When I first got serial port access to my Circle, I grabbed the /etc/shadow file and started running “John The Ripper” to attempt to crack the root password (it’s been running for 47 days). The hope was that I could crack the password, making it easier for others to get into their Circle devices (without requiring a serial port).
Well, I just installed the latest firmware from Circle, and found that they have changed to using key-based ssh login instead of password. In the process, they’ve removed the root password (so you can’t login as root anymore, unless you have their private ssh key).
The new /mnt/shares/usr/bin/startcircle script has the following line:
[ -f $DIR/scripts/authorized_keys ] && { diff $DIR/scripts/authorized_keys /etc/dropbear/authorized_keys > /dev/null || { cp -f $DIR/scripts/authorized_keys /etc/dropbear/authorized_keys; sed -i -e 's/root:[^:]*:/root:*:/g' /etc/shadow; } }
The above line copies Circle's ssh 'authorized_keys' file from /mnt/shares/usr/bin/scripts to /etc/dropbear whenever the two copies differ, and in the same step replaces the password hash for the user 'root' in '/etc/shadow' with '*', which locks the account against password login.
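To see exactly what that one-liner does to a shadow file, here is an added example (my own script, not code from the Circle firmware) that reproduces the same key rollout and root lock on a throwaway directory. The device paths, the sample /etc/shadow contents, the placeholder hash and the key line are all constructed for the demo; only the sed expression is the firmware's own.

```shell
#!/bin/sh
# Added example, not the Circle firmware's code: replays the startcircle
# key rollout and root-password lock on constructed files so each step's
# effect can be inspected.

# Constructed sample /etc/shadow (the root hash is a placeholder, not a
# real Circle hash).
SAMPLE_SHADOW='root:$1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
nobody:*:16000:0:99999:7:::'

# lock_root_password SHADOW_FILE
# Same sed as the firmware: swaps root's hash field for '*'. No password
# hashes to '*', so password authentication for root can never succeed.
lock_root_password() {
    sed -i -e 's/root:[^:]*:/root:*:/g' "$1"
}

# root_hash_field SHADOW_FILE: prints the second field of root's entry.
root_hash_field() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# sync_authorized_keys SRC DST SHADOW_FILE
# Mirrors the firmware logic: only when SRC exists and differs from DST is
# DST replaced and root's password locked. Returns 0 when an update was
# applied, 1 when nothing changed.
sync_authorized_keys() {
    src=$1; dst=$2; shadow=$3
    [ -f "$src" ] || return 1
    if diff "$src" "$dst" > /dev/null 2>&1; then
        return 1
    fi
    cp -f "$src" "$dst"
    lock_root_password "$shadow"
    return 0
}

# demo_setup: builds a temporary tree that mimics the device layout and
# exports its root in $DEMO.
demo_setup() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/scripts" "$DEMO/etc/dropbear"
    printf '%s\n' "$SAMPLE_SHADOW" > "$DEMO/etc/shadow"
    # Constructed key line; not the key from the post.
    echo 'ssh-rsa AAAAexamplekeydata== example@host' > "$DEMO/scripts/authorized_keys"
}

# Walk through the rollout and print root's hash field before and after.
demo_setup
echo "before: root hash field = $(root_hash_field "$DEMO/etc/shadow")"
sync_authorized_keys "$DEMO/scripts/authorized_keys" \
    "$DEMO/etc/dropbear/authorized_keys" "$DEMO/etc/shadow" \
    && echo "keys installed, root locked"
echo "after:  root hash field = $(root_hash_field "$DEMO/etc/shadow")"
rm -rf "$DEMO"
```

Because the copy and the lock only fire when the two authorized_keys files differ, a device whose key file already matches keeps whatever shadow entry it had; the lock is tied to the key rollout, not applied on every boot.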
The new ‘/etc/dropbear/authorized_keys’ has one entry for Circle’s key:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuIaD23ac41XZp5AcSSOunHXHYN38dF2YX+rmb0QT4zxKFnccl6BpzoxGb604rPc4eQ477glWyM4D/jTIyaKqmA7P1iVMym8v5nSXH6haSc/KrzV5EizmalXd4+eoK8ddSgpoci0P9oul3yiWtvccwN5WQ5H/DZhyYvdM73kKnYh3JUllx8JnGi1Qa0nhNGfrhIqaApTc/AyIAFR9I8wtp5KR98xRH5u/hEm1IMB5lo7yS6yJUcupIctnW/C2qUOD7WtWzZvJtgAmmhh+A1XLU42PruPtTfQ2EAHUmNJ+xVssUl3N2cIhvCt1sm5o8DymttOS4xot6Ni06UZ/LK/iKw== tzhang@gateway
Brute-forcing an ssh RSA private key isn't feasible, and logging in as 'root' with a password is no longer possible, so there's no longer any point in continuing the password-cracking run.
No worries, though – we can still get in without a serial port or the root password. I’ll post details on modifying a firmware update image to add a new user (with root privileges) soon.