Disabling root SSH login over network in Yocto

-
One of the security measures we can take in our Yocto Image is to avoid root user login over SSH. The SSH server which gets installed on the image with core-image-sato is 'dropbear'

To avoid root login over SSH, you need to remove 'debug-tweaks'
EXTRA_IMAGE_FEATURES=""
With 'debug-tweaks' option enabled, Yocto runs with dropbear with -B option.
-B Allow blank password logins

To avoid root login over SSH, we need to pass the following options to dropbear
-w Disallow root logins
-g Disable password logins for root

dropbear recipe is present in 'poky/meta/recipes-core/dropbear/'. The 'init' file present in dropbear folder is the script which runs on boot. We need to add '-wg' option in DROPBEAR_EXTRA_ARGS



To achieve this:
1. Create recipes-core folder if it doesn't exist in your layer
2. Inside that create dropbear folder
3. In it create files folder
4. Copy the original init file and update DROPBEAR_EXTRA_ARGS="-w -g"
5. In the dropbear folder, create a dropbear_%.bbappend with the following content:
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "file://init"

Comments

  1. Unknown8 December 2020 at 06:59

    Is it really working? I tried it, and nothing changed, root is still able to connect via ssh

    ReplyDelete

Post a Comment

Popular posts from this blog

bb.utils.contains yocto

-
Image
bb.utils.contains  is most commonly used function in Yocto. grep in poky directory returned with 696 count. $ grep -nr 'bb.utils.contains' poky/ | wc -l 696 It's definition is present in 'poky/bitbake/lib/bb/utils.py' file This function returns third argument if the second argument is subset of the first argument else returns fourth argument Let's take an example to understand this. You can see from the above screenshot, when the second argument is a subset of first argument, "present" was returned, else "notpresent" was returned We can also use bb.utils.contains inside if loop. This we can use inside a recipe. if ${@bb.utils.contains('SOMEFLAG','NEWVALUE3','true','false',d)}; then     FOO = 'HELLO' fi
Read more

make config vs oldconfig vs defconfig vs menuconfig vs savedefconfig

-
Image
Building the Linux Kernel is a two-step process: Configuring the Kernel options Building the Kernel with those options. There are many methods available for configuring the kernel. make config: Text-based Configuration.  Options are prompted one after another. All options need to be answered Access to former options is not possible make menuconfig: Menu-driven user interface Allows to navigate forwards and backward directly between features Allows to load and save files with filenames different from ".config" Provides search feature It uses ncurses library for GUI. If the ncurses library is not installed, make menuconfig option fails. To install ncurses library on Ubuntu: sudo apt-get install libncurses5-dev make defconfig: Creates a ".config" file with default options from the ARCH supplied defconfig Configurations are generally stored in the directory: arch/$(ARCH)/configs $ ls arch/x86/configs/ i386_defconfi
Read more

PR, PN and PV Variable in Yocto

-
PN : Represents the name of the recipe. The name is usually extracted from the recipe file name. PR:  Represents the revision of the recipe. Default value for this revision is "r0". Subsequent revisions of the recipe conventionally will have "r1", "r2" and so on. PV:  Represents the version of the recipe. Normally extracted from the recipe file name. For example: ffmpeg_3.4.2.bb recipe. ${PN} : ffmpeg ${PV} : 3.4.2
Read more