[OE-core] [PATCH] openssh: allow root login when debug-tweaks is enabled
Saul Wold
sgw at linux.intel.com
Sat Sep 8 00:03:44 UTC 2012
On 09/07/2012 04:56 PM, Paul Eggleton wrote:
> On Friday 07 September 2012 11:17:29 Saul Wold wrote:
>> This allows root to login over ssh with an empty password just like
>> dropbear when the debug-tweaks are enabled, it's important to disable
>> debug-tweaks for a production system as this will leave open a security
>> hole!
>>
>> Thanks to Marc for the settings.
>> Cc: Marc Ferland <marc.ferland at gmail.com>
>>
>> [Yocto #3078]
>>
>> Signed-off-by: Saul Wold <sgw at linux.intel.com>
>> ---
>> meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 9 ++++++++-
>> 1 files changed, 8 insertions(+), 1 deletions(-)
>>
>> diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
>> b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb index 31202d4..fcd082c
>> 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
>> @@ -7,7 +7,7 @@ SECTION = "console/network"
>> LICENSE = "BSD"
>> LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
>>
>> -PR = "r3"
>> +PR = "r4"
>>
>> DEPENDS = "zlib openssl"
>> DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>> @@ -75,6 +75,13 @@ do_install_append () {
>> install -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
>> fi
>> done
>> + for i in ${IMAGE_FEATURES};
>> + do
>> + if [ ${i} = "debug-tweaks" ]; then
>> + sed -i -e "s/^#PermitRootLogin/PermitRootLogin/"
>> ${D}${sysconfdir}/ssh/sshd_config + sed -i -e "s/^#PermitEmptyPasswords
>> no/PermitEmptyPasswords yes/" ${D}${sysconfdir}/ssh/sshd_config + fi
>> + done
>> install -d ${D}${sysconfdir}/init.d
>> install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
>> rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
>
> I'm a bit confused by this because I thought this issue had already been
> solved. Unfortunately when I looked back I see the patch was never merged:
>
> http://patches.openembedded.org/patch/29693/
>
It was merged, I just augmented that allow_empty_passwd() with another 1
line sed to PermitRootLogin also.
> I agree with Phil, we really don't want to replicate dropbear's usage of
> IMAGE_FEATURES outside of image handling code - in fact there is a bug in the
> Yocto Project bugzilla (#2578) against me to remove this for dropbear.
>
Paul, I can have a crack at it if you want.
Sau!
> Cheers,
> Paul
>
More information about the Openembedded-core
mailing list