diff --git a/meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend b/meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..66f085a
--- /dev/null
+++ b/meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,17 @@
+# meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
+
+do_install:append() {
+ if [ "${EDGEOS_DISABLE_ROOT_SSH}" = "1" ]; then
+ install -d ${D}${sysconfdir}/ssh/sshd_config.d
+ cat > ${D}${sysconfdir}/ssh/sshd_config.d/10-disable-root.conf <<'EOF'
+PermitRootLogin no
+PasswordAuthentication yes
+PermitEmptyPasswords yes
+UsePAM no
+EOF
+ fi
+}
+
+# The file is only installed when the flag is "1",
+# but it's safe to declare it in FILES regardless.
+FILES:${PN}-sshd += "${sysconfdir}/ssh/sshd_config.d/10-disable-root.conf"
diff --git a/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb b/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
new file mode 100644
index 0000000..3deb0cd
--- /dev/null
+++ b/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Create 'admin' user (UID 1000) with home directory"
+DESCRIPTION = "Adds a non-root 'admin' user and /home/admin. Password is cleared at image time via EXTRA_USERS_PARAMS when EDGEOS_DISABLE_ROOT_SSH=1."
+LICENSE = "CLOSED"
+PR = "r0"
+
+inherit useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "-u 1000 -d /home/admin -m -s /bin/bash admin"
+FILES:${PN} += "/home/admin"
+
+do_install() {
+ install -d ${D}/home/admin
+ chown -R 1000:1000 ${D}/home/admin || true
+}
diff --git a/meta-edgeos/recipes-core/images/edgeos-image.bb b/meta-edgeos/recipes-core/images/edgeos-image.bb
index 5ec7eda..86c36af 100644
--- a/meta-edgeos/recipes-core/images/edgeos-image.bb
+++ b/meta-edgeos/recipes-core/images/edgeos-image.bb
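Review bot: In openssh_%.bbappend the drop-in named 10-disable-root.conf does more than disable root login: `PermitEmptyPasswords yes` together with `PasswordAuthentication yes` tells sshd to accept a blank password. The same `EDGEOS_DISABLE_ROOT_SSH` flag makes the edgeos-image.bb hunk in this commit empty the `admin` hash in /etc/shadow, so an image built with the flag set exposes an account over SSH that needs no credential. I would change the two lines to `PermitEmptyPasswords no` and `PasswordAuthentication no` and provision an authorized key for `admin`, or move the blank-password behaviour behind a separate, clearly named development-only variable. `UsePAM no` also switches off PAM account and session checks, so if it is kept it deserves a comment saying why. Whether the base sshd_config includes `sshd_config.d/*.conf` is not visible in this diff and should be confirmed.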
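Review bot: In edgeos-user_1.0.bb, `chown -R 1000:1000 ${D}/home/admin || true` discards a failed ownership change, which would package /home/admin as root-owned without any build error. The `install -d` call also sets no explicit mode on the home directory. I would use `install -d -m 0700 ${D}/home/admin` and drop the `|| true` so a failure stops the build. The DESCRIPTION says the password is cleared via EXTRA_USERS_PARAMS, whereas the image recipe in this commit does it with a sed post-process command, so the text should name the mechanism actually used.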
@@ -44,6 +44,15 @@ BUILDCFG_VARS += " \ # Disable WIC's automatic fstab updates WIC_CREATE_EXTRA_ARGS = "--no-fstab-update" +IMAGE_INSTALL += "${@bb.utils.contains('EDGEOS_DISABLE_ROOT_SSH', '1', 'edgeos-user', '', d)}" + +ROOTFS_POSTPROCESS_COMMAND += "edgeos_make_admin_nopass;" + +edgeos_make_admin_nopass () { + if [ "${EDGEOS_DISABLE_ROOT_SSH}" = "1" ] && [ -f ${IMAGE_ROOTFS}/etc/shadow ]; then + sed -i 's/^admin:[^:]*:/admin::/' ${IMAGE_ROOTFS}/etc/shadow || true + fi +} # Provider for 'hostname' required by avahi-daemon IMAGE_INSTALL:append = " inetutils-hostname"
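Review bot: `edgeos_make_admin_nopass` edits the image's /etc/shadow with sed and appends `|| true`, so the build gives no signal about whether the `admin` entry ended up in the intended state. sed exits 0 when no line matches, and a missing shadow file is skipped silently by the `-f` test. The function also deliberately leaves the hash field empty, and nothing in the recipe marks that as a development-only state. If a credential must be set at image time, the `extrausers` class is the supported route, for example `EXTRA_USERS_PARAMS = "usermod -p '<hash supplied at build time>' admin;"`. Otherwise leave the account locked as useradd creates it and rely on key-based login. If the sed is kept, drop `|| true` and fail the build when the `admin` line is absent.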