Re: [OE-core] [PATCH] openssh: allow root login when debug-tweaks is enabled

Fri, 07 Sep 2012 17:04:15 -0700 

On 09/07/2012 04:56 PM, Paul Eggleton wrote:

On Friday 07 September 2012 11:17:29 Saul Wold wrote:

This allows root to login over ssh with an empty password just like
dropbear when the debug-tweaks are enabled, it's important to disable
debug-tweaks for a production system as this will leave open a security
hole!

Thanks to Marc for the settings.
Cc: Marc Ferland <marc.ferl...@gmail.com>

[Yocto #3078]

Signed-off-by: Saul Wold <s...@linux.intel.com>
---
  meta/recipes-connectivity/openssh/openssh_6.0p1.bb |    9 ++++++++-
  1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb index 31202d4..fcd082c
100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -7,7 +7,7 @@ SECTION = "console/network"
  LICENSE = "BSD"
  LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"

-PR = "r3"
+PR = "r4"

  DEPENDS = "zlib openssl"
  DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -75,6 +75,13 @@ do_install_append () {
                        install -m 0755 ${WORKDIR}/sshd 
${D}${sysconfdir}/pam.d/sshd
                fi
        done
+       for i in ${IMAGE_FEATURES};
+       do
+               if [ ${i} = "debug-tweaks" ]; then
+                       sed -i -e "s/^#PermitRootLogin/PermitRootLogin/"
${D}${sysconfdir}/ssh/sshd_config +                     sed -i -e 
"s/^#PermitEmptyPasswords
no/PermitEmptyPasswords yes/" ${D}${sysconfdir}/ssh/sshd_config +          fi
+       done
        install -d ${D}${sysconfdir}/init.d
        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
        rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin


I'm a bit confused by this because I thought this issue had already been
solved. Unfortunately when I looked back I see the patch was never merged:

http://patches.openembedded.org/patch/29693/
It was merged, I just augmented that allow_empty_passwd() with another 1 line sed to PermitRootLogin also. 


I agree with Phil, we really don't want to replicate dropbear's usage of
IMAGE_FEATURES outside of image handling code - in fact there is a bug in the
Yocto Project bugzilla (#2578) against me to remove this for dropbear.


Paul, I can have a crack at it if you want.

Sau!


Cheers,
Paul



_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core

Reply via email to