Angstrom: Disable ssh server

gardarh · March 30, 2016, 9:28am

How can I disable the ssh server via Yocto build configuration?

Furthermore is there a list somewhere of the features that can be enabled/disabled from Angstrom?

brandon.tx · March 31, 2016, 12:18am

How can I disable the ssh server via Yocto build configuration?

Try adding the following to a recipe: SYSTEMD_AUTO_ENABLE_openssh-sshd = "disable".
You’ll probably also need to include: inherit systemd

Furthermore is there a list somewhere of the features that can be enabled/disabled from Angstrom?

Angstrom itself is a distro layer within the build system as well as a provider of binary packages to the image through its online package feeds. As far as DISTRO_FEATURES go, there are a number of common ones identified in the Yocto Project documentation. If you’re looking to add/remove DISTRO_FEATURES to/from Angstrom, start by having a look at the distro conf file ‘meta-angstrom/conf/distro/angstrom.conf’. Note that not all possible DISTRO_FEATURES will integrate well with Angstrom.

Beyond Angstrom & DISTRO_FEATURES, there is a plethora of other stuff that can be customized in the Yocto Project/OpenEmbedded-Core build system. The Yocto Project Documentation is good general resource. Unfortunately, the shear magnitude of customization possible in this framework means there isn’t a simple “list” of features to be enabled/disabled. But you can start by looking at some of the important high level variables that are used to construct an image, such as DISTRO & DISTRO_FEATURES, MACHINE & MACHINE_FEATURES, IMAGE_FEATURES, IMAGE_INSTALL, etc.

I also recommend checking out following webinars about the Yocto Project from Toradex:

gardarh · March 31, 2016, 10:10am

Thanks @brandon.shibley , these videos are a really good resource.

gardarh · April 1, 2016, 10:30am

openssh-ssd is added as a dependency of packagegroup-basic, see:

http://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-core/packagegroups/packagegroup-basic.bb?h=jethro#n33

and

github.com

Angstrom-distribution/meta-angstrom/blob/angstrom-v2015.06-yocto1.8/conf/distro/angstrom-v2015.06.conf#L124


      
          PNBLACKLIST[gconf-dbus]        = "gconf-dbus has been merged back into main GConf"
          PNBLACKLIST[gconf-dbus-native] = "gconf-dbus has been merged back into main GConf"
          PNBLACKLIST[ffmpeg] = "libav is preferred over ffmpeg"
          PNBLACKLIST[bluez5] = "bluez4 is preferred over bluez5"
          
          
# Define splash before it gets set to empty in angstrom-core-tweaks.inc:
          SPLASH ?= ' ${@base_contains("MACHINE_FEATURES", "screen", "dietsplash", "",d)}'
          require conf/distro/include/angstrom.inc
          
          
# Prefer openssh over dropbear
          TASK_BASIC_SSHDAEMON = "openssh-ssh openssh-sshd openssh-scp openssh-sftp openssh-sftp-server"
          
          
# Toolchain virtuals:
          require conf/distro/include/toolchain-${TOOLCHAIN_TYPE}.inc
          # Processor specific tunes like hard float ABI
          include conf/distro/include/${TARGET_ARCH}-defaults.inc
          # Set DISTRO_FEED_CONFIGS to our config var, assigned in the above .inc
          DISTRO_FEED_CONFIGS = "${ANGSTROM_FEED_CONFIGS}"
          
          
# If we're using an .ipk based rootfs, we want to have opkg installed so postinst script can run
          # We also take this opportunity to inject angstrom-version and the feed configs into the rootfs

In turn my image (and Toradex images I believe) adds packagegroup-basic to IMAGE_INSTALL.

The first thing I tried was:

RDEPENDS_remove = "openssh-ssh openssh-sshd openssh-scp openssh-sftp openssh-sftp-server"

But appending _remove to RDEPENDS apparently does not work. So the (somewhat heavy-handed) solution I found was to copy packagegroup-basic.bb into my layer, modify its name and setting the following:

TASK_BASIC_SSHDAEMON = ""

I don’t love this solution, it would be interesting to see:

If there if there is a way to install the ssh server but make it disabled by default
If I can to modify the TASK_BASIC_SSHDAEMON from my own layer (copying files from upstream layers feels a bit messy)

But this solution worksforme™ .

gardarh · April 1, 2016, 10:31am

I’m sorry I had a false positive with this solution, it did not work for me. See my solution below.

kumar.lksp · April 11, 2017, 1:01pm

Please the add the following line into ./conf/local.conf file
PACKAGECONFIG_remove += “openssh”