
Default SSH credentials used in Public versions or old versions (prior to 0.2.14-r8):
Login: root
Password: 930920
Port: 22

Attention! Beginning with version 0.2.14-r8, changes were made to the security system.

SSH is locked in Factory versions (versions created by the Manufacturer to be placed on the Manufacturer's or Operator's web server for auto-update, and used for manual update from the Embedded portal).
SSH is open on the standard TCP port (22) in Public versions from the Manufacturer (which are provided in Releases at soft.infomir.com).
In image versions created by Operators, SSH can be disabled or enabled.

Port configuration

The default TCP port used for SSH (22) can be changed to another permissible value either on a working STB, separately for each STB, or for the entire software version during the image building process.

MAG2xx (STMicroelectronics chipsets based)

  • Open the following file in the Rootfs (in edit mode): /etc/openssh/sshd_config
  • Make changes to the #Port line: remove the leading # (sshd ignores commented lines) and set the new value. For example, to change the port value to 2222: Port 2222

  • Save changes.
    Note. To apply the new settings on a working STB, reset the STB after reconfiguring.
  sshd_config file contents example for MAG2xx. Changing port value for SSH connection. New value: 2222

# vi etc/openssh/sshd_config
# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/openssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/openssh/ssh_host_rsa_key
#HostKey /etc/openssh/ssh_host_dsa_key
#HostKey /etc/openssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/openssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes

# This is a modification for the default installation of the STLinux
# Distribution. You should never ship a real system in this state.
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options

MAG-3xx (Broadcom chipsets based)

  • Open the following file in the rootfs (in edit mode): /etc/rc.d/rcS.d/S60netsrv
  • Make changes to the line dropbear. For example, to change the port value to 2222:
    dropbear -p 2222

  • Save changes.
    Note. To apply the new settings on a working STB, reset the STB after reconfiguring.
  S60netsrv file contents - example for MAG3xx. New port value for SSH connection (2222) has been set.

# vi /etc/rc.d/rcS.d/S60netsrv
#!/bin/sh

. /etc/init.d/splash-utils.sh

${SPLASH} prg 40
${SPLASH} clear_log
${SPLASH} log "Starting network services..."

#portmap &
#telnetd

if [ -e /sbin/dropbear ]; then
    if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
        mkdir -p /etc/dropbear
        dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
    fi
    dropbear -p 2222
fi

MAG-4xx (Hisilicon chipsets based)

  • Open the following file in the rootfs (in edit mode): /etc/init.d/S81dropbear
  • Make changes to the line TARGET_BIN=/sbin/dropbear - append the new port value to the end of the record as follows: -p <Port_number>. For example, to change the port value to 2222: TARGET_BIN="/sbin/dropbear -p 2222"

  • Save changes.

Note. To apply the new settings on a working STB, reset the STB after script modification.

  S81dropbear file contents - example for MAG4xx. New port value for SSH connection (2222) has been set.

#!/bin/sh

TARGET_DESC="Dropbear (SSH daemon)"
TARGET_BIN="/sbin/dropbear -p 2222"

source /etc/utils/shell-utils.sh

echo "[IM][system init][+][${TARGET_DESC}] Starting..."

/sbin/ifup eth0

# wait for /dev/urandom before we start dropbear
while [ 1 ]; do
    if [ -c /dev/urandom ]; then
        #echo "[IM][system init][+][${TARGET_DESC}] urandom is ready"
        break;
    else
        #echo "[IM][system init][i][${TARGET_DESC}] urandom NOT found. waiting..."
        sleep 0.2
    fi
done

if [ -e /sbin/dropbear ]; then
    if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
        echo "[IM][system init][+][${TARGET_DESC}] HOST KEY not found. Creating host key"
        mkdir -p /etc/dropbear
        dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
    fi

    $TARGET_BIN
    #-E 2>> /ram/db.txt

    #echo "$?" >> /ram/db.txt

    if [ $? -eq 0 ]; then
        echo "[IM][system init][i][${TARGET_DESC}] Started OK"
    else
        echo "[IM][system init][!][${TARGET_DESC}] FAILED to start!"
    fi
fi

${SPLASH} prg 50
${SPLASH} clear_log
${SPLASH} log "Init SSH server..."

How to change SSH password for image-making

1. Log in to the STB via SSH.
2. Run passwd and change the password.

3. Copy the contents of the following file:

  • For MAG250/254/270 - /etc/shadow

  • For MAG256, 322/324/349/351 - /etc/passwd

  • For MAG420/424 - /etc/shadow

4. Insert (substitute) the copied contents into the file of the same name in the RootFS that will be used to build the image.

  Example. MAG322. Viewing contents of /etc/passwd after changing the password. New password value: Qwerty1!

# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
# cat /etc/passwd
root:$1$TQP9rlUW$LzukH8Q0RoTcHIsXlpG3L1:0:0:root:/root:/bin/sh
bin:*:1:1:bin:/bin:/dev/null
daemon:*:2:2:daemon:/sbin:/dev/null
adm:*:3:4:adm:/var/tmp:/dev/null
ftp:*:14:50:FTP User:/var/tmp:/dev/null
nobody:*:99:99:Nobody:/:/dev/null
rpcuser:x:29:29:RPC Service User:/var/tmp:/dev/null
client:x:1000:100:Nexus client:/:/bin/sh
user1001:x:1001:100:User ID 1001:/:/bin/sh
user1002:x:1002:100:User ID 1002:/:/bin/sh
nfsnobody:x:65534:65534:Anonymous NFS User:/var/tmp:/dev/null
_ntp:x:1000:1000:OpenNTP daemon:/var/empty:/dev/null
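
A check for steps 3 and 4 above, as an added example that is not part of the original article: before the copied file goes into the RootFS, it reads the root entry, names the hash scheme from its crypt(3) prefix, and confirms that the hash differs from the one in the release file. The function names and the release entry are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Inspect the root entry of the passwd or
# shadow file that is about to be placed into the RootFS.

# Print the password field (second field) of the root entry.
root_field() { awk -F: '$1 == "root" { print $2; exit }' "$1"; }

# Classify the root password field by its crypt(3) prefix.
root_pw_scheme() {
    f=$(root_field "$1")
    case $f in
    "")        echo empty ;;        # no password set
    x)         echo shadowed ;;     # hash is kept in /etc/shadow
    '*'*|'!'*) echo locked ;;       # password login not possible
    '$1$'*)    echo md5crypt ;;     # scheme seen in the MAG322 listing
    '$5$'*)    echo sha256crypt ;;
    '$6$'*)    echo sha512crypt ;;
    *)         echo other ;;
    esac
}

# Succeeds only if the new file has a non-empty root field that differs
# from the root field of the release file.
root_pw_changed() {
    old=$(root_field "$1"); new=$(root_field "$2")
    [ -n "$new" ] && [ "$new" != "$old" ]
}

# Demo: the root entry from the MAG322 listing above next to a constructed
# release entry (placeholder hash, not a real default).
tmp=$(mktemp -d)
echo 'root:$1$TQP9rlUW$LzukH8Q0RoTcHIsXlpG3L1:0:0:root:/root:/bin/sh' > "$tmp/new"
echo 'root:$1$PLACEHLD$constructedReleaseHash:0:0:root:/root:/bin/sh' > "$tmp/old"
echo "scheme: $(root_pw_scheme "$tmp/new")"    # scheme: md5crypt
root_pw_changed "$tmp/old" "$tmp/new" && echo "root hash replaced"
rm -rf "$tmp"
```

The `$1$` prefix marks MD5-crypt, which is cheap to brute-force offline, so the copied file and any image built from it should be handled as secrets.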

How to disable/enable SSH connection

Disabling SSH connection

You can disable SSH access on a working STB, separately for each STB (reboot the STB to apply the new settings), or for the entire software version during the image building process.

To disable SSH access:

  • MAG2xx - delete the script files etc/rcS.d/S30ssh and /usr/sbin/sshd
  • MAG3xx - comment out the line dropbear in the script file /etc/rc.d/rcS.d/S60netsrv
  • MAG4xx - comment out the line TARGET_BIN=/sbin/dropbear in the script file /etc/init.d/S81dropbear
  S60netsrv file contents - example for MAG3xx. SSH access has been disabled

#!/bin/sh
. /etc/rc.d/init.d/splash-utils.sh

${SPLASH} prg 40
${SPLASH} clear_log
${SPLASH} log "Starting network services..."

#portmap &
#telnetd

if [ -e /sbin/dropbear ]; then
    if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
        mkdir -p /etc/dropbear
        dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
    fi
    # dropbear
fi

  S81dropbear file contents - example for MAG4xx. SSH access has been disabled

#!/bin/sh

TARGET_DESC="Dropbear (SSH daemon)"
# TARGET_BIN=/sbin/dropbear

source /etc/utils/shell-utils.sh

echo "[IM][system init][+][${TARGET_DESC}] Starting..."

/sbin/ifup eth0

# wait for /dev/urandom before we start dropbear
while [ 1 ]; do
    if [ -c /dev/urandom ]; then
        #echo "[IM][system init][+][${TARGET_DESC}] urandom is ready"
        break;
    else
        #echo "[IM][system init][i][${TARGET_DESC}] urandom NOT found. waiting..."
        sleep 0.2
    fi
done

if [ -e /sbin/dropbear ]; then
    if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
        echo "[IM][system init][+][${TARGET_DESC}] HOST KEY not found. Creating host key"
        mkdir -p /etc/dropbear
        dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
    fi

    $TARGET_BIN
    #-E 2>> /ram/db.txt

    #echo "$?" >> /ram/db.txt

    if [ $? -eq 0 ]; then
        echo "[IM][system init][i][${TARGET_DESC}] Started OK"
    else
        echo "[IM][system init][!][${TARGET_DESC}] FAILED to start!"
    fi
fi

${SPLASH} prg 50
${SPLASH} clear_log
${SPLASH} log "Init SSH server..."

Enabling SSH connection

To resume SSH connection support on an STB, update the STB to a version with SSH access enabled.

To enable SSH access in new image versions, restore in the Rootfs the original versions of the script files specified above. The original versions of the script files are provided in the Release.
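
One way to verify the port and disable/enable procedures above on an unpacked RootFS before building the image, as an added example that is not part of the original article or the vendor's tooling: it reports whether SSH would start and on which port for each STB family. The function names and the family labels passed as the second argument are assumptions made up for illustration; the file paths are the ones named in the article.

```shell
#!/bin/sh
# Added example, not vendor code. Usage: ssh_state <rootfs_dir> <mag2xx|mag3xx|mag4xx>
# Prints "disabled" or "enabled port <N>" for an unpacked RootFS.

# Port from a dropbear command line: the token after -p, accepting the
# [address:]port form; 22 when no -p option is present.
dropbear_port() {
    p=$(printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-p") {
            n = split($(i + 1), a, ":"); gsub(/[^0-9]/, "", a[n]); print a[n]; exit } }')
    echo "${p:-22}"
}

ssh_state() {
    root=$1
    case $2 in
    mag2xx)
        # Disabled per the article: both the start script and the daemon are deleted.
        if [ ! -e "$root/etc/rcS.d/S30ssh" ] && [ ! -e "$root/usr/sbin/sshd" ]; then
            echo disabled; return 0
        fi
        # sshd ignores lines starting with '#'; the first active Port directive is reported.
        p=$(awk 'tolower($1) == "port" { print $2; exit }' \
            "$root/etc/openssh/sshd_config" 2>/dev/null) || :
        echo "enabled port ${p:-22}" ;;
    mag3xx)
        # Active start line: first word is exactly "dropbear" (not dropbearkey).
        line=$(awk '$1 == "dropbear" { print; exit }' \
            "$root/etc/rc.d/rcS.d/S60netsrv" 2>/dev/null) || :
        if [ -z "$line" ]; then echo disabled; else echo "enabled port $(dropbear_port "$line")"; fi ;;
    mag4xx)
        # Active when the TARGET_BIN= assignment is not commented out.
        line=$(awk '/^[ \t]*TARGET_BIN=/ { print; exit }' \
            "$root/etc/init.d/S81dropbear" 2>/dev/null) || :
        if [ -z "$line" ]; then echo disabled; else echo "enabled port $(dropbear_port "$line")"; fi ;;
    *)
        echo "unknown family: $2" >&2; return 2 ;;
    esac
}

# Demo on a constructed RootFS (sample data, not from a real image).
demo=$(mktemp -d)
mkdir -p "$demo/etc/init.d"
printf '%s\n' '#!/bin/sh' 'TARGET_BIN="/sbin/dropbear -p 2222"' > "$demo/etc/init.d/S81dropbear"
ssh_state "$demo" mag4xx    # enabled port 2222
rm -rf "$demo"
```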




Dave is an expert on the MAG STB and the author of this article.
