| Submitter | Martin Jansa |
|---|---|
| Date | Jan. 7, 2013, 11:15 a.m. |
| Message ID | <1357557340-28756-1-git-send-email-Martin.Jansa@gmail.com> |
| Permalink | /patch/42173/ |
| State | New |
Comments
On Mon, Jan 7, 2013 at 9:15 AM, Martin Jansa <martin.jansa@gmail.com> wrote:
> * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
>   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
>   to debug as expected, but if you add debug-tweaks only in
>   your-own-debug-image, then dropbear never sees debug-tweaks and
>   your-own-debug-image won't allow empty password login.
> * best way would be to patch dropbear to enable empty password by
>   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
>   like openssh_allow_empty_password does, see
>   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
>
> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

I just fail to see why to keep using DISTRO_TYPE in dropbear in this case. You could just always include the patch. Do you have any specific reason?

--
Otavio Salvador O.S. Systems
E-mail: otavio@ossystems.com.br http://www.ossystems.com.br
Mobile: +55 53 9981-7854 http://projetos.ossystems.com.br
On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote: > * IMAGE_FEATURES are image specific, but dropbear recipe isn't > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to > IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE > to debug as expected, but if you add debug-tweaks only in > your-own-debug-image, then dropbear never sees debug-tweaks and > your-own-debug-image won't allow empty password login. > * best way would be to patch dropbear to enable empty password by > runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND > like openssh_allow_empty_password does, see > http://permalink.gmane.org/gmane.network.ssh.dropbear/845 > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> > --- > meta/recipes-core/dropbear/dropbear.inc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc > index aa313df..2c170c6 100644 > --- a/meta/recipes-core/dropbear/dropbear.inc > +++ b/meta/recipes-core/dropbear/dropbear.inc > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation" > HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" > SECTION = "console/network" > > -INC_PR = "r0" > +INC_PR = "r1" > > # some files are from other projects and have others license terms: > # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY 
> @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' > EXTRA_OECONF += "\ > ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}" > +DISTRO_TYPE ?= "debug" > > do_install() { > install -d ${D}${sysconfdir} \ How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in DISTRO_FEATURES? This would bring it more into line with the other places we do things like this. FWIW I agree this should ideally be runtime configured and we should really add an enhancement request to the bugzilla for that (or patches welcome). Cheers, Richard
On Mon, Jan 07, 2013 at 11:36:13AM +0000, Richard Purdie wrote: > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote: > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to > > IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE > > to debug as expected, but if you add debug-tweaks only in > > your-own-debug-image, then dropbear never sees debug-tweaks and > > your-own-debug-image won't allow empty password login. > > * best way would be to patch dropbear to enable empty password by > > runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND > > like openssh_allow_empty_password does, see > > http://permalink.gmane.org/gmane.network.ssh.dropbear/845 > > > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> > > --- > > meta/recipes-core/dropbear/dropbear.inc | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc > > index aa313df..2c170c6 100644 > > --- a/meta/recipes-core/dropbear/dropbear.inc > > +++ b/meta/recipes-core/dropbear/dropbear.inc > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation" > > HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" > > SECTION = "console/network" > > > > -INC_PR = "r0" > > +INC_PR = "r1" > > > > # some files are from other projects and have others license terms: > > # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY 
> > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' > > EXTRA_OECONF += "\ > > ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" > > > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}" > > +DISTRO_TYPE ?= "debug" > > > > do_install() { > > install -d ${D}${sysconfdir} \ > > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in > DISTRO_FEATURES? This would bring it more into line with the other > places we do things like this. Fine with me, I don't use dropbear, but I've spent some time to debug why dropbear sometimes doesn't work as expected and shared this change just to make it more deterministic. I'm fine with debug-tweaks DISTRO_FEATURES but afaik it's first use and can be confusing with IMAGE_FEATURES with the same name, that's why I've kept DISTRO_TYPE which was used at least in OE-classic days. Cheers, > FWIW I agree this should ideally be runtime configured and we should > really add an enhancement request to the bugzilla for that (or patches > welcome).
On Monday 07 January 2013 11:36:13 Richard Purdie wrote: > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote: > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to > > > > IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE > > to debug as expected, but if you add debug-tweaks only in > > your-own-debug-image, then dropbear never sees debug-tweaks and > > your-own-debug-image won't allow empty password login. > > > > * best way would be to patch dropbear to enable empty password by > > > > runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND > > like openssh_allow_empty_password does, see > > http://permalink.gmane.org/gmane.network.ssh.dropbear/845 > > > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> > > --- > > > > meta/recipes-core/dropbear/dropbear.inc | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/meta/recipes-core/dropbear/dropbear.inc > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644 > > --- a/meta/recipes-core/dropbear/dropbear.inc > > +++ b/meta/recipes-core/dropbear/dropbear.inc > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP > > implementation"> > > HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" > > SECTION = "console/network" > > > > -INC_PR = "r0" > > +INC_PR = "r1" > > > > # some files are from other projects and have others license terms: > > # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY 
> > > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> > > EXTRA_OECONF += "\ > > > > ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', > > '--disable-pam', d)}"> > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", > > "debug", "",d)}" +DISTRO_TYPE ?= "debug" > > > > do_install() { > > > > install -d ${D}${sysconfdir} \ > > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in > DISTRO_FEATURES? This would bring it more into line with the other > places we do things like this. > > FWIW I agree this should ideally be runtime configured and we should > really add an enhancement request to the bugzilla for that (or patches > welcome). There's already a request open: https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578 I'd suggest leaving the current behaviour (poor as it may be) until that bug is fixed. Cheers, Paul
On Mon, Jan 07, 2013 at 08:11:58PM +0000, Paul Eggleton wrote: > On Monday 07 January 2013 11:36:13 Richard Purdie wrote: > > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote: > > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't > > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to > > > > > > IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE > > > to debug as expected, but if you add debug-tweaks only in > > > your-own-debug-image, then dropbear never sees debug-tweaks and > > > your-own-debug-image won't allow empty password login. > > > > > > * best way would be to patch dropbear to enable empty password by > > > > > > runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND > > > like openssh_allow_empty_password does, see > > > http://permalink.gmane.org/gmane.network.ssh.dropbear/845 > > > > > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> > > > --- > > > > > > meta/recipes-core/dropbear/dropbear.inc | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/meta/recipes-core/dropbear/dropbear.inc > > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644 > > > --- a/meta/recipes-core/dropbear/dropbear.inc > > > +++ b/meta/recipes-core/dropbear/dropbear.inc > > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP > > > implementation"> > > > HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" > > > SECTION = "console/network" > > > > > > -INC_PR = "r0" > > > +INC_PR = "r1" > > > > > > # some files are from other projects and have others license terms: > > > # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY 
> > > > > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 > > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> > > > EXTRA_OECONF += "\ > > > > > > ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', > > > '--disable-pam', d)}"> > > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", > > > "debug", "",d)}" +DISTRO_TYPE ?= "debug" > > > > > > do_install() { > > > > > > install -d ${D}${sysconfdir} \ > > > > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in > > DISTRO_FEATURES? This would bring it more into line with the other > > places we do things like this. > > > > FWIW I agree this should ideally be runtime configured and we should > > really add an enhancement request to the bugzilla for that (or patches > > welcome). > > There's already a request open: > > https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578 > > I'd suggest leaving the current behaviour (poor as it may be) until that bug > is fixed. Building with OEBasic won't rebuild dropbear to suit IMAGE_FEATURES of currently build image and even with OEBasicHash I don't know which dropbear version will be used if I build 2 different images: bitbake foo-image foo-debug-image So changing it one way or another is IMHO improvement of current situation until that bug is fixed properly. Cheers,
On Mon, 2013-01-07 at 21:31 +0100, Martin Jansa wrote: > On Mon, Jan 07, 2013 at 08:11:58PM +0000, Paul Eggleton wrote: > > On Monday 07 January 2013 11:36:13 Richard Purdie wrote: > > > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote: > > > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't > > > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to > > > > > > > > IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE > > > > to debug as expected, but if you add debug-tweaks only in > > > > your-own-debug-image, then dropbear never sees debug-tweaks and > > > > your-own-debug-image won't allow empty password login. > > > > > > > > * best way would be to patch dropbear to enable empty password by > > > > > > > > runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND > > > > like openssh_allow_empty_password does, see > > > > http://permalink.gmane.org/gmane.network.ssh.dropbear/845 > > > > > > > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> > > > > --- > > > > > > > > meta/recipes-core/dropbear/dropbear.inc | 4 ++-- > > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/meta/recipes-core/dropbear/dropbear.inc > > > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644 > > > > --- a/meta/recipes-core/dropbear/dropbear.inc > > > > +++ b/meta/recipes-core/dropbear/dropbear.inc > > > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP > > > > implementation"> > > > > HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" > > > > SECTION = "console/network" > > > > > > > > -INC_PR = "r0" > > > > +INC_PR = "r1" > > > > > > > > # some files are from other projects and have others license terms: > > > > # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY 
> > > > > > > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 > > > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> > > > > EXTRA_OECONF += "\ > > > > > > > > ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', > > > > '--disable-pam', d)}"> > > > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", > > > > "debug", "",d)}" +DISTRO_TYPE ?= "debug" > > > > > > > > do_install() { > > > > > > > > install -d ${D}${sysconfdir} \ > > > > > > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in > > > DISTRO_FEATURES? This would bring it more into line with the other > > > places we do things like this. > > > > > > FWIW I agree this should ideally be runtime configured and we should > > > really add an enhancement request to the bugzilla for that (or patches > > > welcome). > > > > There's already a request open: > > > > https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578 > > > > I'd suggest leaving the current behaviour (poor as it may be) until that bug > > is fixed. > > Building with OEBasic won't rebuild dropbear to suit IMAGE_FEATURES of > currently build image and even with OEBasicHash I don't know which > dropbear version will be used if I build 2 different images: > bitbake foo-image foo-debug-image > > So changing it one way or another is IMHO improvement of current > situation until that bug is fixed properly. Having looked into it more, the current situation is a complete mess and for something security sensitive like this, it *needs* to behave better. I just raised the priority of the task (medium+). Cheers, Richard
Patch
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation" HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" SECTION = "console/network" -INC_PR = "r0" +INC_PR = "r1" # some files are from other projects and have others license terms: # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' EXTRA_OECONF += "\ ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}" +DISTRO_TYPE ?= "debug" do_install() { install -d ${D}${sysconfdir} \
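Review bot: the new `DISTRO_TYPE ?= "debug"` default in the second hunk makes the debug build the fallback for every configuration that does not set DISTRO_TYPE itself, so, going by the commit message, an image built without debug-tweaks would also accept empty password logins. Consider keeping the non-debug value as the default and requiring an explicit opt-in at the distro level, and add a comment above the assignment saying what "debug" changes in dropbear and how to override it.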
* IMAGE_FEATURES are image specific, but dropbear recipe isn't
* if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
  IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
  to debug as expected, but if you add debug-tweaks only in
  your-own-debug-image, then dropbear never sees debug-tweaks and
  your-own-debug-image won't allow empty password login.
* best way would be to patch dropbear to enable empty password by
  runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
  like openssh_allow_empty_password does, see
  http://permalink.gmane.org/gmane.network.ssh.dropbear/845

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

---

meta/recipes-core/dropbear/dropbear.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)