Openssh config change not working

cheesi · June 20, 2018, 10:36pm

I’m currently trying to apply an different openssh config to fix this issue: SSH | Toradex Developer Center

I have a custom layer and created the following file:

/mylayer/recipes-connectivity/openssh/openssh_%.bbappend

with the following content:

do_install_append () {
	sed -i -e 's:PermitEmptyPassword:#PermitEmptyPassword:' ${D}${sysconfdir}/ssh/sshd_config
}

After some tries, i did a build with bitbake -e openssh and saved the log. As I can see, my bbappend definitely got applied:

do_install() {
    autotools_do_install
	if [ "pam" ]; then
		install -D -m 0644 /home/christian/oe-core-2.8b2/build/tmp-glibc/work/cortexa9t2hf-neon-angstrom-linux-gnueabi/openssh/7.5p1-r0/sshd /home/christian/oe-core-2.8b2/build/tmp-glibc/work/cortexa9t2hf-neon-angstrom-linux-gnueabi/openssh/7.5p1-r0/image/etc/pam.d/sshd
		sed -i -e 's:#UsePAM no:UsePAM yes:' /home/christian/oe-core-2.8b2/build/tmp-glibc/work/cortexa9t2hf-neon-angstrom-linux-gnueabi/openssh/7.5p1-r0/image/etc/ssh/sshd_config
	fi

	# Many other instructions

	install -D -m 0755 /home/christian/oe-core-2.8b2/build/tmp-glibc/work/cortexa9t2hf-neon-angstrom-linux-gnueabi/openssh/7.5p1-r0/sshd_check_keys /home/christian/oe-core-2.8b2/build/tmp-glibc/work/cortexa9t2hf-neon-angstrom-linux-gnueabi/openssh/7.5p1-r0/image/usr/libexec/openssh/sshd_check_keys
    sed -i -e 's:^#UseDNS.*$:UseDNS no:g' /home/christian/oe-core-2.8b2/build/tmp-glibc/work/cortexa9t2hf-neon-angstrom-linux-gnueabi/openssh/7.5p1-r0/image/etc/ssh/sshd_config

    #my command
	sed -i -e 's:PermitEmptyPassword:#PermitEmptyPassword:' /home/christian/oe-core-2.8b2/build/tmp-glibc/work/cortexa9t2hf-neon-angstrom-linux-gnueabi/openssh/7.5p1-r0/image/etc/ssh/sshd_config
}

I also tested the sed command succesfully:

christian@Dev:~/Image_Deploy/Colibri-iMX6_Console-Image_2.8.2/rootfs/etc/ssh$ ls
moduli  ssh_config  sshd_config  sshd_config_readonly
christian@Dev:~/Image_Deploy/Colibri-iMX6_Console-Image_2.8.2/rootfs/etc/ssh$ cat sshd_config | grep PermitEmptyPasswords
PermitEmptyPasswords yes
christian@Dev:~/Image_Deploy/Colibri-iMX6_Console-Image_2.8.2/rootfs/etc/ssh$ sudo sed -i -e 's:PermitEmptyPassword:#PermitEmptyPassword:' sshd_config
christian@Dev:~/Image_Deploy/Colibri-iMX6_Console-Image_2.8.2/rootfs/etc/ssh$ cat sshd_config | grep PermitEmptyPasswords
#PermitEmptyPasswords yes

I had been experimenting for hours now, also tried to apply a complete sshd_config, but nothing works.

Any ideas?

Is there an other way we could apply this configuration change to our build system?

max.tx · June 21, 2018, 11:06am

Hi

I guess you have one of ‘debug-tweaks’, ‘allow-empty-password’ in IMAGE_FEATURES. Then ssh_allow_empty_password() gets executed which reverts what you have done.

To check the assumption you could:

bitbake openssh -fc package
bitbake openssh -c devshell

If …/package/etc/ssh/sshd_config contains your indented changes then the assumption is true and the file gets changed at image creation time.

Either

remove ‘debug-tweaks’ and ‘allow-empty-password’ from IMAGE_FEATURES and get whatever other side effects those settings have.

or

create a postinst function in your image recipe with your call to sed and append said function to the ROOTFS_POSTPROCESS_COMMAND variable so that your sed call is executed after the ssh_allow_empty_password() call.

or

[UNTESTED] define an empty ssh_allow_empty_password() in your image recipe. (In the hope that this overwrites the original one.

.

ssh_allow_empty_password() {
:
}

Max

cheesi · June 21, 2018, 11:27am

Hi Max!

Thanks for the quick response. I will check that later this evening, but your first assumption should be right. As far as I can remember, I didn’t removed the debug-tweaks.

BR Christian

cheesi · June 21, 2018, 5:11pm

Yeah, it was the debug-tweaks…

Big thanks to you for your help, i nearly lost my mind after 4 hours of trying to get that working and the solution is soooo easy