Opengear devices ship from the factory with a single account enabled:
- Username: root
- Password: default
This account grants complete control over the Opengear device. To secure your Opengear device, it is essential that you change the root password during initial setup as per the instructions below.
Custom factory password
As a security precaution against the Opengear device being accidentally or maliciously factory erased, we recommend that you change the factory default password from "default". This optional step saves your root password hash in non-volatile memory. You can view the saved hash by running: setfset -r
If the custom factory password is lost, the Opengear device will require firmware recovery to become accessible.
Disabling root login
As a further security precaution, you may disable root login after completing setup. This does not remove the root account entirely, but disables password login from web UI, CLI and console. SSH public key login is still permitted.
Also note that serial port cascading setup and Lighthouse Central Management setup both require root login to be enabled, so that authorized SSH keys can be propagated automatically (advanced users may wish to install keys manually).
When root is disabled, admin group users can elevate themselves to root at the CLI by running: sudo -s
Web UI instructions
During initial setup:
- Log in to the Opengear web UI as root or an admin group user
- Click Serial & Network -> Users & Groups -> root -> Edit
- Set a strong Password and Confirm (note that complexity requirements are not enforced)
- To optionally make this the custom factory password, check Save Password across firmware erases
- Click Apply
After setup is complete, to disable the root account:
- If you have not already done so, configure at least one admin group user
- Log in to the Opengear web UI as an admin group user
- If you have installed SSH authorized keys for root:
  - Click Serial & Network -> Users & Groups -> root -> Edit
  - Remove any user-installed SSH Authorized Keys (i.e. those not installed by cascading or Lighthouse)
  - Click Apply
- Click Serial & Network -> Users & Groups -> root -> Disable
CLI instructions
During initial setup:
- Log in to the Opengear CLI as root or an admin group user
- Where oursecret is the new root password (when applied this password is hashed and scrubbed from config), run:
config -s config.users.user1.plaintext_password=oursecret
- To optionally make this the custom factory password, run:
config -s config.users.user1.password_nvflash=on
- To apply, run:
config -r users
For more details on user management from the CLI, refer to this article.
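The following is an added example, not Opengear's own tooling, that wraps the initial-setup commands above: it reads the new root password with terminal echo off so it does not end up in shell history, and, because the device does not enforce complexity requirements, rejects weak candidates before calling config. The 12-character minimum, the letter-and-digit rule, the function names and the script name set-root-pw.sh are assumptions.

```shell
#!/bin/sh
# Added example, not Opengear's own tooling. Uses only the config keys shown above.
MIN_LEN=12   # assumption: local policy; the device itself enforces none

# password_ok PW -> 0 if PW meets the assumed local policy
password_ok() {
    pw=$1
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1          # long enough
    [ "$pw" != "default" ] || return 1               # never the factory password
    case $pw in *[0-9]*) ;; *) return 1 ;; esac      # at least one digit
    case $pw in *[A-Za-z]*) ;; *) return 1 ;; esac   # at least one letter
    return 0
}

# set_root_password PW [nvflash]
# Sets the root (user1) password; with "nvflash" also saves it as the
# custom factory password. Nothing is written if PW fails the policy.
set_root_password() {
    if ! password_ok "$1"; then
        echo "password rejected by local policy" >&2
        return 1
    fi
    config -s "config.users.user1.plaintext_password=$1" || return 1
    if [ "${2:-}" = "nvflash" ]; then
        config -s config.users.user1.password_nvflash=on || return 1
    fi
    config -r users
}

# read_secret PROMPT -> reads one line into $secret with terminal echo off
read_secret() {
    printf '%s' "$1" >&2
    stty -echo
    IFS= read -r secret
    stty echo
    echo >&2
}

# prompt_and_set [nvflash]: interactive entry with confirmation
prompt_and_set() {
    read_secret 'New root password: '; first=$secret
    read_secret 'Confirm: '
    if [ "$first" != "$secret" ]; then
        echo "passwords do not match" >&2
        return 1
    fi
    set_root_password "$first" "${1:-}"
}

# Run interactively only when asked, e.g.: sh set-root-pw.sh --run nvflash
if [ "${1:-}" = "--run" ]; then
    prompt_and_set "${2:-}"
fi
```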
After setup is complete, to disable the root account:
- Log in to the Opengear CLI as root or an admin group user
- Run:
config -s config.users.user1.disabled=on
config -r users