On 09/07/2012 04:56 PM, Paul Eggleton wrote:
On Friday 07 September 2012 11:17:29 Saul Wold wrote:
This allows root to login over ssh with an empty password just like
dropbear when the debug-tweaks are enabled, it's important to disable
debug-tweaks for a production system as this will leave open a security
hole!
Thanks to Marc for the settings.
Cc: Marc Ferland <marc.ferl...@gmail.com>
[Yocto #3078]
Signed-off-by: Saul Wold <s...@linux.intel.com>
---
meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb index 31202d4..fcd082c
100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -7,7 +7,7 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
-PR = "r3"
+PR = "r4"
DEPENDS = "zlib openssl"
DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -75,6 +75,13 @@ do_install_append () {
install -m 0755 ${WORKDIR}/sshd
${D}${sysconfdir}/pam.d/sshd
fi
done
+ for i in ${IMAGE_FEATURES};
+ do
+ if [ ${i} = "debug-tweaks" ]; then
+ sed -i -e "s/^#PermitRootLogin/PermitRootLogin/"
${D}${sysconfdir}/ssh/sshd_config + sed -i -e
"s/^#PermitEmptyPasswords
no/PermitEmptyPasswords yes/" ${D}${sysconfdir}/ssh/sshd_config + fi
+ done
install -d ${D}${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
I'm a bit confused by this because I thought this issue had already been
solved. Unfortunately when I looked back I see the patch was never merged:
http://patches.openembedded.org/patch/29693/
It was merged, I just augmented that allow_empty_passwd() with another 1
line sed to PermitRootLogin also.
I agree with Phil, we really don't want to replicate dropbear's usage of
IMAGE_FEATURES outside of image handling code - in fact there is a bug in the
Yocto Project bugzilla (#2578) against me to remove this for dropbear.
Paul, I can have a crack at it if you want.
Sau!
Cheers,
Paul
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core