From: Patrick Ohly <patrick.ohly@intel.com>
To: "Robert P. J. Day" <rpjday@crashcourse.ca>
Cc: OE Core mailing list <openembedded-core@lists.openembedded.org>
Subject: Re: how to *securely* do a remote install of an OE image?
Date: Tue, 28 Feb 2017 13:27:55 +0100
Message-ID: <1488284875.7785.41.camel@intel.com>
In-Reply-To: <alpine.LFD.2.20.1702280518430.30803@localhost.localdomain>

On Tue, 2017-02-28 at 05:28 -0500, Robert P. J. Day wrote:
>   my immediate reaction was to use SSH keys, where the
> newly-installed system would require SSH logins, and would have to
> match the corresponding private key.

That would also be my preferred approach.

>   as an alternative, perhaps don't worry about such a situation, but
> when the authorized user logs in for what is *supposed* to be the
> first time, it will be flagged that someone else has already logged in
> earlier, and a warning will be printed, "Previous login to root
> detected, you have been compromised, please re-install!"

Or, along the same lines, set an empty root password and force the user
to set a password on the first login. There are ways to do that with
PAM, but I don't have anything at hand.

>   i'm sure there are plenty of ways of doing this, anyone have any
> pointers?

For ssh keys, there's rootfsdebugfiles.bbclass. In local.conf:

INHERIT += "rootfsdebugfiles"
ROOTFS_DEBUG_FILES += "/home/pohly/.ssh/id_rsa.pub ${IMAGE_ROOTFS}/home/root/.ssh/authorized_keys ;"

This copies my id_rsa.pub into authorized_keys and thus lets me log
into images that I create via ssh.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
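The two options discussed above (an authorized_keys file baked in via rootfsdebugfiles, and an empty root password that must be changed on first login) both hinge on what else in the image accepts a login. The following is an added example, not code from the thread or from OpenEmbedded: a POSIX sh audit that runs against a built rootfs directory before it is flashed or remotely installed and fails unless the intended public key is the only way in. It uses only standard OpenSSH sshd_config keywords and the shadow(5) password field; the rootfs layout (/home/root/.ssh/authorized_keys, /etc/ssh/sshd_config, /etc/shadow) matches what the local.conf snippet above produces but is an assumption for any given image.

```shell
#!/bin/sh
# Added example (not from the thread or from OE): audit a built rootfs so
# that the SSH key is the only login path. Paths below are assumptions
# about the image layout; sshd keywords and shadow fields are standard.

# sshd_opt CONFIG KEYWORD -> effective value of KEYWORD, or "" if unset.
# sshd takes the first occurrence; lines inside Match blocks are skipped
# here for simplicity (they only narrow, never widen, the global setting
# for a matching user, so a "no" found globally is what matters).
sshd_opt() {
  awk -v k="$2" '
    tolower($1)=="match" { inmatch=1 }
    !inmatch && tolower($1)==tolower(k) { print $2; exit }
  ' "$1" 2>/dev/null
}

# audit_rootfs ROOTFS PUBKEY -> prints findings; returns 0 only if clean
audit_rootfs() {
  rootfs=$1; pubkey=$2; fail=0

  [ -f "$pubkey" ] || { echo "FAIL: $pubkey missing"; return 1; }

  # 1. The intended key (type + base64 blob, comment dropped) must be in
  #    root's authorized_keys; an empty or missing file means no key login.
  ak="$rootfs/home/root/.ssh/authorized_keys"
  keyblob=$(cut -d' ' -f1,2 "$pubkey")
  if ! grep -qF -- "$keyblob" "$ak" 2>/dev/null; then
    echo "FAIL: expected key not present in $ak"; fail=1
  fi

  # 2. sshd must not accept passwords at all. OpenSSH defaults are
  #    PasswordAuthentication yes, PermitEmptyPasswords no and
  #    PermitRootLogin prohibit-password, so "unset" is only safe for the
  #    latter two.
  cfg="$rootfs/etc/ssh/sshd_config"
  if [ "$(sshd_opt "$cfg" PasswordAuthentication)" != "no" ]; then
    echo "FAIL: PasswordAuthentication is not 'no' (OpenSSH default is yes)"
    fail=1
  fi
  if [ "$(sshd_opt "$cfg" PermitEmptyPasswords)" = "yes" ]; then
    echo "FAIL: PermitEmptyPasswords yes"; fail=1
  fi
  case "$(sshd_opt "$cfg" PermitRootLogin)" in
    yes) echo "FAIL: PermitRootLogin yes (use prohibit-password)"; fail=1 ;;
  esac

  # 3. root's password field in /etc/shadow: empty means password-less
  #    login wherever empty passwords are accepted (console, PAM, sshd
  #    with PermitEmptyPasswords yes). "*" or "!..." means locked.
  shadow="$rootfs/etc/shadow"
  if [ -f "$shadow" ]; then
    hash=$(awk -F: '$1=="root"{print $2}' "$shadow")
    case "$hash" in
      "")     echo "FAIL: root has an empty password"; fail=1 ;;
      \*|!*)  echo "OK: root password locked" ;;
      *)      echo "WARN: root has a password set; ensure it is not a known default" ;;
    esac
  else
    echo "FAIL: $shadow missing"; fail=1
  fi

  return "$fail"
}

# Usage: audit.sh /path/to/image-rootfs ~/.ssh/id_ed25519.pub
if [ $# -eq 2 ]; then
  audit_rootfs "$1" "$2"
fi
```

Run it against the unpacked rootfs (or the directory bitbake leaves under tmp/work/.../rootfs) rather than the running board, so the check happens before the image is ever reachable over the network. Note that step 3 flags the empty-root-password approach from the thread as a failure on purpose: it is only acceptable when sshd is configured so that the empty password cannot be used remotely, which step 2 verifies.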

Thread overview: 7+ messages
2017-02-28 10:28 how to *securely* do a remote install of an OE image? Robert P. J. Day
2017-02-28 12:27 ` Patrick Ohly [this message]
2017-02-28 12:32   ` Gary Thomas
2017-02-28 12:42     ` Patrick Ohly
2017-02-28 15:20   ` Robert P. J. Day
2017-02-28 16:52     ` Bryan Evenson
2017-02-28 16:33 ` Enrico Scholz