Using key pair to ssh into FX30

Is there a way to use a keypair to ssh into the FX30?
We would also like to remove the auto-login feature, this is to prevent people from logging in and copying our app.
What is the best way to do so?

Hi @claudio.baldini ,

We have a similar topic matching your request. Please refer to it below for details.

Thanks,

Cheers @Donald, we would also need to completely eliminate the possibility of logging in to the device without the key-pair, so no user or root should be able to get into the device and see/read/copy the binary.

I have also seen a possible problem and a requirement to switch back to a different user before a firmware update:
IMPORTANT: Since the owner of /home/root is ‘appfwupdateService’ by default, for safety reasons you should switch back to this user and default permissions (755) before doing a firmware update.

We would need to remotely download the firmware and this may not be possible/easy to achieve…

Hi @claudio.baldini ,
You can disable user logins by changing the dropbear configuration in /etc/default/dropbear

I recommend you build your own yocto image with the change applied within your workspace. If you manually modify the file, it will be present in the overlay and subject to being deleted upon factory reset via the pushbutton.

BR,
Chris

OK, we are using the system build with Legato, so possibly I can modify it manually (/etc/default/dropbear), back up the file and then implement it into my system to be downloaded to the target when I download the app to it?

It’s not clear from your statement how you plan to implement the change.

Some options are:

  1. Add a recipe into a yocto workspace and build the full image, including your application
  2. Add the dropbear configuration within your Legato app (make sure you also restart dropbear)
  3. Manually perform the change which is subject to factory reset

BR,
Chris

I would like to implement option 2. How can I configure dropbear from my app? Would you be able to point me to any example?

Now that I can build the source, is there any reference for option 1, to add the login through key-pair and to disable the password login?
I wonder if this was already discussed in a different post so I can start from there.

Hi @claudio.baldini,
You’ll have to do it in 2 steps:

  1. Install your authorized_keys into the root filesystem somewhere. You can create a recipe that looks something like this:

    FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

    SRC_URI += " \
                file://authorized_keys \
               "

    do_install_append() {
        install -m 0755 ${WORKDIR}/authorized_keys -D ${D}/${sysconfdir}/authorized_keys
    }

  2. Create a startup script to copy the authorized_keys to the /home/root/.ssh folder:

    # copy authorized_keys
    if [ ! -d /home/root/.ssh ]; then
        mkdir -p /home/root/.ssh
    fi

    if [ ! -e /home/root/.ssh/authorized_keys ]; then
        cp /etc/authorized_keys /home/root/.ssh/
    fi

  3. Install your startup script from one of your recipes:

    do_install_append() {
        install -m 0755 ${WORKDIR}/myscript.sh -D ${D}${sysconfdir}/init.d/myscript.sh

        [ -n "${D}" ] && OPT="-r ${D}" || OPT="-s"
        update-rc.d $OPT -f myscript.sh remove
        update-rc.d $OPT myscript.sh start 60 S . stop 60 S .
    }

BR,
Chris
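
The thread covers installing authorized_keys and mentions /etc/default/dropbear for disabling password logins, but shows no example of the latter. The following is an added example, not code from the posters or from Sierra Wireless: it turns password login off only once a public key is actually in place, so the device is not locked out. The function name `harden_dropbear` is hypothetical, and it assumes the image's dropbear init script sources /etc/default/dropbear and passes `DROPBEAR_EXTRA_ARGS` to dropbear, as the OpenEmbedded init script does.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the dropbear init script
# reads DROPBEAR_EXTRA_ARGS from /etc/default/dropbear; verify on your image.

# harden_dropbear ROOT
#   ROOT is a filesystem prefix: "" on the target, a scratch dir when testing.
#   Returns 0 once password logins are disabled, 1 if it refused to do so.
harden_dropbear() {
    root="$1"
    keys="$root/home/root/.ssh/authorized_keys"
    conf="$root/etc/default/dropbear"

    # Refuse to disable passwords unless at least one public key is installed;
    # otherwise nobody can reach the device over SSH any more.
    # (Key lines that begin with options are not recognised by this check.)
    if ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) ' "$keys" 2>/dev/null; then
        echo "no public key in $keys; leaving password login enabled" >&2
        return 1
    fi

    # dropbear rejects keys if .ssh or the file is group/world writable.
    chmod 700 "$root/home/root/.ssh"
    chmod 600 "$keys"

    # Already configured: do nothing, so the script can run on every boot.
    if grep -Eq '^DROPBEAR_EXTRA_ARGS=.*[" ]-s[" ]' "$conf" 2>/dev/null; then
        return 0
    fi

    mkdir -p "$root/etc/default"
    # -s is dropbear's "disable password logins" option. Appending a new
    # assignment overrides any earlier DROPBEAR_EXTRA_ARGS line in the file.
    echo 'DROPBEAR_EXTRA_ARGS="-s"' >> "$conf"
    return 0
}

# On the target: harden_dropbear "" and then restart dropbear.
```

Run it after the step that copies authorized_keys into /home/root/.ssh, and confirm a key-based login works from a second session before closing the first.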