| Submitter | Paul Eggleton |
|---|---|
| Date | Jan. 16, 2013, 3:38 p.m. |
| Message ID | <d0ac33caf983e8a3eeb8c596587e9ae29c4edc88.1358350661.git.paul.eggleton@linux.intel.com> |
| Permalink | /patch/42719/ |
| State | New |
Comments
On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton < paul.eggleton@linux.intel.com> wrote: > + > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > + fi > } > Slightly concerned with this, in the potential case where a layer provides its own /etc/default/dropbear, this will blow it away entirely.
On Wednesday 16 January 2013 08:48:05 Chris Larson wrote: > On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton < > > paul.eggleton@linux.intel.com> wrote: > > + > > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > > + fi > > > > } > > Slightly concerned with this, in the potential case where a layer provides > its own /etc/default/dropbear, this will blow it away entirely. I already considered this, but interacting nicely with that situation given that the provided /etc/default/dropbear would likely be setting its own value of DROPBEAR_EXTRA_ARGS isn't going to be straightforward from a shell script... Cheers, Paul
On Wednesday 16 January 2013 15:51:59 Paul Eggleton wrote: > On Wednesday 16 January 2013 08:48:05 Chris Larson wrote: > > On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton < > > > > paul.eggleton@linux.intel.com> wrote: > > > + > > > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > > > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > > > + fi > > > > > > } > > > > Slightly concerned with this, in the potential case where a layer provides > > its own /etc/default/dropbear, this will blow it away entirely. > > I already considered this, but interacting nicely with that situation given > that the provided /etc/default/dropbear would likely be setting its own > value of DROPBEAR_EXTRA_ARGS isn't going to be straightforward from a shell > script... Scratch that, it's not too difficult. v3 on the way. Cheers, Paul
On Wed, Jan 16, 2013 at 03:38:13PM +0000, Paul Eggleton wrote: > Create a single postprocessing function that enables no-password logins > for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES, > changing its behaviour slightly: > * Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so > that it still takes effect if these are installed by adding > dropbear/openssh to IMAGE_INSTALL. > * Enable it to be run from image.bbclass rather than core-image.bbclass > so that it works for images that are using the former. > > Second half of the fix for [YOCTO #2578]. > > Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> > --- > meta/classes/core-image.bbclass | 3 --- > meta/classes/image.bbclass | 10 ++++++++-- > 2 files changed, 8 insertions(+), 5 deletions(-) > > diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass > index 2e67018..e0f6dbb 100644 > --- a/meta/classes/core-image.bbclass > +++ b/meta/classes/core-image.bbclass > @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; " > > # Zap the root password if debug-tweaks feature is not enabled > ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}' > -# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled > -ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}' > - > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > index e494689..131958d 100644 > --- a/meta/classes/image.bbclass > +++ b/meta/classes/image.bbclass 
> @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES} > IMAGE_POSTPROCESS_COMMAND ?= "" > MACHINE_POSTPROCESS_COMMAND ?= "" > ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; " > +# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks is enabled > +ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "ssh_allow_empty_password; ", "",d)}' > > # some default locales > IMAGE_LINGUAS ?= "de-de fr-fr en-gb" > @@ -396,12 +398,16 @@ zap_root_password () { > mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd > } > > -# allow openssh accept login with empty password string > -openssh_allow_empty_password () { > +# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string > +ssh_allow_empty_password () { > if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then > sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config > sed -i 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config > fi > + > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear > + fi Can we use >> here? In case some distro layer provides own default/dropbear already? Or grep + >> if you fear of duplication of that line, probably should be using sed to add -B if DROPBEAR_EXTRA_ARGS line is already there without -B. Cheers,
On Wednesday 16 January 2013 17:40:38 Martin Jansa wrote: > On Wed, Jan 16, 2013 at 03:38:13PM +0000, Paul Eggleton wrote: > > Create a single postprocessing function that enables no-password logins > > for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES, > > changing its behaviour slightly: > > * Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so > > > > that it still takes effect if these are installed by adding > > dropbear/openssh to IMAGE_INSTALL. > > > > * Enable it to be run from image.bbclass rather than core-image.bbclass > > > > so that it works for images that are using the former. > > > > Second half of the fix for [YOCTO #2578]. > > > > Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> > > --- > > > > meta/classes/core-image.bbclass | 3 --- > > meta/classes/image.bbclass | 10 ++++++++-- > > 2 files changed, 8 insertions(+), 5 deletions(-) > > > > diff --git a/meta/classes/core-image.bbclass > > b/meta/classes/core-image.bbclass index 2e67018..e0f6dbb 100644 > > --- a/meta/classes/core-image.bbclass > > +++ b/meta/classes/core-image.bbclass > > @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; > > "> > > # Zap the root password if debug-tweaks feature is not enabled > > ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", > > "debug-tweaks", "", "zap_root_password ; ",d)}'> > > -# Allow openssh accept empty password login if both debug-tweaks and > > ssh-server-openssh are enabled -ROOTFS_POSTPROCESS_COMMAND += > > '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", > > "openssh_allow_empty_password; ", "",d)}' - > > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > > index e494689..131958d 100644 > > --- a/meta/classes/image.bbclass > > +++ b/meta/classes/image.bbclass 
> > @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES} > > > > IMAGE_POSTPROCESS_COMMAND ?= "" > > MACHINE_POSTPROCESS_COMMAND ?= "" > > ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; " > > > > +# Allow dropbear/openssh to accept logins from accounts with an empty > > password string if debug-tweaks is enabled +ROOTFS_POSTPROCESS_COMMAND += > > '${@base_contains("IMAGE_FEATURES", "debug-tweaks", > > "ssh_allow_empty_password; ", "",d)}'> > > # some default locales > > IMAGE_LINGUAS ?= "de-de fr-fr en-gb" > > > > @@ -396,12 +398,16 @@ zap_root_password () { > > > > mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd > > > > } > > > > -# allow openssh accept login with empty password string > > -openssh_allow_empty_password () { > > +# allow dropbear/openssh to accept root logins and logins from accounts > > with an empty password string +ssh_allow_empty_password () { > > > > if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then > > > > sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' > > ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config sed -i > > 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' > > ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config> > > fi > > > > + > > + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then > > + echo 'DROPBEAR_EXTRA_ARGS="-B"' > > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear + fi > > Can we use >> here? In case some distro layer provides own > default/dropbear already? > > Or grep + >> if you fear of duplication of that line, probably > should be using sed to add -B if DROPBEAR_EXTRA_ARGS line is already > there without -B. Slightly ahead of you :) see discussion with Chris. Cheers, Paul
Patch
diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass index 2e67018..e0f6dbb 100644 --- a/meta/classes/core-image.bbclass +++ b/meta/classes/core-image.bbclass @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; " # Zap the root password if debug-tweaks feature is not enabled ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}' -# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled -ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}' - diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index e494689..131958d 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES} IMAGE_POSTPROCESS_COMMAND ?= "" MACHINE_POSTPROCESS_COMMAND ?= "" ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; " +# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "ssh_allow_empty_password; ", "",d)}' # some default locales IMAGE_LINGUAS ?= "de-de fr-fr en-gb" 
@@ -396,12 +398,16 @@ zap_root_password () { mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd } -# allow openssh accept login with empty password string -openssh_allow_empty_password () { +# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string +ssh_allow_empty_password () { if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config sed -i 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config fi + + if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then + echo 'DROPBEAR_EXTRA_ARGS="-B"' > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear + fi } # Turn any symbolic /sbin/init link into a file
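Review bot: In the image.bbclass hunk at @@ -167,6 +167,8, the comment on the new ROOTFS_POSTPROCESS_COMMAND line mentions only logins from accounts with an empty password string, but ssh_allow_empty_password also sets PermitRootLogin yes, and the hook now depends on debug-tweaks alone rather than on "debug-tweaks ssh-server-openssh". Suggest the comment state both effects, matching the wording used on the function itself ("accept root logins and logins from accounts with an empty password string"), so that anyone reading the hook sees the full result of enabling debug-tweaks.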
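Review bot: In the image.bbclass hunk at @@ -396,12 +398,16, the added line echo 'DROPBEAR_EXTRA_ARGS="-B"' > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear truncates the file, so every other setting in a /etc/default/dropbear provided by a layer is lost, and the redirect fails if ${sysconfdir}/default does not exist in the rootfs. Suggest checking for an existing DROPBEAR_EXTRA_ARGS line first: add -B to it with sed when it lacks the flag, and append the assignment with >> only when no such line exists. Quoting the ${IMAGE_ROOTFS} paths in the new test and redirect would also keep the block safe for build directories whose path contains spaces.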
Create a single postprocessing function that enables no-password logins for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES, changing its behaviour slightly:

* Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so that it still takes effect if these are installed by adding dropbear/openssh to IMAGE_INSTALL.
* Enable it to be run from image.bbclass rather than core-image.bbclass so that it works for images that are using the former.

Second half of the fix for [YOCTO #2578].

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>

---

meta/classes/core-image.bbclass | 3 ---
meta/classes/image.bbclass | 10 ++++++++--
2 files changed, 8 insertions(+), 5 deletions(-)
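As an added example (not part of this patch or of the project's code), the shell functions below check a built root filesystem for the three settings that ssh_allow_empty_password writes, which can serve as a release gate for images that must not ship with debug-tweaks. The function names are hypothetical, and the script assumes that sysconfdir is /etc and that the dropbear init script sources /etc/default/dropbear.

```shell
#!/bin/sh
# Added example: audit a built rootfs for the settings written by
# ssh_allow_empty_password. Paths assume sysconfdir=/etc (assumption).

# Print the effective global value of an sshd_config keyword. sshd uses the
# first occurrence, keywords are case-insensitive, and anything after a
# Match line is conditional, so scanning stops there.
sshd_effective() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                 # "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed if the last DROPBEAR_EXTRA_ARGS assignment carries -B. The last
# one is taken on the assumption that the init script sources this file.
dropbear_allows_blank() {  # $1 = path to default/dropbear
    args=$(sed -n 's/^[[:space:]]*DROPBEAR_EXTRA_ARGS=//p' "$1" |
           tail -n 1 | tr -d "\"'")
    case " $args " in *" -B "*) return 0 ;; esac
    return 1
}

# Print one finding per line; return 1 if the rootfs has any of them.
audit_rootfs() {  # $1 = rootfs directory
    found=0
    cfg="$1/etc/ssh/sshd_config"
    if [ -f "$cfg" ]; then
        for key in PermitRootLogin PermitEmptyPasswords; do
            if [ "$(sshd_effective "$cfg" "$key")" = "yes" ]; then
                echo "sshd_config: $key yes"
                found=1
            fi
        done
    fi
    def="$1/etc/default/dropbear"
    if [ -f "$def" ] && dropbear_allows_blank "$def"; then
        echo "default/dropbear: DROPBEAR_EXTRA_ARGS contains -B"
        found=1
    fi
    return "$found"
}

# Usage: sh audit.sh /path/to/rootfs   (no argument: only define functions)
if [ "$#" -gt 0 ]; then audit_rootfs "$1"; fi
```

A commented-out directive or one inside a Match block is not reported, since neither changes the global sshd behaviour.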