Using key pair to ssh into FX30

Is there a way to use a key pair to ssh into the FX30?
We would also like to remove the auto-login feature; this is to prevent people from logging in and copying our app.
What is the best way to do so?

Hi @claudio.baldini ,

We have a similar topic matching your request. Please refer to the post below for details.

Thanks,

Cheers @Donald, we would also need to completely eliminate the possibility of logging in to the device without the key pair, so no user or root should be able to get into the device and see/read/copy the binary.

I have also seen a possible problem and requirement to switch back to a different user before a firmware update:
IMPORTANT: Since the owner of /home/root is ‘appfwupdateService’ by default, for safety reasons you should switch back to this user and default permissions (755) before doing a firmware update.

We would need to remotely download the firmware and this may not be possible/easy to achieve…

Hi @claudio.baldini ,
You can disable user logins by changing the dropbear configuration in /etc/default/dropbear

I recommend you build your own yocto image with the change applied within your workspace. If you manually modify the file, it will be present in the overlay and subject to being deleted upon factory reset via the pushbutton.

BR,
Chris

OK, we are using the system build with Legato, so possibly I can modify it manually (/etc/default/dropbear), back up the file and then implement it into my system so it is downloaded to the target when I download the app to it?

It’s not clear from your statement how you plan to implement the change.

Some options are:

  1. Add a recipe into a yocto workspace and build the full image, including your application
  2. Add the dropbear configuration within your Legato app (make sure you also restart dropbear)
  3. Manually perform the change which is subject to factory reset

BR,
Chris

I would like to implement option 2. How can I configure dropbear from my app? Would you be able to point me to any example?

Now that I can build the source, is there any reference for option 1, so as to add login through a key pair and disable password login?
I wonder if this was already discussed in a different post so I can start from there.

Hi @claudio.baldini,
You’ll have to do it in 2 steps:

  1. Install your authorized_keys into the root filesystem somewhere. You can create a recipe that looks something like this:
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

SRC_URI += " \
            file://authorized_keys \
           "

do_install_append() {
    # Stage the key under /etc so the startup script below can pick it up
    install -m 0755 ${WORKDIR}/authorized_keys -D ${D}${sysconfdir}/authorized_keys
}

  2. Create a startup script to copy the authorized_keys to the /home/root/.ssh folder:
    # copy authorized_keys
    if [ ! -d /home/root/.ssh ]; then
        mkdir -p /home/root/.ssh
    fi

    if [ ! -e /home/root/.ssh/authorized_keys ]; then
        cp /etc/authorized_keys /home/root/.ssh/
    fi

  3. Install your startup script from one of your recipes
do_install_append() {
    install -m 0755 ${WORKDIR}/myscript.sh -D ${D}${sysconfdir}/init.d/myscript.sh

    # At build time (${D} set) register the script in the staged rootfs; on the target use the live system
    [ -n "${D}" ] && OPT="-r ${D}" || OPT="-s"
    update-rc.d $OPT -f myscript.sh remove
    update-rc.d $OPT myscript.sh start 60 S . stop 60 S .
}

BR,
Chris
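The startup script in step 2 copies the key but leaves the 0755 mode from the recipe and does not touch the password-login side of the question. Below is an added example (not Chris's script or any Sierra Wireless code) of what a complete myscript.sh for step 3 could do: install the baked-in key with the modes an SSH server expects, and write the dropbear setting that turns off password authentication. It assumes the device's dropbear init script sources /etc/default/dropbear and passes DROPBEAR_EXTRA_ARGS to the daemon; ROOT is an optional prefix so the functions can be exercised on a build host.

```shell
#!/bin/sh
# Added example, not the thread's own script: installs the key baked into the
# image and switches dropbear to key-only authentication. ROOT is an optional
# prefix for dry runs on a build host; on the FX30 it is empty.
# Assumption: the device's dropbear init script sources /etc/default/dropbear
# and hands DROPBEAR_EXTRA_ARGS to the daemon.

# Copy /etc/authorized_keys into /home/root/.ssh with 0700 dir / 0600 file.
# /home/root itself is left untouched: the thread notes appfwupdateService
# owns it and the firmware updater expects 755 there.
install_authorized_keys() {
    src="${ROOT}/etc/authorized_keys"
    dir="${ROOT}/home/root/.ssh"
    [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$dir" && chmod 0700 "$dir"
    # Refresh only when the baked-in key differs, so a rotated key in a new
    # image takes effect on the next boot without rewriting on every boot.
    if ! cmp -s "$src" "$dir/authorized_keys"; then
        cp "$src" "$dir/authorized_keys"
    fi
    chmod 0600 "$dir/authorized_keys"
}

# dropbear -s refuses password authentication for every user, so only keys
# listed in authorized_keys can log in (-g would restrict root only). Any
# earlier DROPBEAR_EXTRA_ARGS line is replaced; add other options you need.
disable_password_login() {
    f="${ROOT}/etc/default/dropbear"
    mkdir -p "${f%/*}"
    grep -v '^DROPBEAR_EXTRA_ARGS=' "$f" > "$f.tmp" 2>/dev/null || :
    echo 'DROPBEAR_EXTRA_ARGS="-s"' >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# Post-boot check: succeeds only when key, modes and daemon flag are in place.
verify_ssh_lockdown() {
    dir="${ROOT}/home/root/.ssh"
    [ "$(find "$dir" -maxdepth 0 -perm 0700 2>/dev/null)" ] &&
    [ "$(find "$dir/authorized_keys" -perm 0600 2>/dev/null)" ] &&
    grep -q '^DROPBEAR_EXTRA_ARGS="-s"$' "${ROOT}/etc/default/dropbear" 2>/dev/null
}

# update-rc.d runs the script as "myscript.sh start" at boot.
case "${1:-}" in
    start) install_authorized_keys && disable_password_login ;;
esac
```

Dropbear only reads /etc/default/dropbear when it starts, so after the first boot with this script the daemon must be restarted (or the device rebooted) before the -s flag takes effect.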

I have created a recipe “customssh” in swi-linux-src/meta-swi/common/recipes-core/customssh/customssh_0.1.bb:

FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
LICENSE = "MIT"

SRC_URI += " \
    file://authorized_keys \
"

do_install_append() {
    install -m 0755 ${WORKDIR}/authorized_keys -D ${D}${sysconfdir}/authorized_keys
    install -m 0755 ${WORKDIR}/myscript.sh -D ${D}${sysconfdir}/init.d/myscript.sh
    [ -n "${D}" ] && OPT="-r ${D}" || OPT="-s"
    update-rc.d $OPT -f myscript.sh remove
    update-rc.d $OPT myscript.sh start 60 S . stop 60 S .
}

In the “files” folder I have copied the authorized_keys and my_script.sh.
Compiled from source, but it still seems to go through the password…

Hi @claudio.baldini,
When you ssh to your device, do you specify -i <your_public_key>?
BR,
Chris

Should the recipe download the files to the target?
Because I am checking the /etc and /etc/init.d folders and can't see either the keys or the script…

I think you are missing myscript.sh in the SRC_URI

You can also verify your recipe is working properly by ensuring the files are installed into the target rfs here:
/build_bin/tmp/work/swi_mdm9x28_fx30-poky-linux-gnueabi/mdm9x28-image-minimal/1.0-r0.0/rootfs/etc

BR,
Chris

Yeah, I had that fixed:
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
LICENSE = "mit"

SRC_URI = "file://authorized_keys"
SRC_URI += "file://myscript.sh"

do_install() {
    install -m 0755 ${WORKDIR}/authorized_keys -D ${D}${sysconfdir}/authorized_keys
    install -m 0755 ${WORKDIR}/myscript.sh -D ${D}${sysconfdir}/init.d/myscript.sh
    [ -n "${D}" ] && OPT="-r ${D}" || OPT="-s"
    update-rc.d $OPT -f myscript.sh remove
    update-rc.d $OPT myscript.sh start 60 S . stop 60 S .
}

But I can't see the files in the directory you have mentioned:
swi-linux-src/build_bin/tmp/work/swi_mdm9x28_fx30-poky-linux-gnueabi/mdm9x28-image-minimal/1.0-r0.0/rootfs/etc
None of them; myscript.sh should be inside init.d but is not.

My recipe is placed in:
swi-linux-src/meta-swi/common/recipes-core/customssh
where customssh is my recipe folder and customerssh_0.1.bb is the name of the bitbake recipe.

I can compile with no problem, but the files do not show up…

Hi @claudio.baldini,

You can debug your recipe by checking the temp folder that is generated within the recipe workspace. In your case, it should be in:

build_bin/tmp/work/armv7a-neon-poky-linux-gnueabi/customssh/0.1_0/temp

Within the “temp” folder, check the log.task_order to view the list of tasks that are run for your recipe.

If you don’t see the do_install task, you may need to do an “addtask”.

Also, you may need to change your recipe name to match the recipe folder.

BR,
Chris

@cchenry I can’t find this folder; the recipe name (customssh_01.bb) matches the folder (customssh), which has been added to the swi-linux-src/meta-swi/common/recipes-core folder.
The recipe is definitely built, as if I omit the license the build will fail, and if I specify the wrong filename I will get a warning.
However, after building the yocto image, I can't see anything in the folder you have mentioned:
build_bin/tmp/work/armv7a-neon-poky-linux-gnueabi/customssh/0.1_0/temp

The customssh just doesn’t exist.

Is the swi-linux-src/meta-swi/common/recipes-core the right folder where to place the recipe?

Hi @claudio.baldini,
You need to figure out why your recipe isn’t being parsed.

Try running these commands:

make dev
bitbake-layers show-recipes

Then check if your recipe is listed. It’s possible the conf file isn’t parsing the same string type that matches the format of your recipe name.

You may need to modify the conf file or you could try moving it elsewhere.

BR,
Chris

@cchenry thanks, the recipe seems to be parsed properly:
customssh:
common 01

But after I have baked, it doesn't show up anywhere, as running this command

swi-linux-src$ find . -name customssh

only returns the folder and the files

./swi-linux-src/meta-swi/common/recipes-core/customssh
./swi-linux-src/meta-swi/common/recipes-core/customssh/customssh_01.bb

@cchenry I have also tried to place the recipe in this folder, the recipe is listed if I use the command you have sent, but files and folders are still not created.
This is not top priority on our list but it would be nice to fix if we could…

@cchenry but I was wondering, even after we have implemented this, will this prevent someone from hard resetting the device with the RESET button and specifying a new login password?
I understand we can disable that functionality with an AT command, but then if we have any problem with the applications we have designed, how can we recover?
