[PATCH 0/3] Use openssh to provide sftp-server service

[PATCH 0/3] Use openssh to provide sftp-server service

[Lianhao Lu]

This patch set changes dropbear to openssh in the referenced core sato-sdk
image to provide the sftp-server service which is required by some other 
tools, e.g. the Eclipse Remote System Explorer.

The following changes since commit 75a973328d50ef3c007edb7a471ea77fb97911ea:
  Bruce Ashfield (1):
        kern-tools: anchor KMACHINE test

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib llu/ssh
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=llu/ssh

Lianhao Lu (3):
  openssh: Allow empty passwords login.
  task-core-ssh-openssh: Added openssh-sftp-server.
  core-image-sato-sdk: Replace dropbear by openssh.

 .../openssh/openssh-6.0p1/sshd_config              |    2 +-
 meta/recipes-connectivity/openssh/openssh_6.0p1.bb |    2 +-
 meta/recipes-core/tasks/task-core-ssh-openssh.bb   |    2 +-
 meta/recipes-sato/images/core-image-sato-sdk.bb    |    4 +++-
 4 files changed, 6 insertions(+), 4 deletions(-)

[PATCH 1/3] openssh: Allow empty passwords login.

[Lianhao Lu]

Allow empty passwords login so that the default root user can login in
through openssh.

Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
---
 .../openssh/openssh-6.0p1/sshd_config              |    2 +-
 meta/recipes-connectivity/openssh/openssh_6.0p1.bb |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config
index 4f9b626..175e8f3 100644
--- a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config
@@ -59,7 +59,7 @@ Protocol 2
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
-#PermitEmptyPasswords no
+PermitEmptyPasswords yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
index 04fd6a9..ad62511 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -7,7 +7,7 @@ SECTION = "console/network"
 LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
 
-PR = "r1"
+PR = "r2"
 
 DEPENDS = "zlib openssl"
 DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-- 
1.7.0.4

[PATCH 2/3] task-core-ssh-openssh: Added openssh-sftp-server.

[Lianhao Lu]

Added openssh-sftp-server as the default.

Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
---
 meta/recipes-core/tasks/task-core-ssh-openssh.bb |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-core/tasks/task-core-ssh-openssh.bb b/meta/recipes-core/tasks/task-core-ssh-openssh.bb
index 794399a..2e22d38 100644
--- a/meta/recipes-core/tasks/task-core-ssh-openssh.bb
+++ b/meta/recipes-core/tasks/task-core-ssh-openssh.bb
@@ -12,6 +12,6 @@ PACKAGES = "\
 
 ALLOW_EMPTY = "1"
 
-RDEPENDS_task-core-ssh-openssh = "openssh"
+RDEPENDS_task-core-ssh-openssh = "openssh openssh-sftp-server"
 RDEPENDS_task-core-ssh-openssh-dbg = "openssh-dbg"
 RDEPENDS_task-core-ssh-openssh-dev = "openssh-dev"
-- 
1.7.0.4

[PATCH 3/3] core-image-sato-sdk: Replace dropbear by openssh.

[Lianhao Lu]

Use openssh in core-image-sato-sdk to provide sftp-server service.

Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
---
 meta/recipes-sato/images/core-image-sato-sdk.bb |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-sato/images/core-image-sato-sdk.bb b/meta/recipes-sato/images/core-image-sato-sdk.bb
index eed1698..7f05332 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk.bb
@@ -5,7 +5,9 @@ DESCRIPTION = "Image with Sato support that includes everything within \
 core-image-sato plus meta-toolchain, development headers and libraries to \
 form a standalone SDK."
 
-IMAGE_FEATURES += "apps-console-core ${SATO_IMAGE_FEATURES} dev-pkgs tools-sdk qt4-pkgs"
+SATO_SDK_IMAGE_FEATURES = "${@oe_filter_out('ssh-server-dropbear', '${SATO_IMAGE_FEATURES}', d)} ssh-server-openssh"
+
+IMAGE_FEATURES += "apps-console-core ${SATO_SDK_IMAGE_FEATURES} dev-pkgs tools-sdk qt4-pkgs"
 EXTRA_IMAGE_FEATURES += "tools-debug tools-profile tools-testapps debug-tweaks"
 
 LICENSE = "MIT"
-- 
1.7.0.4

Re: [PATCH 1/3] openssh: Allow empty passwords login.

[Anders Darander]

* Lianhao Lu <lianhao.lu@intel.com> [120611 11:03]:

> Allow empty passwords login so that the default root user can login in
> through openssh.

NAK, this isn't a sane default for a OpenSSH-recipe...


