[PATCH V2 0/3] Use openssh to provide sftp-server service

[PATCH V2 0/3] Use openssh to provide sftp-server service

[Lianhao Lu]

This patch set changes dropbear to openssh in the referenced core sato-sdk
image to provide the sftp-server service which is required by some other 
tools, e.g. the Eclipse Remote System Explorer.

The following changes since commit 0eddc176e73e74d4b1a7d3163d65f619fcd4baf0:
  Saul Wold (1):
        gnomebase: add GNOME_COMPRESS_TYPE variable

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib llu/ssh
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=llu/ssh

Lianhao Lu (3):
  task-core-ssh-openssh: Added openssh-sftp-server.
  core-image-sato-sdk: Replace dropbear by openssh.
  classes/image: Allow openssh empty passwords login.

 meta/classes/core-image.bbclass                  |    2 ++
 meta/classes/image.bbclass                       |   10 +++++++++-
 meta/recipes-core/tasks/task-core-ssh-openssh.bb |    2 +-
 meta/recipes-sato/images/core-image-sato-sdk.bb  |    4 +++-
 4 files changed, 15 insertions(+), 3 deletions(-)

[PATCH V2 1/3] task-core-ssh-openssh: Added openssh-sftp-server.

[Lianhao Lu]

Added openssh-sftp-server as the default.

Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
---
 meta/recipes-core/tasks/task-core-ssh-openssh.bb |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-core/tasks/task-core-ssh-openssh.bb b/meta/recipes-core/tasks/task-core-ssh-openssh.bb
index 794399a..2e22d38 100644
--- a/meta/recipes-core/tasks/task-core-ssh-openssh.bb
+++ b/meta/recipes-core/tasks/task-core-ssh-openssh.bb
@@ -12,6 +12,6 @@ PACKAGES = "\
 
 ALLOW_EMPTY = "1"
 
-RDEPENDS_task-core-ssh-openssh = "openssh"
+RDEPENDS_task-core-ssh-openssh = "openssh openssh-sftp-server"
 RDEPENDS_task-core-ssh-openssh-dbg = "openssh-dbg"
 RDEPENDS_task-core-ssh-openssh-dev = "openssh-dev"
-- 
1.7.0.4

[PATCH V2 2/3] core-image-sato-sdk: Replace dropbear by openssh.

[Lianhao Lu]

Use openssh in core-image-sato-sdk to provide sftp-server service.

Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
---
 meta/recipes-sato/images/core-image-sato-sdk.bb |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-sato/images/core-image-sato-sdk.bb b/meta/recipes-sato/images/core-image-sato-sdk.bb
index eed1698..7f05332 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk.bb
@@ -5,7 +5,9 @@ DESCRIPTION = "Image with Sato support that includes everything within \
 core-image-sato plus meta-toolchain, development headers and libraries to \
 form a standalone SDK."
 
-IMAGE_FEATURES += "apps-console-core ${SATO_IMAGE_FEATURES} dev-pkgs tools-sdk qt4-pkgs"
+SATO_SDK_IMAGE_FEATURES = "${@oe_filter_out('ssh-server-dropbear', '${SATO_IMAGE_FEATURES}', d)} ssh-server-openssh"
+
+IMAGE_FEATURES += "apps-console-core ${SATO_SDK_IMAGE_FEATURES} dev-pkgs tools-sdk qt4-pkgs"
 EXTRA_IMAGE_FEATURES += "tools-debug tools-profile tools-testapps debug-tweaks"
 
 LICENSE = "MIT"
-- 
1.7.0.4

[PATCH V2 3/3] classes/image: Allow openssh empty passwords login.

[Lianhao Lu]

Allow empty passwords login so that the default root user can login in
through openssh.

Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
---
 meta/classes/core-image.bbclass |    2 ++
 meta/classes/image.bbclass      |   10 +++++++++-
 2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
index e2ad0fc..25f5c5a 100644
--- a/meta/classes/core-image.bbclass
+++ b/meta/classes/core-image.bbclass
@@ -69,4 +69,6 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
 
 # Zap the root password if debug-tweaks feature is not enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}'
+# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled
+ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}'
 
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index fb932b9..3f53271 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -318,6 +318,14 @@ zap_root_password () {
 	mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd
 } 
 
+# allow openssh accept login with empty password string
+openssh_allow_empty_password () {
+	if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
+		sed 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config >${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config.new
+		mv -f ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config.new ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
+	fi
+}
+
 # Turn any symbolic /sbin/init link into a file
 remove_init_link () {
 	if [ -h ${IMAGE_ROOTFS}/sbin/init ]; then
@@ -372,7 +380,7 @@ rootfs_trim_schemas () {
 	done
 }
 
-EXPORT_FUNCTIONS zap_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup
+EXPORT_FUNCTIONS zap_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup openssh_allow_empty_password
 
 do_fetch[noexec] = "1"
 do_unpack[noexec] = "1"
-- 
1.7.0.4

Re: [PATCH V2 3/3] classes/image: Allow openssh empty passwords login.

[Richard Purdie]

On Tue, 2012-06-12 at 18:10 +0800, Lianhao Lu wrote:
> Allow empty passwords login so that the default root user can login in
> through openssh.
> 
> Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
> ---
>  meta/classes/core-image.bbclass |    2 ++
>  meta/classes/image.bbclass      |   10 +++++++++-
>  2 files changed, 11 insertions(+), 1 deletions(-)
> 
> diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
> index e2ad0fc..25f5c5a 100644
> --- a/meta/classes/core-image.bbclass
> +++ b/meta/classes/core-image.bbclass
> @@ -69,4 +69,6 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
>  
>  # Zap the root password if debug-tweaks feature is not enabled
>  ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}'
> +# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled
> +ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}'
>  
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index fb932b9..3f53271 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -318,6 +318,14 @@ zap_root_password () {
>  	mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd
>  } 
>  
> +# allow openssh accept login with empty password string
> +openssh_allow_empty_password () {
> +	if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
> +		sed 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config >${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config.new
> +		mv -f ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config.new ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
> +	fi
> +}

Can't we just use the -i option here?

>  # Turn any symbolic /sbin/init link into a file
>  remove_init_link () {
>  	if [ -h ${IMAGE_ROOTFS}/sbin/init ]; then
> @@ -372,7 +380,7 @@ rootfs_trim_schemas () {
>  	done
>  }
>  
> -EXPORT_FUNCTIONS zap_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup
> +EXPORT_FUNCTIONS zap_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup openssh_allow_empty_password

This use of EXPORT_FUNCTIONS looks wrong, you don't need to add this
here and in fact that whole line can probably be removed...

Cheers,

Richard

Re: [PATCH V2 0/3] Use openssh to provide sftp-server service

[Richard Purdie]

On Tue, 2012-06-12 at 18:10 +0800, Lianhao Lu wrote:
> This patch set changes dropbear to openssh in the referenced core sato-sdk
> image to provide the sftp-server service which is required by some other 
> tools, e.g. the Eclipse Remote System Explorer.
> 
> The following changes since commit 0eddc176e73e74d4b1a7d3163d65f619fcd4baf0:
>   Saul Wold (1):
>         gnomebase: add GNOME_COMPRESS_TYPE variable
> 
> are available in the git repository at:
> 
>   git://git.yoctoproject.org/poky-contrib llu/ssh
>   http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=llu/ssh
> 
> Lianhao Lu (3):
>   task-core-ssh-openssh: Added openssh-sftp-server.
>   core-image-sato-sdk: Replace dropbear by openssh.
>   classes/image: Allow openssh empty passwords login.

There are some pieces in here I like but I'm not sure overall this is
the right way to make this work. For example, lets say I want to use the
eclipse tools with a plain sato image. Its hard for me to do this with
the patches as they stand. We need to take a step back and think how a
user is going to expect this to work.

I think what we need to do at the basic level is have something like an
IMAGE_FEATURE that we can turn on that pulls in the various IDE
integration pieces. In this case, it would explicitly add openssh/sftp
and we should use the package manager functionality to replace dropbear
with openssh when an image requests both.

This IMAGE_FEATURE would then be on by default for the -sdk image but
could easily be enabled for others.

Cheers,

Richard