cmkelley
Very Senior Member
UPDATE: Leaving the below for posterity's sake, but don't do it. Some Entware stuff won't work with the "standard" entware setup, so far "man" and "openssh" because they appear to be hard-coded to expect different configurations (such as UID 0 being "root", which at least on my AC86U, the GUI won't allow you to do). But using Entware's busybox causes other router functionality problems (mine wouldn't connect to the internet after a reboot), so the below is pointless.
I suppose the moral of the story is, let the router do router tasks. Get fancy with something not so mission critical. Time to buy a Raspberry Pi 3 B+ ...
--------- DON'T DO THIS ---------
Digging through the Entware wiki, I found that Entware also provides an "alternate" installation script that changes the environment that Entware runs in slightly. After experimenting a bit with this, I think this might be worth looking at for people who want to get the most out of their Entware installation. See https://github.com/Entware/Entware/wiki/Alternative-install-vs-standard for information on the differences.
The first thing I recommend you do is go into the GUI and change the ssh port from 22 to something else. The firmware will still run its own dropbear, and that's useful if you manage to lock yourself out of the Entware dropbear, which we'll install as part of this. I suggest doing this before making the changes, so that you know you can get into your router if something goes wrong. Note that Entware suggests the opposite; that is, leave the firmware dropbear on port 22 and put the Entware dropbear on another port. Your choice, but I want to just type "ssh root@router" to get to my Entware dropbear, rather than remember to add the port.
(Although I didn't try it this way, I think that if you haven't installed Entware yet, you can copy /usr/sbin/entware-setup.sh to the /jffs folder, then edit it and change the appropriate script call (in the "case $PLATFORM in" section) from generic.sh or installer.sh to alternative.sh and then run ./entware-setup.sh from there.) EDIT: Probably don't do it this way, see below.
If you have already installed Entware, then it's just a matter of changing a couple things; if you read the two installation scripts, there's actually very little difference. The first thing to do is install Entware's busybox. EDIT: Maybe don't do this! It is a more recent version than the firmware has, and is compiled with more built-in functions. The wiki (and RMerlin!) says there is a potential of interference with the router firmware, but I've not run into any yet - be prepared to revert if you run into weirdness.
Code:
opkg install busybox
Next you need to unlink the passwd, group, shells, shadow, and gshadow files from /opt/etc:
Code:
cd /opt/etc ### MAKE SURE YOU ARE IN THIS DIRECTORY!!! ###
rm passwd
rm group
rm shells
rm shadow
rm gshadow
Now copy the Entware files over (hopefully you didn't delete the ".1" files ...):
Code:
cd /opt/etc ### MAKE SURE YOU ARE IN THIS DIRECTORY!!! ###
cp passwd.1 passwd
cp group.1 group
cp shells.1 shells
Now you have separate users and groups for Entware. User 0 is "root" instead of "admin" or whatever your firmware / GUI username is. This root has the password 12345, which you will be able to change once you log into your Entware busybox. Speaking of which, you'll need to install the Entware dropbear (or, if you're feeling adventurous, openssh-server) to log in to the Entware "root" user. Note that alternative.sh does not install the Entware dropbear.
Code:
opkg install dropbear
The standard installation of dropbear listens on every interface, which is not what I think we want to do, so I edited the S51dropbear script in /opt/etc/init.d. The below is only the top half of the file, I didn't change anything after the start function.
Code:
#!/bin/sh
PATH=/opt/bin:/opt/sbin:/sbin:/bin:/usr/sbin:/usr/bin
DROPBEAR="/opt/sbin/dropbear"
# Address the router's hostname resolves to, so dropbear is not started on every interface
HOST=$(hostname -i)
PORT=22
PIDFILE="/opt/var/run/dropbear.pid"
# -s: disable password logins, -j/-k: disable local/remote port forwarding
OPTIONS="-s -j -k"
# Succeeds if the PID file exists and the process it names is still running
dropbear_status ()
{
    [ -f "$PIDFILE" ] && [ -d "/proc/$(cat "$PIDFILE")" ]
}
start()
{
    # OPTIONS is left unquoted on purpose so it splits into separate flags
    $DROPBEAR -p "$HOST:$PORT" -P "$PIDFILE" $OPTIONS
}
Note that the -s option disables password logins, remove it if you're using a password to login to your router via ssh (I require an ssh keypair on my router). If you are using keypairs you have to copy and link a couple files;
Code:
cp -p /root/.ssh/authorized_keys /opt/etc/dropbear/ ### NOT in /opt/root/.ssh!
cp -p /etc/dropbear/* /opt/etc/dropbear/
ln -s /etc/profile /opt/root/.profile
Now you can start the Entware dropbear with
Code:
/opt/etc/init.d/S51dropbear start
And you should be able to log in to the Entware dropbear with your favorite ssh client. Once logged in, check your path to make sure /opt/bin and /opt/sbin are at the front of your path so they pick up the Entware versions instead of the firmware versions.
So, what did I get out of this? Not much, to be honest. I was able to install man-pages from Entware, which won't install with the standard setup because it expects user 0 to be called "root", which was the reason I tried this out (had I realized just how little is in the Entware man-pages package, I might not have bothered). I haven't tried openssh-server with this setup yet, but I was unable to get it to work with the standard setup. I do suspect this alternative setup will allow openssh-server to work since the Entware users are independent of the firmware users with this setup. The Entware wiki implies there may be other packages that would not work or have issues with the standard setup.
On the other hand, I haven't lost anything. Everything still works, although annoyingly the Entware busybox "top" command has to be exited with ctrl-c instead of just q. Anything that's hard-coded to go to /bin or /sbin will pick up the firmware busybox. Right now the hashed password is in passwd, which even though dropbear shouldn't be exposed to the wan, and requires a keypair to log into the router, is still technically a security risk, so I'll have to get shadow set up.
Once more, in case you don't read the comments, RMerlin advises against installing Entware's busybox, because there are custom patches to it by him, ASUS, and Broadcom. Just because I haven't had any issues doesn't mean you won't!
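Added example (not part of the original post, and not Entware or firmware code): a POSIX sh check for the condition the post ends on, a password hash stored in the world-readable passwd file instead of shadow. The function names `audit_passwd` and `sample_passwd` are hypothetical, and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a passwd-format file (or stdin) and print one finding per line:
#   HASH_IN_PASSWD <user>  field 2 holds a hash instead of the "x" shadow marker
#   EMPTY_PASSWORD <user>  field 2 is empty, so no password is required
#   UID0 <user>            account maps to UID 0, whatever it is named
audit_passwd() {
    awk -F: '
        NF < 3 || $1 ~ /^#/ { next }            # skip blank, short and comment lines
        $2 == ""            { print "EMPTY_PASSWORD " $1 }
        # "x" means the hash lives in shadow; "*", "!" or "!!" alone means locked.
        # Anything else (including a locked "!<hash>") exposes a hash in passwd.
        $2 != "" && $2 != "x" && $2 !~ /^[*!]+$/ { print "HASH_IN_PASSWD " $1 }
        $3 == "0"           { print "UID0 " $1 }
    ' "${1:--}"
}

# Constructed sample data: the hash below is a placeholder, not a real credential.
sample_passwd() {
    cat <<'EOF'
root:$1$constructed$NotARealHashJustASample00:0:0:root:/opt/root:/bin/sh
nobody:*:65534:65534:nobody:/var:/bin/false
sshd:x:22:22:sshd:/var/run/sshd:/bin/false
guest::1000:1000:guest:/tmp:/bin/sh
EOF
}

# Demo run on the constructed sample.
sample_passwd | audit_passwd
```

On a router set up as in the post, the file to check would be passed as the argument, for example `audit_passwd /opt/etc/passwd`.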