Password management on UBNT airOS (airMax, AirFiber, LTU, etc.)

Share your Config Push presets or discuss automation in general
Post Reply
User avatar
Tomas
Posts: 1029
Joined: Sat Jun 25, 2016 12:33 pm

Wed Oct 13, 2021 10:02 pm

Here are 2 approaches to automate password changes / password management on Ubiquiti airOS based gear (airMAx, AirFiber, EdgePower, LTU, ToughSwitch, etc.). Both approaches here have their advantages and disadvantages, feel free to choose the one that suits you better.

Approach 1:

Code: Select all

new_pwd="new_password_here"

echo -e "$new_pwd\n$new_pwd" | passwd
pwd_hash=$(cat /etc/passwd | grep ${USER} | cut -d ":" -f 2)

sed -ir "s!users.1.password=.+!users.1.password=${pwd_hash}!" /var/tmp/system.cfg
save
This will generate a unique password hash on each device, and save it to the config file. Please note the device has to be rebooted ("reboot" command) for this change to take effect.

The advantage of this approach is that each device will have it's own unique password hash, which can be considered more secure than the 2nd alternative. The disadvantage is that you need to keep the password in clear-text inside the Config Push preset, and each run of the Push will change device configuration (generate a new hash and save it).

This option is therefore not very well suited for running periodically / on schedule, as it would generate constant Config Change Notifications from your Unimus instance.

Here is the 2nd option:

Code: Select all

new_pwd_hash="$1$FvmuQvF1$ZynBOWqQ7ftHZpOuVua.W."

current_pwd_hash=$(cat /etc/passwd | grep ${USER} | cut -d ":" -f 2)
if [$current_pwd_hash == $new_pwd_hash]; then
  echo "Password already set, no update needed."
else
  sed -ir "s!users.1.password=.+!users.1.password=${new_pwd_hash}!" /var/tmp/system.cfg
  echo "Password updated!"
  save
fi
This option has multiple advantages. Since you provide a hash, no cleartext password is present in the Config Push preset. We can also compare the currently existing hash to our desired hash, and only perform a change on the device if needed. This script is therefore idempotent, and could be easily ran on schedule. A disadvantage is that the hash will be the same on all devices, negating the advantages that hash salts provide.

When running the 2nd option in Unimus, you would get 2 output groups - one with devices which already had correct password, and another with devices on which the password was updated. You could easily then trigger a "reboot" only on devices that need it with a few clicks.

To generate the hash, you can use the "mkpasswd -m md5" command. Please note that airOS does NOT support hashes other than md5, and using a different hash will result in an inaccessible device.
Post Reply