[OE-core] how to *securely* do a remote install of an OE image?

[Patrick Ohly]

On Tue, 2017-02-28 at 05:28 -0500, Robert P. J. Day wrote:
>   my immediate reaction was to use SSH keys, where the
> newly-installed system would require SSH logins, and would have to
> match the corresponding private key.

That would also be my preferred approach.

>   as an alternative, perhaps don't worry about such a situation, but
> when the authorized user logs in for what is *supposed* to be the
> first time, it will be flagged that someone else has already logged in
> earlier, and a warning will be printed, "Previous login to root
> detected, you have been compromised, please re-install!"

Or, along the same lines, set an empty root password and force the user
to set a password on the first login. There are ways to do that with
PAM, but I don't have anything at hand.

>   i'm sure there are plenty of ways of doing this, anyone have any
> pointers?

For ssh keys, there's rootfsdebugfiles.bbclass. In local.conf:

INHERIT += "rootfsdebugfiles"
ROOTFS_DEBUG_FILES += "/home/pohly/.ssh/id_rsa.pub ${IMAGE_ROOTFS}/home/root/.ssh/authorized_keys ;"

This copies my id_rsa.pub into authorized_keys and thus let's me log
into images that I create via ssh.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.