From: Patrick Ohly <patrick.ohly@intel.com>
To: "Robert P. J. Day" <rpjday@crashcourse.ca>
Cc: OE Core mailing list <openembedded-core@lists.openembedded.org>
Subject: Re: how to *securely* do a remote install of an OE image?
Date: Tue, 28 Feb 2017 13:27:55 +0100 [thread overview]
Message-ID: <1488284875.7785.41.camel@intel.com> (raw)
In-Reply-To: <alpine.LFD.2.20.1702280518430.30803@localhost.localdomain>
On Tue, 2017-02-28 at 05:28 -0500, Robert P. J. Day wrote:
> my immediate reaction was to use SSH keys, where the
> newly-installed system would require SSH logins, and would have to
> match the corresponding private key.
That would also be my preferred approach.
> as an alternative, perhaps don't worry about such a situation, but
> when the authorized user logs in for what is *supposed* to be the
> first time, it will be flagged that someone else has already logged in
> earlier, and a warning will be printed, "Previous login to root
> detected, you have been compromised, please re-install!"
Or, along the same lines, set an empty root password and force the user
to set a password on the first login. There are ways to do that with
PAM, but I don't have anything at hand.
> i'm sure there are plenty of ways of doing this, anyone have any
> pointers?
For ssh keys, there's rootfsdebugfiles.bbclass. In local.conf:
INHERIT += "rootfsdebugfiles"
ROOTFS_DEBUG_FILES += "/home/pohly/.ssh/id_rsa.pub ${IMAGE_ROOTFS}/home/root/.ssh/authorized_keys ;"
This copies my id_rsa.pub into authorized_keys and thus let's me log
into images that I create via ssh.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
next prev parent reply other threads:[~2017-02-28 12:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-28 10:28 how to *securely* do a remote install of an OE image? Robert P. J. Day
2017-02-28 12:27 ` Patrick Ohly [this message]
2017-02-28 12:32 ` Gary Thomas
2017-02-28 12:42 ` Patrick Ohly
2017-02-28 15:20 ` Robert P. J. Day
2017-02-28 16:52 ` Bryan Evenson
2017-02-28 16:33 ` Enrico Scholz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1488284875.7785.41.camel@intel.com \
--to=patrick.ohly@intel.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=rpjday@crashcourse.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox