* [PATCH v2 0/2] dropbear: allow configuring blank password option at runtime @ 2013-01-16 15:38 Paul Eggleton 2013-01-16 15:38 ` [PATCH v2 1/2] " Paul Eggleton 2013-01-16 15:38 ` [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration Paul Eggleton 0 siblings, 2 replies; 8+ messages in thread From: Paul Eggleton @ 2013-01-16 15:38 UTC (permalink / raw) To: openembedded-core The following changes since commit 4b63e73422ea25aba1bde0beddb02bc04948e13c: update-rc.d: check also that symlinks are valid (2013-01-16 12:07:55 +0000) are available in the git repository at: git://git.openembedded.org/openembedded-core-contrib paule/ssh-nopw http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=paule/ssh-nopw Paul Eggleton (2): dropbear: allow configuring blank password option at runtime classes/image: improve debug-tweaks ssh server configuration meta/classes/core-image.bbclass | 3 - meta/classes/image.bbclass | 10 +- meta/recipes-core/dropbear/dropbear.inc | 6 +- .../dropbear/dropbear/allow-nopw.patch | 19 ---- .../dropbear/dropbear/nopw-option.patch | 106 ++++++++++++++++++++ 5 files changed, 116 insertions(+), 28 deletions(-) delete mode 100644 meta/recipes-core/dropbear/dropbear/allow-nopw.patch create mode 100644 meta/recipes-core/dropbear/dropbear/nopw-option.patch -- 1.7.10.4 ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v2 1/2] dropbear: allow configuring blank password option at runtime 2013-01-16 15:38 [PATCH v2 0/2] dropbear: allow configuring blank password option at runtime Paul Eggleton @ 2013-01-16 15:38 ` Paul Eggleton 2013-01-16 15:38 ` [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration Paul Eggleton 1 sibling, 0 replies; 8+ messages in thread From: Paul Eggleton @ 2013-01-16 15:38 UTC (permalink / raw) To: openembedded-core Instead of using IMAGE_FEATURES to control something within a recipe, allow this to be set at runtime, avoiding the need to rebuild dropbear when we want to change this option. First half of the fix for [YOCTO #2578]. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> --- meta/recipes-core/dropbear/dropbear.inc | 6 +- .../dropbear/dropbear/allow-nopw.patch | 19 ---- .../dropbear/dropbear/nopw-option.patch | 106 ++++++++++++++++++++ 3 files changed, 108 insertions(+), 23 deletions(-) delete mode 100644 meta/recipes-core/dropbear/dropbear/allow-nopw.patch create mode 100644 meta/recipes-core/dropbear/dropbear/nopw-option.patch diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index aa313df..3e430f2 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation" HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" SECTION = "console/network" -INC_PR = "r0" +INC_PR = "r1" # some files are from other projects and have others license terms: # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY @@ -18,7 +18,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.gz \ file://dropbear-0.53.1-static_build_fix.patch \ file://configure.patch \ file://fix-2kb-keys.patch \ - ${@base_contains("DISTRO_TYPE", "debug", "file://allow-nopw.patch", "",d)} \ + file://nopw-option.patch \ file://init \ ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} " @@ -40,8 +40,6 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' EXTRA_OECONF += "\ ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}" - do_install() { install -d ${D}${sysconfdir} \ ${D}${sysconfdir}/init.d \ diff --git a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch b/meta/recipes-core/dropbear/dropbear/allow-nopw.patch deleted file mode 100644 index a175ee1..0000000 --- a/meta/recipes-core/dropbear/dropbear/allow-nopw.patch +++ /dev/null @@ -1,19 +0,0 @@ -Enable blank password login function for new release dropbear. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Mei Lei <lei.mei@intel.com> - -diff --git a/options.h b/options.h -index 73689ad..041ddaa 100644 ---- a/options.h -+++ b/options.h -@@ -180,7 +180,7 @@ much traffic. */ - * Public key logins are allowed for blank-password accounts regardless of this - * setting. PAM is not affected by this setting, it uses the normal pam.d - * settings ('nullok' option) */ --/* #define ALLOW_BLANK_PASSWORD */ -+#define ALLOW_BLANK_PASSWORD - - #define ENABLE_CLI_PASSWORD_AUTH - #define ENABLE_CLI_PUBKEY_AUTH diff --git a/meta/recipes-core/dropbear/dropbear/nopw-option.patch b/meta/recipes-core/dropbear/dropbear/nopw-option.patch new file mode 100644 index 0000000..e7fcbb3 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/nopw-option.patch @@ -0,0 +1,106 @@ +Allow configuring "allow blank password option" at runtime + +Changes this from a compile-time switch to a command-line option. + +Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> + +Upstream-Status: Pending + +diff --git a/options.h b/options.h +index 00f6179..b8d0ccb 100644 +--- a/options.h ++++ b/options.h +@@ -176,12 +176,6 @@ much traffic. */ + #define ENABLE_SVR_PUBKEY_OPTIONS + #endif + +-/* Define this to allow logging in to accounts that have no password specified. +- * Public key logins are allowed for blank-password accounts regardless of this +- * setting. PAM is not affected by this setting, it uses the normal pam.d +- * settings ('nullok' option) */ +-/* #define ALLOW_BLANK_PASSWORD */ +- + #define ENABLE_CLI_PASSWORD_AUTH + #define ENABLE_CLI_PUBKEY_AUTH + #define ENABLE_CLI_INTERACT_AUTH +diff --git a/runopts.h b/runopts.h +index 83b5861..126585b 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -85,6 +85,7 @@ typedef struct svr_runopts { + + int noauthpass; + int norootpass; ++ int allowblankpass; + + #ifdef ENABLE_SVR_REMOTETCPFWD + int noremotetcp; +diff --git a/svr-authpasswd.c b/svr-authpasswd.c +index 54b4889..d9b7928 100644 +--- a/svr-authpasswd.c ++++ b/svr-authpasswd.c +@@ -29,6 +29,7 @@ + #include "buffer.h" + #include "dbutil.h" + #include "auth.h" ++#include "runopts.h" + + #ifdef ENABLE_SVR_PASSWORD_AUTH + +@@ -78,16 +79,17 @@ void svr_auth_password() { + + /* check for empty password */ + if (passwdcrypt[0] == '\0') { +-#ifdef ALLOW_BLANK_PASSWORD +- if (passwordlen == 0) { +- success_blank = 1; ++ if (svr_opts.allowblankpass) { ++ if (passwordlen == 0) { ++ success_blank = 1; ++ } ++ } ++ else { ++ dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", ++ ses.authstate.pw_name); ++ send_msg_userauth_failure(0, 1); ++ return; + } +-#else +- dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", +- ses.authstate.pw_name); +- send_msg_userauth_failure(0, 1); +- return; +-#endif + } + + if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) { +diff --git a/svr-runopts.c b/svr-runopts.c +index c6e3508..b39ffb2 100644 +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -63,6 +63,7 @@ static void printhelp(const char * progname) { + #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH) + "-s Disable password logins\n" + "-g Disable password logins for root\n" ++ "-B Allow blank password logins\n" + #endif + #ifdef ENABLE_SVR_LOCALTCPFWD + "-j Disable local port forwarding\n" +@@ -115,6 +116,7 @@ void svr_getopts(int argc, char ** argv) { + svr_opts.norootlogin = 0; + svr_opts.noauthpass = 0; + svr_opts.norootpass = 0; ++ svr_opts.allowblankpass = 0; + svr_opts.inetdmode = 0; + svr_opts.portcount = 0; + svr_opts.hostkey = NULL; +@@ -234,6 +236,9 @@ void svr_getopts(int argc, char ** argv) { + case 'g': + svr_opts.norootpass = 1; + break; ++ case 'B': ++ svr_opts.allowblankpass = 1; ++ break; + #endif + case 'h': + printhelp(argv[0]); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration 2013-01-16 15:38 [PATCH v2 0/2] dropbear: allow configuring blank password option at runtime Paul Eggleton 2013-01-16 15:38 ` [PATCH v2 1/2] " Paul Eggleton @ 2013-01-16 15:38 ` Paul Eggleton 2013-01-16 15:48 ` Chris Larson 2013-01-16 16:40 ` Martin Jansa 1 sibling, 2 replies; 8+ messages in thread From: Paul Eggleton @ 2013-01-16 15:38 UTC (permalink / raw) To: openembedded-core Create a single postprocessing function that enables no-password logins for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES, changing its behaviour slightly: * Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so that it still takes effect if these are installed by adding dropbear/openssh to IMAGE_INSTALL. * Enable it to be run from image.bbclass rather than core-image.bbclass so that it works for images that are using the former. Second half of the fix for [YOCTO #2578]. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> --- meta/classes/core-image.bbclass | 3 --- meta/classes/image.bbclass | 10 ++++++++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass index 2e67018..e0f6dbb 100644 --- a/meta/classes/core-image.bbclass +++ b/meta/classes/core-image.bbclass @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; " # Zap the root password if debug-tweaks feature is not enabled ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}' -# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled -ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}' - diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index e494689..131958d 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES} IMAGE_POSTPROCESS_COMMAND ?= "" MACHINE_POSTPROCESS_COMMAND ?= "" ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; " +# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "ssh_allow_empty_password; ", "",d)}' # some default locales IMAGE_LINGUAS ?= "de-de fr-fr en-gb" @@ -396,12 +398,16 @@ zap_root_password () { mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd } -# allow openssh accept login with empty password string -openssh_allow_empty_password () { +# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string +ssh_allow_empty_password () { if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config sed -i 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config fi + + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then + echo 'DROPBEAR_EXTRA_ARGS="-B"' > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear + fi } # Turn any symbolic /sbin/init link into a file -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration 2013-01-16 15:38 ` [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration Paul Eggleton @ 2013-01-16 15:48 ` Chris Larson 2013-01-16 15:51 ` Paul Eggleton 2013-01-16 16:40 ` Martin Jansa 1 sibling, 1 reply; 8+ messages in thread From: Chris Larson @ 2013-01-16 15:48 UTC (permalink / raw) To: Paul Eggleton; +Cc: Patches and discussions about the oe-core layer [-- Attachment #1: Type: text/plain, Size: 452 bytes --] On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton < paul.eggleton@linux.intel.com> wrote: > + > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > + fi > } > Slightly concerned with this, in the potential case where a layer provides its own /etc/default/dropbear, this will blow it away entirely. -- Christopher Larson [-- Attachment #2: Type: text/html, Size: 811 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration 2013-01-16 15:48 ` Chris Larson @ 2013-01-16 15:51 ` Paul Eggleton 2013-01-16 16:39 ` Paul Eggleton 0 siblings, 1 reply; 8+ messages in thread From: Paul Eggleton @ 2013-01-16 15:51 UTC (permalink / raw) To: Chris Larson; +Cc: Patches and discussions about the oe-core layer On Wednesday 16 January 2013 08:48:05 Chris Larson wrote: > On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton < > > paul.eggleton@linux.intel.com> wrote: > > + > > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > > + fi > > > > } > > Slightly concerned with this, in the potential case where a layer provides > its own /etc/default/dropbear, this will blow it away entirely. I already considered this, but interacting nicely with that situation given that the provided /etc/default/dropbear would likely be setting its own value of DROPBEAR_EXTRA_ARGS isn't going to be straightforward from a shell script... Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration 2013-01-16 15:51 ` Paul Eggleton @ 2013-01-16 16:39 ` Paul Eggleton 0 siblings, 0 replies; 8+ messages in thread From: Paul Eggleton @ 2013-01-16 16:39 UTC (permalink / raw) To: openembedded-core; +Cc: Chris Larson On Wednesday 16 January 2013 15:51:59 Paul Eggleton wrote: > On Wednesday 16 January 2013 08:48:05 Chris Larson wrote: > > On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton < > > > > paul.eggleton@linux.intel.com> wrote: > > > + > > > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > > > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > > > + fi > > > > > > } > > > > Slightly concerned with this, in the potential case where a layer provides > > its own /etc/default/dropbear, this will blow it away entirely. > > I already considered this, but interacting nicely with that situation given > that the provided /etc/default/dropbear would likely be setting its own > value of DROPBEAR_EXTRA_ARGS isn't going to be straightforward from a shell > script... Scratch that, it's not too difficult. v3 on the way. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration 2013-01-16 15:38 ` [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration Paul Eggleton 2013-01-16 15:48 ` Chris Larson @ 2013-01-16 16:40 ` Martin Jansa 2013-01-16 16:56 ` Paul Eggleton 1 sibling, 1 reply; 8+ messages in thread From: Martin Jansa @ 2013-01-16 16:40 UTC (permalink / raw) To: Paul Eggleton; +Cc: openembedded-core [-- Attachment #1: Type: text/plain, Size: 3377 bytes --] On Wed, Jan 16, 2013 at 03:38:13PM +0000, Paul Eggleton wrote: > Create a single postprocessing function that enables no-password logins > for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES, > changing its behaviour slightly: > * Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so > that it still takes effect if these are installed by adding > dropbear/openssh to IMAGE_INSTALL. > * Enable it to be run from image.bbclass rather than core-image.bbclass > so that it works for images that are using the former. > > Second half of the fix for [YOCTO #2578]. > > Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> > --- > meta/classes/core-image.bbclass | 3 --- > meta/classes/image.bbclass | 10 ++++++++-- > 2 files changed, 8 insertions(+), 5 deletions(-) > > diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass > index 2e67018..e0f6dbb 100644 > --- a/meta/classes/core-image.bbclass > +++ b/meta/classes/core-image.bbclass > @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; " > > # Zap the root password if debug-tweaks feature is not enabled > ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}' > -# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled > -ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}' > - > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > index e494689..131958d 100644 > --- a/meta/classes/image.bbclass > +++ b/meta/classes/image.bbclass > @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES} > IMAGE_POSTPROCESS_COMMAND ?= "" > MACHINE_POSTPROCESS_COMMAND ?= "" > ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; " > +# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks is enabled > +ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "ssh_allow_empty_password; ", "",d)}' > > # some default locales > IMAGE_LINGUAS ?