[OE-core] how to *securely* do a remote install of an OE image?
Gary Thomas
gary at mlbassoc.com
Tue Feb 28 12:32:22 UTC 2017
On 2017-02-28 13:27, Patrick Ohly wrote:
> On Tue, 2017-02-28 at 05:28 -0500, Robert P. J. Day wrote:
>> my immediate reaction was to use SSH keys, where the
>> newly-installed system would require SSH logins, and would have to
>> match the corresponding private key.
>
> That would also be my preferred approach.
>
>> as an alternative, perhaps don't worry about such a situation, but
>> when the authorized user logs in for what is *supposed* to be the
>> first time, it will be flagged that someone else has already logged in
>> earlier, and a warning will be printed, "Previous login to root
>> detected, you have been compromised, please re-install!"
>
> Or, along the same lines, set an empty root password and force the user
> to set a password on the first login. There are ways to do that with
> PAM, but I don't have anything at hand.
>
>> i'm sure there are plenty of ways of doing this, anyone have any
>> pointers?
>
> For ssh keys, there's rootfsdebugfiles.bbclass. In local.conf:
>
> INHERIT += "rootfsdebugfiles"
> ROOTFS_DEBUG_FILES += "/home/pohly/.ssh/id_rsa.pub ${IMAGE_ROOTFS}/home/root/.ssh/authorized_keys ;"
>
> This copies my id_rsa.pub into authorized_keys and thus let's me log
> into images that I create via ssh.
>
Does this work for dropbear or only openssh?
--
------------------------------------------------------------
Gary Thomas | Consulting for the
MLB Associates | Embedded world
------------------------------------------------------------
More information about the Openembedded-core
mailing list