Openembedded Core Discussions
* [PATCH 0/2] rootfs-postcommands: split ssh_allow_empty_password
@ 2017-06-30  6:30 jackie.huang
  2017-06-30  6:30 ` [PATCH 1/2] dropbear: add default config file to disable root login jackie.huang
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: jackie.huang @ 2017-06-30  6:30 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

--
The following changes since commit de7914954571ea8e717f56b6d6df13157b0973bc:

  scripts/contrib/patchreview: add new script (2017-06-29 13:01:32 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib.git jhuang0/d_ssh-allow-empty_170630_0
  http://git.pokylinux.org/cgit.cgi//log/?h=jhuang0/d_ssh-allow-empty_170630_0

Jackie Huang (2):
  dropbear: add default config file to disable root login
  rootfs-postcommands: split ssh_allow_empty_password

 meta/classes/image.bbclass                         |  2 +-
 meta/classes/rootfs-postcommands.bbclass           | 25 +++++++++++++++++++---
 meta/recipes-core/dropbear/dropbear.inc            |  3 +++
 .../dropbear/dropbear/dropbear.default             |  2 ++
 4 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/dropbear.default

-- 
2.11.0




* [PATCH 1/2] dropbear: add default config file to disable root login
  2017-06-30  6:30 [PATCH 0/2] rootfs-postcommands: split ssh_allow_empty_password jackie.huang
@ 2017-06-30  6:30 ` jackie.huang
  2017-06-30  6:30 ` [PATCH 2/2] rootfs-postcommands: split ssh_allow_empty_password jackie.huang
  2017-07-25  6:33 ` [PATCH 0/2] " Huang, Jie (Jackie)
  2 siblings, 0 replies; 5+ messages in thread
From: jackie.huang @ 2017-06-30  6:30 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

root login is disabled by default for openssh and we can
enable it through IMAGE_FEATURES 'debug-tweaks' or
'allow-empty-password', so change to the same default
behavior for dropbear.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 meta/recipes-core/dropbear/dropbear.inc              | 3 +++
 meta/recipes-core/dropbear/dropbear/dropbear.default | 2 ++
 2 files changed, 5 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/dropbear.default

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index b6b436c584..359a898116 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -22,6 +22,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://dropbearkey.service \
            file://dropbear@.service \
            file://dropbear.socket \
+           file://dropbear.default \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
@@ -61,6 +62,8 @@ do_install() {
 		${D}${sbindir} \
 		${D}${localstatedir}
 
+	install -m 0755 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear
+
 	install -m 0755 dropbearmulti ${D}${sbindir}/
 	ln -s ${sbindir}/dropbearmulti ${D}${bindir}/dbclient
 
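Review bot: The added `install -m 0755` line in do_install() gives a configuration file the executable bit; a file that only assigns DROPBEAR_EXTRA_ARGS should be installed 0644. The visible part of the preceding directory list names only ${D}${sbindir} and ${D}${localstatedir}, so also confirm that ${D}${sysconfdir}/default is created before this line, or add `install -d ${D}${sysconfdir}/default` ahead of it.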
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear.default b/meta/recipes-core/dropbear/dropbear/dropbear.default
new file mode 100644
index 0000000000..522453a86c
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/dropbear.default
@@ -0,0 +1,2 @@
+# Disallow root logins by default
+DROPBEAR_EXTRA_ARGS="-w"
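Review bot: Shipping DROPBEAR_EXTRA_ARGS="-w" as the default changes behaviour for every image that includes dropbear, and the one-line comment in the new file does not say how root login is turned back on. Extend the comment to name the IMAGE_FEATURES that re-enable it. The only code in this series that strips -w is ssh_allow_root_login in 2/2, so confirm that with 1/2 applied alone a debug-tweaks image can still log in as root, otherwise the series is not bisectable.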
-- 
2.11.0




* [PATCH 2/2] rootfs-postcommands: split ssh_allow_empty_password
  2017-06-30  6:30 [PATCH 0/2] rootfs-postcommands: split ssh_allow_empty_password jackie.huang
  2017-06-30  6:30 ` [PATCH 1/2] dropbear: add default config file to disable root login jackie.huang
@ 2017-06-30  6:30 ` jackie.huang
  2017-07-25  6:33 ` [PATCH 0/2] " Huang, Jie (Jackie)
  2 siblings, 0 replies; 5+ messages in thread
From: jackie.huang @ 2017-06-30  6:30 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

"allow root login" should not be bundled in ssh_allow_empty_password,
because some distros may want only one of "allow root login" and "allow
empty password". So split it out into ssh_allow_root_login and add a new
image feature, allow-root-login, so they can be controlled separately;
debug-tweaks will still include both of them.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 meta/classes/image.bbclass               |  2 +-
 meta/classes/rootfs-postcommands.bbclass | 25 ++++++++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 6e30b96745..180c19c10b 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -23,7 +23,7 @@ inherit ${TESTIMAGECLASS}
 # IMAGE_FEATURES may contain any available package group
 IMAGE_FEATURES ?= ""
 IMAGE_FEATURES[type] = "list"
-IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs empty-root-password allow-empty-password post-install-logging"
+IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs empty-root-password allow-empty-password allow-root-login post-install-logging"
 
 # Generate companion debugfs?
 IMAGE_GEN_DEBUGFS ?= "0"
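Review bot: allow-root-login is added to IMAGE_FEATURES[validitems] without any documentation; the diffstat for this series touches only the two bbclass files and the dropbear recipe. A new image feature that relaxes SSH access should come with a description of what it enables and how it relates to allow-empty-password and debug-tweaks, at minimum in a comment next to this line.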
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index 78f7c55933..81af4e8519 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -2,9 +2,12 @@
 # Zap the root password if debug-tweaks feature is not enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ; ",d)}'
 
-# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks is enabled
+# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}'
 
+# Allow dropbear/openssh to accept root logins if debug-tweaks or allow-root-login is enabled
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-root-login' ], "ssh_allow_root_login; ", "",d)}'
+
 # Enable postinst logging if debug-tweaks is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}'
 
@@ -137,12 +140,11 @@ zap_empty_root_password () {
 }
 
 #
-# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string
+# allow dropbear/openssh to accept logins from accounts with an empty password string
 #
 ssh_allow_empty_password () {
 	for config in sshd_config sshd_config_readonly; do
 		if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config ]; then
-			sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config
 			sed -i 's/^[#[:space:]]*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config
 		fi
 	done
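Review bot: Dropping the PermitRootLogin sed from ssh_allow_empty_password silently changes existing images that set only allow-empty-password: they keep empty passwords but no longer get `PermitRootLogin yes`. That is the safer default, but it is a behaviour change for current users of the feature, so state it explicitly in the commit message and say that allow-root-login must now be added to get the old result.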
@@ -162,6 +164,23 @@ ssh_allow_empty_password () {
 	fi
 }
 
+#
+# allow dropbear/openssh to accept root logins
+#
+ssh_allow_root_login () {
+	for config in sshd_config sshd_config_readonly; do
+		if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config ]; then
+			sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config
+		fi
+	done
+
+	if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
+		if grep -q DROPBEAR_EXTRA_ARGS ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear 2>/dev/null ; then
+			sed -i '/^DROPBEAR_EXTRA_ARGS=/ s/-w//' ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear
+		fi
+	fi
+}
+
 ssh_disable_dns_lookup () {
 	if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
 		sed -i -e 's:#UseDNS yes:UseDNS no:' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
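Review bot: In ssh_allow_root_login, `s/-w//` removes the first "-w" found anywhere on the DROPBEAR_EXTRA_ARGS line, so it can cut into another argument that happens to contain that substring and it leaves stray whitespace behind. Match the flag as a whole token instead, delimited by the quote or surrounding spaces. The grep guard before it is redundant with the `/^DROPBEAR_EXTRA_ARGS=/` address and could be a plain `[ -e ... ]` test on the file, matching the sshd_config branch above.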
-- 
2.11.0




* Re: [PATCH 0/2] rootfs-postcommands: split ssh_allow_empty_password
  2017-06-30  6:30 [PATCH 0/2] rootfs-postcommands: split ssh_allow_empty_password jackie.huang
  2017-06-30  6:30 ` [PATCH 1/2] dropbear: add default config file to disable root login jackie.huang
  2017-06-30  6:30 ` [PATCH 2/2] rootfs-postcommands: split ssh_allow_empty_password jackie.huang
@ 2017-07-25  6:33 ` Huang, Jie (Jackie)
  2017-08-17  2:14   ` Huang, Jie (Jackie)
  2 siblings, 1 reply; 5+ messages in thread
From: Huang, Jie (Jackie) @ 2017-07-25  6:33 UTC (permalink / raw)
  To: Huang, Jie (Jackie), openembedded-core@lists.openembedded.org

Ping.

> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
> jackie.huang@windriver.com
> Sent: Friday, June 30, 2017 14:30
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH 0/2] rootfs-postcommands: split
> ssh_allow_empty_password
> 
> From: Jackie Huang <jackie.huang@windriver.com>
> 
> --
> The following changes since commit
> de7914954571ea8e717f56b6d6df13157b0973bc:
> 
>   scripts/contrib/patchreview: add new script (2017-06-29 13:01:32 +0100)
> 
> are available in the git repository at:
> 
>   git://git.pokylinux.org/poky-contrib.git jhuang0/d_ssh-allow-empty_170630_0
>   http://git.pokylinux.org/cgit.cgi//log/?h=jhuang0/d_ssh-allow-
> empty_170630_0
> 
> Jackie Huang (2):
>   dropbear: add default config file to disable root login
>   rootfs-postcommands: split ssh_allow_empty_password
> 
>  meta/classes/image.bbclass                         |  2 +-
>  meta/classes/rootfs-postcommands.bbclass           | 25 +++++++++++++++++++-
> --
>  meta/recipes-core/dropbear/dropbear.inc            |  3 +++
>  .../dropbear/dropbear/dropbear.default             |  2 ++
>  4 files changed, 28 insertions(+), 4 deletions(-)
>  create mode 100644 meta/recipes-core/dropbear/dropbear/dropbear.default
> 
> --
> 2.11.0
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core



* Re: [PATCH 0/2] rootfs-postcommands: split ssh_allow_empty_password
  2017-07-25  6:33 ` [PATCH 0/2] " Huang, Jie (Jackie)
@ 2017-08-17  2:14   ` Huang, Jie (Jackie)
  0 siblings, 0 replies; 5+ messages in thread
From: Huang, Jie (Jackie) @ 2017-08-17  2:14 UTC (permalink / raw)
  To: openembedded-core@lists.openembedded.org

Ping again.

I don't see any comment or rejection on this; am I missing anything?

Thanks,
Jackie

> -----Original Message-----
> From: Huang, Jie (Jackie)
> Sent: Tuesday, July 25, 2017 14:34
> To: Huang, Jie (Jackie); openembedded-core@lists.openembedded.org
> Subject: RE: [OE-core] [PATCH 0/2] rootfs-postcommands: split
> ssh_allow_empty_password
> 
> Ping.
> 
> > -----Original Message-----
> > From: openembedded-core-bounces@lists.openembedded.org
> > [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
> > jackie.huang@windriver.com
> > Sent: Friday, June 30, 2017 14:30
> > To: openembedded-core@lists.openembedded.org
> > Subject: [OE-core] [PATCH 0/2] rootfs-postcommands: split
> > ssh_allow_empty_password
> >
> > From: Jackie Huang <jackie.huang@windriver.com>
> >
> > --
> > The following changes since commit
> > de7914954571ea8e717f56b6d6df13157b0973bc:
> >
> >   scripts/contrib/patchreview: add new script (2017-06-29 13:01:32 +0100)
> >
> > are available in the git repository at:
> >
> >   git://git.pokylinux.org/poky-contrib.git jhuang0/d_ssh-allow-
> empty_170630_0
> >   http://git.pokylinux.org/cgit.cgi//log/?h=jhuang0/d_ssh-allow-
> > empty_170630_0
> >
> > Jackie Huang (2):
> >   dropbear: add default config file to disable root login
> >   rootfs-postcommands: split ssh_allow_empty_password
> >
> >  meta/classes/image.bbclass                         |  2 +-
> >  meta/classes/rootfs-postcommands.bbclass           | 25
> +++++++++++++++++++-
> > --
> >  meta/recipes-core/dropbear/dropbear.inc            |  3 +++
> >  .../dropbear/dropbear/dropbear.default             |  2 ++
> >  4 files changed, 28 insertions(+), 4 deletions(-)
> >  create mode 100644 meta/recipes-core/dropbear/dropbear/dropbear.default
> >
> > --
> > 2.11.0
> >
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core

