in the base installation, due to the limited
amount of flash memory found in router hardware.

> to be fair when you login into the router via the web interface you
> also do so as root.
I never really liked that, especially since HTTPS is not enabled by
default. I don't so much mind having to authenticate as root to perform
administrative actions, but it does seem poor form to run the entire web
server as root.

Patrick

--
  Next meeting: BEC, Bournemouth, Tuesday, 2019-03-05 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk/
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
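
The point about WPA2-PSK in the message above, as an added example that is not part of the original post or of OpenWRT's code: the access point can keep the derived key instead of the passphrase, but that derived key alone is enough to complete the handshake. The function names, MAC addresses, nonces and frame bytes are constructed for illustration; the passphrase/SSID pair is the published IEEE 802.11i PBKDF2 test vector.

```python
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def handshake_mic(pmk, ap_mac, sta_mac, anonce, snonce, frame) -> bytes:
    """MIC over a 4-way handshake frame; the only long-term secret used is the PMK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 384-bit PTK for CCMP
    kck = ptk[:16]                                       # key confirmation key
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not captured traffic).
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
FRAME = b"constructed stand-in for an EAPOL-Key frame with a zeroed MIC field"

def demo() -> dict:
    # Client side: knows the passphrase and derives the PMK itself.
    client = handshake_mic(wpa2_pmk("password", "IEEE"), AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME)
    # AP side: config holds only the 64-hex-digit derived key, never the passphrase.
    stored_hex = wpa2_pmk("password", "IEEE").hex()
    ap = handshake_mic(bytes.fromhex(stored_hex), AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME)
    # The SSID is the salt, so the stored key is useless on a differently named network.
    other = wpa2_pmk("password", "IEEE-guest")
    return {"stored_hex": stored_hex, "mics_match": hmac.compare_digest(client, ap),
            "other_ssid_differs": other.hex() != stored_hex}

if __name__ == "__main__":
    print(demo())
```

In hostapd the two storage forms correspond to `wpa_passphrase=` (the passphrase) and `wpa_psk=` (the 64 hex digits); storing the latter protects the passphrase if it is reused elsewhere, but not this network.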

Re: [Dorset] OpenWRT

2019-02-10 Thread Andrew
I suspect the router would need to decrypt the wireless key if it were 
encrypted, so the configuration would have to have all the details 
required to decrypt it. I'm not sure I'd worry too much about people 
getting access to my WLAN key if they already have root access to the 
router.


I doubt any non-OpenWRT routers are better. BT routers for example have 
the wireless key stored in plain text on a sticker on the router. Then 
there's those routers where the default SSID and key are based on the 
MAC address... which it broadcasts!


--

Andrew.



Re: [Dorset] OpenWRT

2019-02-10 Thread Tim

On 29/01/2019 16:55, Tim wrote:

On 27/01/2019 19:13, Tim wrote:

On 27/01/2019 12:57, Patrick Wigmore wrote:

On Mon, 14 Jan 2019 17:59:30 +, Tim wrote:

If anybody has any stories regarding OpenWRT I would be interested to
hear them

On Sat, 26 Jan 2019 13:13:02 +, Ralph Corderoy wrote:

Every time I'm in the market for a new broadband modem, like now,
I consider buying one supported by OpenWRT, but never manage it.
The last I checked, the only available ADSL or VDSL modem that
OpenWRT appeared to actually have a driver for was the one inside
the BT Home Hub 5 type A (a.k.a. Plusnet Hub One or BT Business Hub
5). It is not a badly specified device given how cheaply available
they are. 802.11ac, 128MB RAM, 128MB flash, 500MHz CPU. I bought one
and put OpenWRT on it.

The main downsides I see are:

* Though it has gigabit network interfaces, it is not capable of
  actually routing traffic at gigabit speeds. (I don't care about
  that: it's fast enough for me.)
* It is too easy to press the prominently-located restart button
  while handling the device, causing an unwanted reboot. Presumably
  the stock firmware requires regular rebooting so they decided to
  make a feature out of it.
* It makes a quiet ticking noise like a laptop hard drive when it is
  transceiving WiFi traffic. (This seems to be the power supply
  circuitry responding to the varying load, because connecting a
  USB-powered device that uses PWM to fade some LEDs up and down
  causes the Home Hub to provide an audible rendition of the PWM
  signal, providing many minutes of entertainment.)
* Unlike the radio in my previous, lower-spec Buffalo device (also
  running OpenWRT), the WiFi radios don't seem to support operating
  simultaneously as both a client and an access point. Though, since
  it's dual band and has two radios, the unit as a whole can do this,
  provided you don't mind dedicating a whole frequency band (2.4GHz
  or 5GHz) to each of these functions.
* It doesn't have many indicator LEDs (but all three are RGB, so you
  can squeeze quite a bit of information out through them).
* No option for external WiFi antennae (it works well without them,
  but some people might have a specific reason why they need or want
  them).

It's been very stable for me. The only unplanned downtime has been
due to power failures.

I've only tried the xDSL modem itself for an hour or two, to test it.
Therefore, I can't vouch for the xDSL modem's long-term stability,
but I was satisfied that it would probably do the job if I wanted it
to. The modem took a loong time to make a connection on the first
attempt: about half an hour. I put that down to the DSLAM on the
other end of the line being surprised to see a different modem, but
not before I went on a wild goose chase tweaking the configuration to
see if anything would make it work. After the initial connection, it
appeared capable of reconnecting much more quickly.

On Sat, 26 Jan 2019 13:13:02 +, Ralph Corderoy wrote:

I realise they're specialised devices, but I'm surprised that projects
like OpenWRT don't settle on a collection of chips that they
support very well, e.g. good quality Linux kernel drivers, and then
see if they can crowdfund a device built around them.

If you are acquiring new hardware, it seems to me that the only
product category where there really seems to be a lack of OpenWRT
compatibility is modems. If you just want a router or a WiFi access
point, there are plenty of options. I speculate that it would be
difficult to compete with the existing choice in those categories, but
the xDSL modem-router category would be more fertile ground for a
crowd-funded product.

Patrick Wigmore

It is a strange position that had I spent more time researching the 
router I purchased (Linksys WRT1900ACS) I may never have purchased 
it. To start with I can not block ports and this afternoon I found 
that snmp is not available and I can find nowhere to enable snmp 
within its current config (it does not reply to snmpwalk command). 
Googling seems to return plenty of replies regarding requests for new 
features (like SNMP). I guess this is the downside that a router is 
now seen as a consumer product and the average bod on the street is 
just interested in plug and play and not worried about blocking ports 
or checking your bandwidth usage. Had the funds been available I 
would have gone for a DrayTek (I have used them at work in the past 
and quite happy with them) but I thought I was doing alright buying a 
Linksys, I had used Linksys routers many years ago just after getting 
cable Internet. I thought they were still owned by Cisco but found 
out after the purchase that they were sold on and bought by Belkin 
whose network products I have used in the past and found them to be 
rubbish.


I blame nobody else but myself, I should have done my homework before 
the purchase. I will have to start planning the firmware upgrade to 
OpenWRT and pray that it gives me what I want as the