Patchwork [v2,2/2] classes/image: improve debug-tweaks ssh server configuration

Submitter Paul Eggleton
Date Jan. 16, 2013, 3:38 p.m.
Message ID <d0ac33caf983e8a3eeb8c596587e9ae29c4edc88.1358350661.git.paul.eggleton@linux.intel.com>
Permalink /patch/42719/
State New

Comments

Paul Eggleton - Jan. 16, 2013, 3:38 p.m.
Create a single postprocessing function that enables no-password logins
for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES,
changing its behaviour slightly:
* Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so
  that it still takes effect if these are installed by adding
  dropbear/openssh to IMAGE_INSTALL.
* Enable it to be run from image.bbclass rather than core-image.bbclass
  so that it works for images that are using the former.

Second half of the fix for [YOCTO #2578].

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
 meta/classes/core-image.bbclass |    3 ---
 meta/classes/image.bbclass      |   10 ++++++++--
 2 files changed, 8 insertions(+), 5 deletions(-)
Chris Larson - Jan. 16, 2013, 3:48 p.m.
On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton <
paul.eggleton@linux.intel.com> wrote:

> +
> +       if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
> +               echo 'DROPBEAR_EXTRA_ARGS="-B"' >
> ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear
> +       fi
>  }
>

Slightly concerned with this, in the potential case where a layer provides
its own /etc/default/dropbear, this will blow it away entirely.
Paul Eggleton - Jan. 16, 2013, 3:51 p.m.
On Wednesday 16 January 2013 08:48:05 Chris Larson wrote:
> On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton <
> 
> paul.eggleton@linux.intel.com> wrote:
> > +
> > +       if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
> > +               echo 'DROPBEAR_EXTRA_ARGS="-B"' >
> > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear
> > +       fi
> > 
> >  }
> 
> Slightly concerned with this, in the potential case where a layer provides
> its own /etc/default/dropbear, this will blow it away entirely.

I already considered this, but interacting nicely with that situation given 
that the provided /etc/default/dropbear would likely be setting its own value 
of DROPBEAR_EXTRA_ARGS isn't going to be straightforward from a shell 
script...

Cheers,
Paul
Paul Eggleton - Jan. 16, 2013, 4:39 p.m.
On Wednesday 16 January 2013 15:51:59 Paul Eggleton wrote:
> On Wednesday 16 January 2013 08:48:05 Chris Larson wrote:
> > On Wed, Jan 16, 2013 at 8:38 AM, Paul Eggleton <
> > 
> > paul.eggleton@linux.intel.com> wrote:
> > > +
> > > +       if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
> > > +               echo 'DROPBEAR_EXTRA_ARGS="-B"' >
> > > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear
> > > +       fi
> > > 
> > >  }
> > 
> > Slightly concerned with this, in the potential case where a layer provides
> > its own /etc/default/dropbear, this will blow it away entirely.
> 
> I already considered this, but interacting nicely with that situation given
> that the provided /etc/default/dropbear would likely be setting its own
> value of DROPBEAR_EXTRA_ARGS isn't going to be straightforward from a shell
> script...

Scratch that, it's not too difficult. v3 on the way.

Cheers,
Paul
Martin Jansa - Jan. 16, 2013, 4:40 p.m.
On Wed, Jan 16, 2013 at 03:38:13PM +0000, Paul Eggleton wrote:
> Create a single postprocessing function that enables no-password logins
> for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES,
> changing its behaviour slightly:
> * Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so
>   that it still takes effect if these are installed by adding
>   dropbear/openssh to IMAGE_INSTALL.
> * Enable it to be run from image.bbclass rather than core-image.bbclass
>   so that it works for images that are using the former.
> 
> Second half of the fix for [YOCTO #2578].
> 
> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
> ---
>  meta/classes/core-image.bbclass |    3 ---
>  meta/classes/image.bbclass      |   10 ++++++++--
>  2 files changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
> index 2e67018..e0f6dbb 100644
> --- a/meta/classes/core-image.bbclass
> +++ b/meta/classes/core-image.bbclass
> @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
>  
>  # Zap the root password if debug-tweaks feature is not enabled
>  ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}'
> -# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled
> -ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}'
> -
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index e494689..131958d 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES}
>  IMAGE_POSTPROCESS_COMMAND ?= ""
>  MACHINE_POSTPROCESS_COMMAND ?= ""
>  ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; "
> +# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks is enabled
> +ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "ssh_allow_empty_password; ", "",d)}'
>  
>  # some default locales
>  IMAGE_LINGUAS ?= "de-de fr-fr en-gb"
> @@ -396,12 +398,16 @@ zap_root_password () {
>  	mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd
>  } 
>  
> -# allow openssh accept login with empty password string
> -openssh_allow_empty_password () {
> +# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string
> +ssh_allow_empty_password () {
>  	if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
>  		sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
>  		sed -i 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
>  	fi
> +
> +	if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
> +		echo 'DROPBEAR_EXTRA_ARGS="-B"' > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear
> +	fi

Can we use >> here? In case some distro layer provides its own
default/dropbear already?

Or grep + >> if you fear duplication of that line; it probably
should be using sed to add -B if the DROPBEAR_EXTRA_ARGS line is already
there without -B.

Cheers,
Paul Eggleton - Jan. 16, 2013, 4:56 p.m.
On Wednesday 16 January 2013 17:40:38 Martin Jansa wrote:
> On Wed, Jan 16, 2013 at 03:38:13PM +0000, Paul Eggleton wrote:
> > Create a single postprocessing function that enables no-password logins
> > for both openssh and dropbear when debug-tweaks is in IMAGE_FEATURES,
> > changing its behaviour slightly:
> > * Run it regardless of whether ssh-server-* are in IMAGE_FEATURES so
> > 
> >   that it still takes effect if these are installed by adding
> >   dropbear/openssh to IMAGE_INSTALL.
> > 
> > * Enable it to be run from image.bbclass rather than core-image.bbclass
> > 
> >   so that it works for images that are using the former.
> > 
> > Second half of the fix for [YOCTO #2578].
> > 
> > Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
> > ---
> > 
> >  meta/classes/core-image.bbclass |    3 ---
> >  meta/classes/image.bbclass      |   10 ++++++++--
> >  2 files changed, 8 insertions(+), 5 deletions(-)
> > 
> > diff --git a/meta/classes/core-image.bbclass
> > b/meta/classes/core-image.bbclass index 2e67018..e0f6dbb 100644
> > --- a/meta/classes/core-image.bbclass
> > +++ b/meta/classes/core-image.bbclass
> > @@ -76,6 +76,3 @@ ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ;
> > "> 
> >  # Zap the root password if debug-tweaks feature is not enabled
> >  ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES",
> >  "debug-tweaks", "", "zap_root_password ; ",d)}'> 
> > -# Allow openssh accept empty password login if both debug-tweaks and
> > ssh-server-openssh are enabled -ROOTFS_POSTPROCESS_COMMAND +=
> > '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh",
> > "openssh_allow_empty_password; ", "",d)}' -
> > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> > index e494689..131958d 100644
> > --- a/meta/classes/image.bbclass
> > +++ b/meta/classes/image.bbclass
> > @@ -167,6 +167,8 @@ inherit ${IMAGE_CLASSES}
> > 
> >  IMAGE_POSTPROCESS_COMMAND ?= ""
> >  MACHINE_POSTPROCESS_COMMAND ?= ""
> >  ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; "
> > 
> > +# Allow dropbear/openssh to accept logins from accounts with an empty
> > password string if debug-tweaks is enabled +ROOTFS_POSTPROCESS_COMMAND +=
> > '${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > "ssh_allow_empty_password; ", "",d)}'> 
> >  # some default locales
> >  IMAGE_LINGUAS ?= "de-de fr-fr en-gb"
> > 
> > @@ -396,12 +398,16 @@ zap_root_password () {
> > 
> >  	mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd
> >  
> >  }
> > 
> > -# allow openssh accept login with empty password string
> > -openssh_allow_empty_password () {
> > +# allow dropbear/openssh to accept root logins and logins from accounts
> > with an empty password string +ssh_allow_empty_password () {
> > 
> >  	if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
> >  	
> >  		sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#'
> >  		${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config sed -i
> >  		's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#'
> >  		${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config>  	
> >  	fi
> > 
> > +
> > +	if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
> > +		echo 'DROPBEAR_EXTRA_ARGS="-B"' >
> > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear +	fi
> 
> Can we use >> here? In case some distro layer provides its own
> default/dropbear already?
> 
> Or grep + >> if you fear duplication of that line; it probably
> should be using sed to add -B if the DROPBEAR_EXTRA_ARGS line is already
> there without -B.

Slightly ahead of you :) see discussion with Chris.

Cheers,
Paul
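
The merge that Chris Larson and Martin Jansa ask for in the thread above, as an added example (not the v3 patch and not code from the thread): dropbear_allow_blank is a hypothetical helper that adds -B to DROPBEAR_EXTRA_ARGS while keeping the rest of an existing /etc/default/dropbear. The sample file contents, including the DROPBEAR_PORT line, are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the v3 patch: put "-B" into DROPBEAR_EXTRA_ARGS while
# keeping whatever else a layer's /etc/default/dropbear already contains.
# Assumes at most one assignment of the variable in the file.
dropbear_allow_blank() {
    conf=$1
    assign='^[[:space:]]*DROPBEAR_EXTRA_ARGS='
    mkdir -p "$(dirname "$conf")"
    # No file, or a file that never sets the variable: add our own line.
    # ">>" creates the file when missing and preserves it when present.
    if [ ! -e "$conf" ] || ! grep -q "$assign" "$conf"; then
        echo 'DROPBEAR_EXTRA_ARGS="-B"' >> "$conf"
        return 0
    fi
    # -B already present as its own option: leave the file alone, so the
    # function is safe to run more than once.
    if grep -Eq "$assign"'(.*[^[:alnum:]-])?-B([^[:alnum:]-]|$)' "$conf"; then
        return 0
    fi
    # Otherwise prepend -B to the existing value. The first expression handles
    # a quoted value; "t" then skips the second, which quotes a bare word.
    tmp="$conf.tmp.$$"
    sed -e "s/^\([[:space:]]*DROPBEAR_EXTRA_ARGS=[\"']\)/\1-B /" -e t \
        -e 's/^\([[:space:]]*DROPBEAR_EXTRA_ARGS=\)\([^[:space:]]*\)/\1"-B \2"/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: a layer ships its own file with other settings.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# from a distro layer' 'DROPBEAR_PORT=2222' \
        'DROPBEAR_EXTRA_ARGS="-w -g"' > "$d/dropbear"
    dropbear_allow_blank "$d/dropbear"
    dropbear_allow_blank "$d/dropbear"   # second run changes nothing
    cat "$d/dropbear"
    rm -rf "$d"
}
demo
```
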

Patch

diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
index 2e67018..e0f6dbb 100644
--- a/meta/classes/core-image.bbclass
+++ b/meta/classes/core-image.bbclass
@@ -76,6 +76,3 @@  ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
 
 # Zap the root password if debug-tweaks feature is not enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}'
-# Allow openssh accept empty password login if both debug-tweaks and ssh-server-openssh are enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks ssh-server-openssh", "openssh_allow_empty_password; ", "",d)}'
-
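Review bot: With the openssh hook removed here, the zap_root_password line kept just above it is the only debug-tweaks hook left in core-image.bbclass, while the ssh relaxation now runs from image.bbclass. As far as these lines show, an image that inherits image.bbclass directly gets ssh_allow_empty_password when debug-tweaks is set but does not get zap_root_password when it is not; consider moving that hook in the same series, or say in the commit message why it stays in core-image.bbclass.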
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index e494689..131958d 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -167,6 +167,8 @@  inherit ${IMAGE_CLASSES}
 IMAGE_POSTPROCESS_COMMAND ?= ""
 MACHINE_POSTPROCESS_COMMAND ?= ""
 ROOTFS_POSTPROCESS_COMMAND_prepend = "run_intercept_scriptlets; "
+# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks is enabled
+ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "ssh_allow_empty_password; ", "",d)}'
 
 # some default locales
 IMAGE_LINGUAS ?= "de-de fr-fr en-gb"
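Review bot: The comment added above the new ROOTFS_POSTPROCESS_COMMAND line mentions only accounts with an empty password, but ssh_allow_empty_password also sets PermitRootLogin yes, as the comment on the function itself says. Make the two comments agree, and since the hook now fires for every image with debug-tweaks whether or not ssh-server-* is in IMAGE_FEATURES, state here that any image pulling in dropbear or openssh through IMAGE_INSTALL will accept blank-password root logins.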
@@ -396,12 +398,16 @@  zap_root_password () {
 	mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd
 } 
 
-# allow openssh accept login with empty password string
-openssh_allow_empty_password () {
+# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string
+ssh_allow_empty_password () {
 	if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
 		sed -i 's#.*PermitRootLogin.*#PermitRootLogin yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
 		sed -i 's#.*PermitEmptyPasswords.*#PermitEmptyPasswords yes#' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
 	fi
+
+	if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
+		echo 'DROPBEAR_EXTRA_ARGS="-B"' > ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear
+	fi
 }
 
 # Turn any symbolic /sbin/init link into a file
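Review bot: In the dropbear branch, the echo with a single > truncates any ${sysconfdir}/default/dropbear that a layer has already installed, and the redirection fails if ${sysconfdir}/default does not exist in the rootfs; create the directory first and append or edit the DROPBEAR_EXTRA_ARGS line instead of rewriting the file. In the openssh branch, the patterns .*PermitRootLogin.* and .*PermitEmptyPasswords.* rewrite every line that contains the word, explanatory comments included, and change nothing when sshd_config has no such line, so anchor them to the (optionally commented) directive and append the setting when no line matches.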