Passwords in Turris OS⚓︎

Passwords are an important part of security of operating systems. This article describes how Turris OS works with passwords and which security measures are used.

About passwords⚓︎

In general, Turris OS has two distinct classes of passwords:

• one password for Foris and reForis,
• user-related passwords for other purposes (e.g. LuCI and SSH); ie. system passwords.

These passwords are set separately but Foris and reForis can set the same password for Foris/reForis and for the root user (see below).

Unlike some other routers, Turris has no default nor hard-coded passwords. The Foris/reForis password is originally set in the first start guide. System passwords need not be set there but you won’t be able to log into LuCI nor access your router via SSH if no password is set for the root user.

How passwords are stored and secured⚓︎

Foris/reForis password⚓︎

The Foris/reForis password is stored as the auth.password configuration option in /etc/config/foris. It is stored as a salted hash using PBKDF2 as its algorithm (currently with 1000 iterations).

System passwords⚓︎

System passwords are stored using the same method as common Linux distributions do: in /etc/shadow together with their user names. These passwords are stored as salted hashes; the hashing algorithm is currently SHA-512 but it can be changed in the future.

How to change passwords⚓︎

Foris/reForis password⚓︎

Select Administration → Password in the menu. Write the current password and the new password. The new password should be strong.

System passwords⚓︎

You can use the same password as for Foris/reForis. See the dialog above; check Use the same password… to ensure this. If you want to set a different password you can fill the second dialog at the same page.

It can be also set via LuCI or via passwd in the command line. It is also possible to create additional users and set their password using standard command line commands like useradd.