How do I write a new hashed password?

[fraternl]

The variable MOD_HTTPD_PASSWD is a hashed password for the Freetz interface which resides in /var/mod/etc/conf/mod.cfg
This password is hashed and I have no idea how.

This is that variable when the password has never been changed.

grep PASS /var/mod/etc/conf/mod.cfg
export MOD_HTTPD_PASSWD='$1$$zO6d3zi9DefdWLMB.OHaO.'

I would like to create a new password into that file instead of "freetz"
I don't want to keep that password for a production box.
I will change it manually later on.
But I also don't want it left at "freetz" in case I forgot to change it.

In case the password is never configured before I want to write the password to it that's on the back of the fritzbox.
I can find that password here:

#
BACKPASS=`grep '^webgui_pass'  /proc/sys/urlader/environment | awk '{print $2}' | egrep -o '[a-z]+[0-9]+'`
#

But before I can replace the password I need it hashed.

Can anyone help me with that?

[fraternl]

It turns out a valid hash can be made with httpd -m <plaintext>

CONFIG=/var/mod/etc/conf/mod.cfg
BACKPASS=`grep '^webgui_pass'  /proc/sys/urlader/environment | awk '{print $2}' | egrep -o '[a-z]+[0-9]+'`
if echo -n "${BACKPASS}" | wc -c | grep -q '^10$' ; then
  /etc/init.d/rc.webcfg stop
  BOXMD5="`/usr/sbin/httpd -m ${BACKPASS}`"
  sed -i "s/^export MOD_HTTPD_PASSWD=.*/export MOD_HTTPD_PASSWD=\'${BOXMD5}\'/g" ${CONFIG}
  modsave all
  /etc/init.d/rc.webcfg start
fi

[fda77]

modconf

[fraternl]

I can now successfully provision my box (also after a factory reset) with my preferred setting and having the "standard password" of the box itself as my login for both the Freetz-WebIf and the maiden SSH root password.
Normally these 2 are "freetz" after a factory reset.

md5pw() { /bin/busybox cryptpw -m md5 -S "" "$1"; }
BACKPASS=`grep '^webgui_pass'  /proc/sys/urlader/environment | awk '{print $2}' | egrep -o '[a-z]+[0-9]+'`

md5pw freetz
$1$$zO6d3zi9DefdWLMB.OHaO.
md5pw ${BACKPASS}
$1$$qRPK7m23GJusamGpoGLby/

This $1$$zO6d3zi9DefdWLMB.OHaO. is hardcoded at several places in the Freetz sources.

I liked the warning in the Freetz interface when the password hasn't changed.
Because it doesn't give me a warning anymore after the script changed the password I needed to change 00-password.sh

cat ./make/pkgs/mod/files/root/usr/mww/cgi-bin/status.d/00-password.sh

default_password_set() {
        [ "$MOD_HTTPD_PASSWD" == '$1$$zO6d3zi9DefdWLMB.OHaO.' ] || [ "$MOD_HTTPD_PASSWD" == "$(md5pw "$BACKPASS")"  ]
}

md5pw() { /bin/busybox cryptpw -m md5 -S "" "$1"; }

BACKPASS=`grep '^webgui_pass'  /proc/sys/urlader/environment | awk '{print $2}' | egrep -o '[a-z]+[0-9]+'`

if default_password_set; then
        print_warning "$(lang \
          de:"Standard-Passwort gesetzt. <a href=\"/cgi-bin/passwd.cgi\">Bitte &auml;ndern!</a> " \
          en:"Default password set. <a href=\"/cgi-bin/passwd.cgi\">Please change!</a>" \
        )"
fi

I saw somewher in "make menuconfig" that it's possible to change the default password upon compiling.

It could be a reason to change this warning script (00-password.sh) to follow that.
Maybe that warning should be optional for those who want to obfuscate that they are using the same password for each box.

I prefer /bin/busybox cryptpw -m md5 -S "" "$1"; over /usr/sbin/httpd -m because it is also used by Freetz itself as initial password and because I can easily compare the hashes.

I'm aware that this is all not that secure, but it's more secure than having "freetz" as password.
I'm also aware that it's tempting to keep using this program.

Making it possible to login with a special user and a password that's written on the back can be useful if you want to talk a client through a procedure to get Internet again after factory reset.

[fda77]

You dont need to (should not!) force md5, it was the best when the hash was created - and you have to change it. CVE-2022-21800 CVE-2022-38023 CVE-2004-2761 etc

[fraternl]

It's for writing a temporary password, just like the password "freetz" which is known by everyone using this project as its default password.
imho a bit more secure.