What's your use-case? Is it for automatic testing/development? If so,
can't you either set the password, or change the config using some other
means, e.g. a post rootfs installation script? (And make sure that this
is only run for the image in question, _not_ for all images).


/Anders

-- 
Anders Darander
ChargeStorm AB / eStorm AB

Re: [PATCH 1/3] openssh: Allow empty passwords login.

[Paul Eggleton]

On Monday 11 June 2012 11:45:49 Anders Darander wrote:
> * Lianhao Lu <lianhao.lu@intel.com> [120611 11:03]:
> > Allow empty passwords login so that the default root user can login in
> > through openssh.
> 
> NAK, this isn't a sane default for a OpenSSH-recipe...

I agree, however more below...

> What's your use-case? Is it for automatic testing/development? If so,
> can't you either set the password, or change the config using some other
> means, e.g. a post rootfs installation script? (And make sure that this
> is only run for the image in question, _not_ for all images).

I don't think we want this to be image-specific. FWIW, we do already have a 
mechanism to handle this for the dropbear recipe - debug-tweaks in 
IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES 
should not be influencing non-image recipes. This has bothered me for a while 
and I think we ought to change to some other mechanism (perhaps make it a 
separate variable) and then make the OpenSSH recipe use that.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: [PATCH 1/3] openssh: Allow empty passwords login.

[Phil Blundell]

On Mon, 2012-06-11 at 11:24 +0100, Paul Eggleton wrote:
> I don't think we want this to be image-specific. FWIW, we do already have a 
> mechanism to handle this for the dropbear recipe - debug-tweaks in 
> IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES 
> should not be influencing non-image recipes. This has bothered me for a while 
> and I think we ought to change to some other mechanism (perhaps make it a 
> separate variable) and then make the OpenSSH recipe use that.

In the particular case of OpenSSH, it's just a configuration file
setting, rather than a compile-time #ifdef, so doing it with
IMAGE_FEATURES and a rootfs postprocess step sounds like a perfectly
wholesome approach.  

I agree that the current mechanism used by dropbear (applying patches
based on IMAGE_FEATURES) is full of suck and should be changed, perhaps
to something more akin to what openssh does.

p.

Re: [PATCH 1/3] openssh: Allow empty passwords login.

[Anders Darander]

* Paul Eggleton <paul.eggleton@linux.intel.com> [120611 12:24]:

> On Monday 11 June 2012 11:45:49 Anders Darander wrote:
> > * Lianhao Lu <lianhao.lu@intel.com> [120611 11:03]:
> > > Allow empty passwords login so that the default root user can login in
> > > through openssh.
> > 
> > NAK, this isn't a sane default for a OpenSSH-recipe...

> I agree, however more below...

Good.

> > What's your use-case? Is it for automatic testing/development? If so,
> > can't you either set the password, or change the config using some other
> > means, e.g. a post rootfs installation script? (And make sure that this
> > is only run for the image in question, _not_ for all images).

> I don't think we want this to be image-specific. FWIW, we do already have a 
> mechanism to handle this for the dropbear recipe - debug-tweaks in 
> IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES 
> should not be influencing non-image recipes. This has bothered me for a while 
> and I think we ought to change to some other mechanism (perhaps make it a 
> separate variable) and then make the OpenSSH recipe use that.

That's right, the image shouldn't affect compile-time options. However,
in this particular case, as it is a configuration file, it should be
fine.

The variable idea is also fine with me, as long as we keep sensible
defaults, i.e. no empty password logins etc.

Cheers,
Anders

-- 
Anders Darander
ChargeStorm AB / eStorm AB

Re: [PATCH 1/3] openssh: Allow empty passwords login.

[Paul Eggleton]

On Monday 11 June 2012 11:27:48 Phil Blundell wrote:
> On Mon, 2012-06-11 at 11:24 +0100, Paul Eggleton wrote:
> > I don't think we want this to be image-specific. FWIW, we do already have
> > a
> > mechanism to handle this for the dropbear recipe - debug-tweaks in
> > IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES
> > should not be influencing non-image recipes. This has bothered me for a
> > while and I think we ought to change to some other mechanism (perhaps
> > make it a separate variable) and then make the OpenSSH recipe use that.
> 
> In the particular case of OpenSSH, it's just a configuration file
> setting, rather than a compile-time #ifdef, so doing it with
> IMAGE_FEATURES and a rootfs postprocess step sounds like a perfectly
> wholesome approach.
> 
> I agree that the current mechanism used by dropbear (applying patches
> based on IMAGE_FEATURES) is full of suck and should be changed, perhaps
> to something more akin to what openssh does.

Sounds good. I've created Yocto bug #2578 to look at fixing this in the manner 
you described.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre