On Tue, 2017-02-28 at 05:28 -0500, Robert P. J. Day wrote: > my immediate reaction was to use SSH keys, where the > newly-installed system would require SSH logins, and would have to > match the corresponding private key.
That would also be my preferred approach. > as an alternative, perhaps don't worry about such a situation, but > when the authorized user logs in for what is *supposed* to be the > first time, it will be flagged that someone else has already logged in > earlier, and a warning will be printed, "Previous login to root > detected, you have been compromised, please re-install!" Or, along the same lines, set an empty root password and force the user to set a password on the first login. There are ways to do that with PAM, but I don't have anything at hand. > i'm sure there are plenty of ways of doing this, anyone have any > pointers? For ssh keys, there's rootfsdebugfiles.bbclass. In local.conf: INHERIT += "rootfsdebugfiles" ROOTFS_DEBUG_FILES += "/home/pohly/.ssh/id_rsa.pub ${IMAGE_ROOTFS}/home/root/.ssh/authorized_keys ;" This copies my id_rsa.pub into authorized_keys and thus let's me log into images that I create via ssh. -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core