Patchwork [1/3] openssh: Allow empty passwords login.

Submitter Lianhao Lu
Date June 11, 2012, 9:02 a.m.
Message ID <ebe46107b8bcc9637bf93b125fa5f9b0a0a045bd.1339405061.git.lianhao.lu@intel.com>
Permalink /patch/29643/
State New

Comments

Lianhao Lu - June 11, 2012, 9:02 a.m.
Allow empty passwords login so that the default root user can log in
through openssh.

Signed-off-by: Lianhao Lu <lianhao.lu@intel.com>
---
 .../openssh/openssh-6.0p1/sshd_config              |    2 +-
 meta/recipes-connectivity/openssh/openssh_6.0p1.bb |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Anders Darander - June 11, 2012, 9:45 a.m.
* Lianhao Lu <lianhao.lu@intel.com> [120611 11:03]:

> Allow empty passwords login so that the default root user can log in
> through openssh.

NAK, this isn't a sane default for an OpenSSH-recipe...


What's your use-case? Is it for automatic testing/development? If so,
can't you either set the password, or change the config using some other
means, e.g. a post rootfs installation script? (And make sure that this
is only run for the image in question, _not_ for all images).


/Anders
Paul Eggleton - June 11, 2012, 10:24 a.m.
On Monday 11 June 2012 11:45:49 Anders Darander wrote:
> * Lianhao Lu <lianhao.lu@intel.com> [120611 11:03]:
> > Allow empty passwords login so that the default root user can log in
> > through openssh.
> 
> NAK, this isn't a sane default for an OpenSSH-recipe...

I agree, however more below...

> What's your use-case? Is it for automatic testing/development? If so,
> can't you either set the password, or change the config using some other
> means, e.g. a post rootfs installation script? (And make sure that this
> is only run for the image in question, _not_ for all images).

I don't think we want this to be image-specific. FWIW, we do already have a 
mechanism to handle this for the dropbear recipe - debug-tweaks in 
IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES 
should not be influencing non-image recipes. This has bothered me for a while 
and I think we ought to change to some other mechanism (perhaps make it a 
separate variable) and then make the OpenSSH recipe use that.

Cheers,
Paul
Phil Blundell - June 11, 2012, 10:27 a.m.
On Mon, 2012-06-11 at 11:24 +0100, Paul Eggleton wrote:
> I don't think we want this to be image-specific. FWIW, we do already have a 
> mechanism to handle this for the dropbear recipe - debug-tweaks in 
> IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES 
> should not be influencing non-image recipes. This has bothered me for a while 
> and I think we ought to change to some other mechanism (perhaps make it a 
> separate variable) and then make the OpenSSH recipe use that.

In the particular case of OpenSSH, it's just a configuration file
setting, rather than a compile-time #ifdef, so doing it with
IMAGE_FEATURES and a rootfs postprocess step sounds like a perfectly
wholesome approach.  

I agree that the current mechanism used by dropbear (applying patches
based on IMAGE_FEATURES) is full of suck and should be changed, perhaps
to something more akin to what openssh does.

p.
Anders Darander - June 11, 2012, 10:36 a.m.
* Paul Eggleton <paul.eggleton@linux.intel.com> [120611 12:24]:

> On Monday 11 June 2012 11:45:49 Anders Darander wrote:
> > * Lianhao Lu <lianhao.lu@intel.com> [120611 11:03]:
> > > Allow empty passwords login so that the default root user can log in
> > > through openssh.
> > 
> > NAK, this isn't a sane default for an OpenSSH-recipe...

> I agree, however more below...

Good.

> > What's your use-case? Is it for automatic testing/development? If so,
> > can't you either set the password, or change the config using some other
> > means, e.g. a post rootfs installation script? (And make sure that this
> > is only run for the image in question, _not_ for all images).

> I don't think we want this to be image-specific. FWIW, we do already have a 
> mechanism to handle this for the dropbear recipe - debug-tweaks in 
> IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES 
> should not be influencing non-image recipes. This has bothered me for a while 
> and I think we ought to change to some other mechanism (perhaps make it a 
> separate variable) and then make the OpenSSH recipe use that.

That's right, the image shouldn't affect compile-time options. However,
in this particular case, as it is a configuration file, it should be
fine.

The variable idea is also fine with me, as long as we keep sensible
defaults, i.e. no empty password logins etc.

Cheers,
Anders
Paul Eggleton - June 11, 2012, 11:13 a.m.
On Monday 11 June 2012 11:27:48 Phil Blundell wrote:
> On Mon, 2012-06-11 at 11:24 +0100, Paul Eggleton wrote:
> > I don't think we want this to be image-specific. FWIW, we do already have a
> > mechanism to handle this for the dropbear recipe - debug-tweaks in
> > IMAGE_FEATURES. I don't particularly like it however since IMAGE_FEATURES
> > should not be influencing non-image recipes. This has bothered me for a while
> > and I think we ought to change to some other mechanism (perhaps make it a
> > separate variable) and then make the OpenSSH recipe use that.
> 
> In the particular case of OpenSSH, it's just a configuration file
> setting, rather than a compile-time #ifdef, so doing it with
> IMAGE_FEATURES and a rootfs postprocess step sounds like a perfectly
> wholesome approach.
> 
> I agree that the current mechanism used by dropbear (applying patches
> based on IMAGE_FEATURES) is full of suck and should be changed, perhaps
> to something more akin to what openssh does.

Sounds good. I've created Yocto bug #2578 to look at fixing this in the manner 
you described.

Cheers,
Paul
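
The rootfs postprocess approach discussed in the thread, sketched as an added shell example (not OE-Core's or any poster's code), together with a release gate that rejects a non-debug image whose sshd_config would accept empty passwords. Assumptions: the function names, the rootfs-relative path etc/ssh/sshd_config, and IMAGE_FEATURES passed in as a space-separated string.

```shell
#!/bin/sh
# Added example, not OE-Core code. Assumptions: function names, the
# rootfs-relative path etc/ssh/sshd_config, space-separated feature list.

# Constructed sample rootfs holding the stock lines seen in the patch context.
make_sample_rootfs() {
    d=$(mktemp -d) && mkdir -p "$d/etc/ssh" &&
    printf '%s\n' 'Protocol 2' '#PasswordAuthentication yes' \
        '#PermitEmptyPasswords no' > "$d/etc/ssh/sshd_config" && echo "$d"
}

# Print the effective global PermitEmptyPasswords value. sshd keeps the
# first uncommented occurrence of a keyword, keywords are case-insensitive,
# and the built-in default is "no". Match blocks are not evaluated here.
effective_empty_pw() {   # $1 = path to sshd_config
    awk 'tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

has_debug_tweaks() {     # $1 = IMAGE_FEATURES value
    case " $1 " in *" debug-tweaks "*) return 0 ;; *) return 1 ;; esac
}

# Rootfs postprocess step: only a debug-tweaks image gets empty-password
# logins; every other image keeps the shipped (secure) default untouched.
postprocess_sshd() {     # $1 = IMAGE_FEATURES value, $2 = rootfs directory
    cfg="$2/etc/ssh/sshd_config"
    [ -f "$cfg" ] || return 0
    has_debug_tweaks "$1" || return 0
    sed 's/^[#[:space:]]*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q '^PermitEmptyPasswords yes' "$cfg" ||
        echo 'PermitEmptyPasswords yes' >> "$cfg"
}

# Release gate: fail (non-zero) when an image built without debug-tweaks
# would still accept empty passwords over SSH.
check_image() {          # $1 = IMAGE_FEATURES value, $2 = rootfs directory
    has_debug_tweaks "$1" && return 0
    [ "$(effective_empty_pw "$2/etc/ssh/sshd_config")" != "yes" ]
}
```

Running check_image against a finished rootfs catches the case where a debug-only setting has leaked into a production image, for instance through a changed recipe default.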

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config
index 4f9b626..175e8f3 100644
--- a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config
@@ -59,7 +59,7 @@  Protocol 2
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
-#PermitEmptyPasswords no
+PermitEmptyPasswords yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
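
Review bot: Making "PermitEmptyPasswords yes" an active line in the sshd_config that the recipe itself ships turns empty-password SSH login into the default for every image that installs this package, with nothing in the hunk limiting it to development or test builds. Suggest keeping the shipped line as "#PermitEmptyPasswords no" and applying the relaxed setting per image instead, for example from a rootfs postprocess step keyed on debug-tweaks as proposed in the thread.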
diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
index 04fd6a9..ad62511 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -7,7 +7,7 @@  SECTION = "console/network"
 LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
 
-PR = "r1"
+PR = "r2"
 
 DEPENDS = "zlib openssl"
 DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
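
Review bot: The PR bump from "r1" to "r2" is the only change to the recipe, so the edited sshd_config is packaged unconditionally; nothing here makes it depend on a debug or development feature, unlike the libpam dependency in the context below, which is gated on DISTRO_FEATURES through base_contains. Either drop the config change (and the PR bump with it) or add an explicit opt-in condition, and say in the commit message that the default stays "no empty passwords".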