= "de-de fr-fr en-gb" > @@ -396,12 +398,16 @@ zap_root_password () { > mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd > } > > -# allow openssh accept login with empty password string > -openssh_allow_empty_password () { > +# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string > +ssh_allow_empty_password () { > if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then > sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config > sed -i 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config > fi > + > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > + fi Can we use >> here? In case some distro layer provides own default/dropbear already? Or grep + >> if you fear of duplication of that line, probably should be using sed to add -B if DROPBEAR_EXTRA_ARGS line is already there without -B. Cheers, -- Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 205 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration 2013-01-16 16:40 ` Martin Jansa @ 2013-01-16 16:56 ` Paul Eggleton 0 siblings, 0 replies; 8+ messages in thread From: Paul Eggleton @ 2013-01-16 16:56 UTC (permalink / raw) To: Martin Jansa; +Cc: openembedded-core On Wednesday 16 January 2013 17:40:38 Martin Jansa wrote: > On Wed, Jan 16, 2013 at 03:38:13PM +0000, Paul Eggleton wrote: > > Create a single postprocessing function that enables no-password logins > > for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES, > > changing its behaviour slightly: > > * Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so > > > > that it still takes effect if these are installed by adding > > dropbear/openssh to IMAGE_INSTALL. > > > > * Enable it to be run from image.bbclass rather than core-image.bbclass > > > > so that it works for images that are using the former. > > > > Second half of the fix for [YOCTO #2578]. > > > > Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> > > --- > > > > meta/classes/core-image.bbclass | 3 --- > > meta/classes/image.bbclass | 10 ++++++++-- > > 2 files changed, 8 insertions(+), 5 deletions(-) > > > > diff --git a/meta/classes/core-image.bbclass > > b/meta/classes/core-image.bbclass index 2e67018..e0f6dbb 100644 > > --- a/meta/classes/core-image.bbclass > > +++ b/meta/classes/core-image.bbclass > > @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; > > "> > > # Zap the root password if debug-tweaks feature is not enabled > > ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", > > "debug-tweaks", "", "zap_root_password ; ",d)}'> > > -# Allow openssh accept empty password login if both debug-tweaks and > > ssh-server-openssh are enabled -ROOTFS_POSTPROCESS_COMMAND += > > '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", > > "openssh_allow_empty_password; ", "",d)}' - > > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > > index e494689..131958d 100644 > > --- a/meta/classes/image.bbclass > > +++ b/meta/classes/image.bbclass > > @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES} > > > > IMAGE_POSTPROCESS_COMMAND ?= "" > > MACHINE_POSTPROCESS_COMMAND ?= "" > > ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; " > > > > +# Allow dropbear/openssh to accept logins from accounts with an empty > > password string if debug-tweaks is enabled +ROOTFS_POSTPROCESS_COMMAND += > > '${@base_contains("IMAGE_FEATURES", "debug-tweaks", > > "ssh_allow_empty_password; ", "",d)}'> > > # some default locales > > IMAGE_LINGUAS ?= "de-de fr-fr en-gb" > > > > @@ -396,12 +398,16 @@ zap_root_password () { > > > > mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd > > > > } > > > > -# allow openssh accept login with empty password string > > -openssh_allow_empty_password () { > > +# allow dropbear/openssh to accept root logins and logins from accounts > > with an empty password string +ssh_allow_empty_password () { > > > > if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then > > > > sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' > > ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config sed -i > > 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' > > ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config> > > fi > > > > + > > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear + fi > > Can we use >> here? In case some distro layer provides own > default/dropbear already? > > Or grep + >> if you fear of duplication of that line, probably > should be using sed to add -B if DROPBEAR_EXTRA_ARGS line is already > there without -B. Slightly ahead of you :) see discussion with Chris. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2013-01-16 17:12 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-01-16 15:38 [PATCH v2 0/2] dropbear: allow configuring blank password option at runtime Paul Eggleton 2013-01-16 15:38 ` [PATCH v2 1/2] " Paul Eggleton 2013-01-16 15:38 ` [PATCH v2 2/2] classes/image: improve debug-tweaks ssh server configuration Paul Eggleton 2013-01-16 15:48 ` Chris Larson 2013-01-16 15:51 ` Paul Eggleton 2013-01-16 16:39 ` Paul Eggleton 2013-01-16 16:40 ` Martin Jansa 2013-01-16 16:56 ` Paul Eggleton
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox