is there a way to use a keypair to ssh into the FX30?
We would also like to remove the auto-login feature, this is to prevent people from logging in and copying our app.
What is the best way to do so?
Hi @claudio.baldini ,
We have a similar topic matching your request. Please refer to the details below.
Thanks,
cheers @Donald we would also need to completely eliminate the possibility of logging in to the device without the key-pair, so no user or root should be able to get into the device and to see/read/copy the binary.
I have also seen a possible problem and requirement to switch back to a different user before a firmware update:
IMPORTANT: Since the owner of /home/root is "appfwupdateService" by default, for safety reasons you should switch back to this user and default permissions (755) before doing a firmware update.
We would need to remotely download the firmware and this may not be possible/easy to achieve…
Hi @claudio.baldini ,
You can disable user logins by changing the dropbear configuration in /etc/default/dropbear
I recommend you build your own yocto image with the change applied within your workspace. If you manually modify the file, it will be present in the overlay and subject to being deleted upon factory reset via the pushbutton.
BR,
Chris
ok, we are using the system build with legato, so possibly I can modify it manually (/etc/default/dropbear), back up the file and then include it in my system so it is downloaded to the target when I download the app to it?
It's not clear from your statement how you plan to implement the change.
Some options are:
- Add a recipe into a yocto workspace and build the full image, including your application
- Add the dropbear configuration within your Legato app (make sure you also restart dropbear)
- Manually perform the change which is subject to factory reset
BR,
Chris
I would like to implement option 2. How can I configure dropbear from my app? Would you be able to point me to any example?
Now that I can build the source, is there any reference for option 1, so as to add the login through key-pair and to disable the password login?
I wonder if this was already discussed in a different post so I can start from there.
Hi @claudio.baldini,
You'll have to do it in 2 steps:
- Install your authorized_keys into the root filesystem somewhere. You can create a recipe that looks something like this:
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += " \
    file://authorized_keys \
"
# stage the key file under /etc; a startup script copies it into /home/root/.ssh at boot
do_install_append() {
    install -m 0600 ${WORKDIR}/authorized_keys -D ${D}${sysconfdir}/authorized_keys
}
- Create a startup script to copy the authorized_keys to the /home/root/.ssh folder:
#!/bin/sh
# copy authorized_keys into root's home on first boot, with the
# permissions dropbear expects (no group/other write bits)
if [ ! -d /home/root/.ssh ]; then
    mkdir -p /home/root/.ssh
    chmod 700 /home/root/.ssh
fi
if [ ! -e /home/root/.ssh/authorized_keys ]; then
    cp /etc/authorized_keys /home/root/.ssh/
    chmod 600 /home/root/.ssh/authorized_keys
fi
- Install your startup script from one of your recipes
do_install_append() {
    install -m 0755 ${WORKDIR}/myscript.sh -D ${D}${sysconfdir}/init.d/myscript.sh
    # register the script with update-rc.d, against ${D} at build time or the live system otherwise
    [ -n "${D}" ] && OPT="-r ${D}" || OPT="-s"
    update-rc.d $OPT -f myscript.sh remove
    update-rc.d $OPT myscript.sh start 60 S . stop 60 S .
}
BR,
Chris
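Added example (not code from this thread or from Sierra Wireless) that puts the two pieces discussed above together: the key-only login via /etc/default/dropbear mentioned earlier and the authorized_keys staging from the recipe and startup script. The staging root is a parameter so the same functions work against ${D} in a recipe or against / on the target; the function names and the sample key line are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: stage authorized_keys and the
# dropbear defaults under a root directory ($1), which can be ${D} inside a
# recipe's do_install or / when run as a startup script on the target.
install_authorized_keys() {
    root="$1"
    keyfile="$2"
    mkdir -p "$root/home/root/.ssh"
    chmod 700 "$root/home/root/.ssh"   # dropbear ignores keys if ~/.ssh is group/world writable
    cp "$keyfile" "$root/home/root/.ssh/authorized_keys"
    chmod 600 "$root/home/root/.ssh/authorized_keys"
}

# /etc/default/dropbear is sourced by the Yocto dropbear init script, which
# passes DROPBEAR_EXTRA_ARGS to the daemon; -s disables password logins, so
# only keys listed in authorized_keys can open a session.
write_dropbear_defaults() {
    root="$1"
    mkdir -p "$root/etc/default"
    printf 'DROPBEAR_EXTRA_ARGS="-s"\n' > "$root/etc/default/dropbear"
}

# Returns 0 when the key directory and file exist without group/other write
# bits and password logins are switched off, 1 otherwise.
verify_key_only_login() {
    root="$1"
    dir="$root/home/root/.ssh"
    [ -f "$dir/authorized_keys" ] || return 1
    [ -z "$(find "$dir" -maxdepth 1 \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    grep -q 'DROPBEAR_EXTRA_ARGS=.*-s' "$root/etc/default/dropbear" 2>/dev/null || return 1
    return 0
}

# Constructed sample public key line (not a real key) for trying the functions.
EXAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL0000000000000000000 ops@example'
```

The recipe's package only reaches the root filesystem once the image pulls it in (for example through IMAGE_INSTALL in the image recipe or local.conf); otherwise bitbake parses the recipe but never builds or installs it. With -s in place the only way back into the device is a key in authorized_keys, so keep the matching private key somewhere recoverable before deploying.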
I have created a recipe "customssh" in swi-linux-src/meta-swi/common/recipes-core/customssh/customssh_0.1.bb:
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
LICENSE = "MIT"
SRC_URI += " \
    file://authorized_keys \
"
do_install_append() {
    install -m 0600 ${WORKDIR}/authorized_keys -D ${D}${sysconfdir}/authorized_keys
    install -m 0755 ${WORKDIR}/myscript.sh -D ${D}${sysconfdir}/init.d/myscript.sh
    [ -n "${D}" ] && OPT="-r ${D}" || OPT="-s"
    update-rc.d $OPT -f myscript.sh remove
    update-rc.d $OPT myscript.sh start 60 S . stop 60 S .
}
in the "files" folder I have copied the authorized_keys and my_script.sh
Compiled from source but it still seems to go through the password…
Hi @claudio.baldini,
When you ssh to your device, do you specify -i <your_public_key>?
BR,
Chris
should the recipe download the files to the target?
because I am checking the /etc and /etc/init.d folders and can't see either the keys or the script…
I think you are missing myscript.sh in the SRC_URI
You can also verify your recipe is working properly by ensuring the files are installed into the target rfs here:
/build_bin/tmp/work/swi_mdm9x28_fx30-poky-linux-gnueabi/mdm9x28-image-minimal/1.0-r0.0/rootfs/etc
BR,
Chris
yeah, I had that fixed:
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
LICENSE = "MIT"
SRC_URI = "file://authorized_keys"
SRC_URI += "file://myscript.sh"
do_install() {
    install -m 0600 ${WORKDIR}/authorized_keys -D ${D}${sysconfdir}/authorized_keys
    install -m 0755 ${WORKDIR}/myscript.sh -D ${D}${sysconfdir}/init.d/myscript.sh
    [ -n "${D}" ] && OPT="-r ${D}" || OPT="-s"
    update-rc.d $OPT -f myscript.sh remove
    update-rc.d $OPT myscript.sh start 60 S . stop 60 S .
}
but can't see the file in the directory you have mentioned.
swi-linux-src/build_bin/tmp/work/swi_mdm9x28_fx30-poky-linux-gnueabi/mdm9x28-image-minimal/1.0-r0.0/rootfs/etc
none of them, the myscript.sh should be inside the init.d but is not.
my recipe is placed in the:
swi-linux-src/meta-swi/common/recipes-core/customssh
where customssh is my recipe folder and customssh_0.1.bb is the name of the bitbake recipe
I can compile with no problem, but the files do not show up…
Hi @claudio.baldini,
You can debug your recipe by checking the temp folder that is generated within the recipe workspace. In your case, it should be in:
build_bin/tmp/work/armv7a-neon-poky-linux-gnueabi/customssh/0.1_0/temp
Within the "temp" folder, check the log.task_order to view the list of tasks that are run for your recipe.
If you don't see the do_install task, you may need to do an "addtask".
Also, you may need to change your recipe name to match the recipe folder.
BR,
Chris
@cchenry I can't find this folder, the recipe name (customssh_01.bb) is matching the folder (customssh), this has been added to the swi-linux-src/meta-swi/common/recipes-core folder.
The recipe is definitely built, as if I omit the license the build will fail, and if I specify the wrong filename I will get a warning.
However, after building the yocto image, I can't see anything in the folder you have mentioned:
build_bin/tmp/work/armv7a-neon-poky-linux-gnueabi/customssh/0.1_0/temp
The customssh just doesn't exist.
Is the swi-linux-src/meta-swi/common/recipes-core the right folder where to place the recipe?
Hi @claudio.baldini,
You need to figure out why your recipe isn't being parsed.
Try running these commands:
make dev
bitbake-layers show-recipes
Then check if your recipe is listed. It's possible the conf file isn't parsing the same string type that matches the format of your recipe name.
You may need to modify the conf file or you could try moving it elsewhere.
BR,
Chris
@cchenry thanks, the recipe seems to be parsed properly:
customssh:
common 01
but after I have baked, it doesn't show anywhere, as running this command
swi-linux-src$ find . -name customssh
only returns the folder and the files
./swi-linux-src/meta-swi/common/recipes-core/customssh
./swi-linux-src/meta-swi/common/recipes-core/customssh/customssh_01.bb
@cchenry I have also tried to place the recipe in this folder, the recipe is listed if I use the command you have sent, but files and folders are still not created.
This is not top priority on our list but it would be nice to fix if we could…
@cchenry but I was wondering, even after we have implemented this, will this prevent someone from hard resetting the device with the RESET button and specifying a new login password?
I understand we can disable that functionality with an AT command, but then if we have any problem with the applications we have designed, how can we recover?