From dc2e0cad82af9e5fb3822204bb3af91baecd72c4 Mon Sep 17 00:00:00 2001
From: StefanaHanc
Date: Mon, 29 Sep 2025 17:44:47 +0300
Subject: [PATCH 1/3] images: add build-time option to disable root SSH access
Introduce configuration variable EDGEOS_DISABLE_ROOT_SSH. When set to 1:
- root login via SSH is disabled
- 'admin' user is created with UID 1000 and empty password
- edgeos-image includes edgeos-user automatically
Default (0) keeps current behavior.
Signed-off-by: StefanaHanc
---
 build/conf/local.conf | 55 +++++++++++++++++++
 .../openssh/openssh_%.bbappend | 17 ++++++
 .../edgeos-user/edgeos-user_1.0.bb | 12 ++++
 .../recipes-core/images/edgeos-image.bb | 10 ++++
 4 files changed, 94 insertions(+)
 create mode 100644 build/conf/local.conf
 create mode 100644 meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
 create mode 100644 meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
diff --git a/build/conf/local.conf b/build/conf/local.conf
new file mode 100644
index 0000000..57e60e0
--- /dev/null
+++ b/build/conf/local.conf
@@ -0,0 +1,55 @@
+# EdgeOS Build Configuration Template
+#
+# This file is the template for local.conf used by bootstrap.sh
+# to set up new build environments.
+
+# Target machine - Raspberry Pi 5 by default
+MACHINE = "raspberrypi5"
+# For emulation/testing: MACHINE = "qemux86-64"
+
+# EdgeOS distribution
+DISTRO = "edgeos"
+
+# Package format and features
+PACKAGE_CLASSES ?= "package_rpm"
+EXTRA_IMAGE_FEATURES ?= "debug-tweaks ssh-server-openssh"
+
+# License acceptance for required components
+LICENSE_FLAGS_ACCEPTED = "commercial synaptics-killswitch"
+
+# Build directories (shared across builds)
+DL_DIR ?= "${TOPDIR}/../downloads"
+SSTATE_DIR ?= "${TOPDIR}/../sstate-cache"
+TMPDIR ?= "${TOPDIR}/tmp"
+
+# WIC image configuration for Raspberry Pi
+WKS_FILE = "rpi-partuuid.wks"
+WKS_FILE_DEPENDS += "gptfdisk"
+IMAGE_FSTYPES:append = " wic wic.bmap"
+
+# Raspberry Pi specific configuration
+DISABLE_RPI_BOOT_LOGO = "1"
+DISABLE_SPLASH = "1"
+DISABLE_OVERSCAN = "1"
+ENABLE_DWC2_PERIPHERAL = "1"
+RASPBERRYPI_CAMERA_V2 = "1"
+RASPBERRYPI_CAMERA_V3 = "1"
+
+# EdgeOS feature flags
+EDGEOS_DEBUG = "1"
+EDGEOS_DEBUG_UART = "1"
+EDGEOS_USB_GADGET = "1"
+EDGEOS_PERSIST_JOURNAL_LOGS = "1"
+
+# EdgeOS branding configuration (can be overridden)
+# EDGEOS_HOSTNAME = "edgeos-device"
+# EDGEOS_BUILD_ID = "${DATETIME}"
+
+# Development settings (remove for production)
+# Allows root login without password via SSH
+EXTRA_IMAGE_FEATURES:append = " debug-tweaks"
+
+# Uncomment for production builds:
+# EXTRA_IMAGE_FEATURES:remove = "debug-tweaks"
+# EDGEOS_DEBUG = "0"
+EDGEOS_DISABLE_ROOT_SSH = "1"
\ No newline at end of file
diff --git a/meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend b/meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..66f085a
--- /dev/null
+++ b/meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,17 @@
+# meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
+
+do_install:append() {
+ if [ "${EDGEOS_DISABLE_ROOT_SSH}" = "1" ]; then
+ install -d ${D}${sysconfdir}/ssh/sshd_config.d
+ cat > ${D}${sysconfdir}/ssh/sshd_config.d/10-disable-root.conf <<'EOF'
+PermitRootLogin no
+PasswordAuthentication yes
+PermitEmptyPasswords yes
+UsePAM no
+EOF
+ fi
+}
+
+# The file is only installed when the flag is "1",
+# but it's safe to declare it in FILES regardless.
+FILES:${PN}-sshd += "${sysconfdir}/ssh/sshd_config.d/10-disable-root.conf"
diff --git a/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb b/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
new file mode 100644
index 0000000..21b70f1
--- /dev/null
+++ b/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
@@ -0,0 +1,12 @@
+LICENSE = "CLOSED"
+PR = "r0"
+inherit useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "-u 1000 -d /home/admin -m -s /bin/bash admin"
+FILES:${PN} += "/home/admin"
+
+do_install() {
+ install -d ${D}/home/admin
+ chown -R 1000:1000 ${D}/home/admin || true
+}
diff --git a/meta-edgeos/recipes-core/images/edgeos-image.bb b/meta-edgeos/recipes-core/images/edgeos-image.bb
index d9ac5ad..7db76d0 100644
--- a/meta-edgeos/recipes-core/images/edgeos-image.bb
+++ b/meta-edgeos/recipes-core/images/edgeos-image.bb
@@ -39,3 +39,13 @@ BUILDCFG_VARS += " \ # Disable WIC's automatic fstab updates WIC_CREATE_EXTRA_ARGS = "--no-fstab-update"
+
+IMAGE_INSTALL += "${@bb.utils.contains('EDGEOS_DISABLE_ROOT_SSH', '1', 'edgeos-user', '', d)}"
+
+ROOTFS_POSTPROCESS_COMMAND += "edgeos_make_admin_nopass;"
+
+edgeos_make_admin_nopass () {
+ if [ "${EDGEOS_DISABLE_ROOT_SSH}" = "1" ] && [ -f ${IMAGE_ROOTFS}/etc/shadow ]; then
+ sed -i 's/^admin:[^:]*:/admin::/' ${IMAGE_ROOTFS}/etc/shadow || true
+ fi
+}
From 40abc730bc1a509efd384285e50bed8ec4bf00eb Mon Sep 17 00:00:00 2001
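Review bot: The drop-in written in do_install:append replaces passwordless root with passwordless `admin`: `PasswordAuthentication yes` together with `PermitEmptyPasswords yes` means that once edgeos-image.bb's `edgeos_make_admin_nopass` has blanked the shadow entry, any client that can reach sshd logs in as the UID 1000 user with no credential at all, and `UsePAM no` additionally drops PAM account and session checks. If the intent is to close the unauthenticated root path, the drop-in should carry only `PermitRootLogin no`, and the admin account should be provisioned with an authorized key or a set password rather than an empty one; the same weakening is what the sed in the edgeos-image.bb hunk implements, so fix both together. The drop-in also only wins if the base sshd_config installed by the openssh recipe has an `Include /etc/ssh/sshd_config.d/*.conf` ahead of its own `PermitRootLogin`, because sshd keeps the first value it reads; I cannot confirm that from this series, so it is worth checking for the openssh version this layer builds and stating in the comment above `FILES:${PN}-sshd`.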
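Review bot: `USERADD_PARAM:${PN}` gives admin `-s /bin/bash`, but the recipe declares no `RDEPENDS:${PN} += "bash"`; on an image whose only shell is busybox the account exists but a login fails because its shell is missing, so either add the runtime dependency or use `/bin/sh`. In do_install, `chown -R 1000:1000 ${D}/home/admin || true` hides a failed ownership change, which would package /home/admin owned by root and leave admin unable to write its own home; dropping the `|| true` lets the build fail where the problem is. The recipe also packages /home/admin while `-m` asks useradd to create it at install time; a one-line comment saying which of the two is expected to win on the target would help the next reader.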
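Review bot: `edgeos_make_admin_nopass` rewrites `${IMAGE_ROOTFS}/etc/shadow` with sed and then discards any failure with `|| true`; with EDGEOS_DISABLE_ROOT_SSH=1 a silent failure leaves admin with whatever useradd wrote (presumably a locked field) while root is already refused, so the image ships with no working SSH login and nothing in the build log explains it. Replacing `|| true` with `|| bbfatal "failed to clear admin password in ${IMAGE_ROOTFS}/etc/shadow"` surfaces that at build time. The empty password itself is the larger issue and is raised on the openssh bbappend hunk; Yocto's extrausers class with `EXTRA_USERS_PARAMS` is the supported way to set or clear an account's password and would also retire the hand-rolled shadow regex. The start of edgeos-image.bb is outside this hunk.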
From: StefanaHanc <91799440+StefanaHanc@users.noreply.github.com>
Date: Mon, 29 Sep 2025 20:51:07 +0300
Subject: [PATCH 2/3] Delete build/conf/local.conf
conf: remove build/conf/local.conf (added by mistake)
---
 build/conf/local.conf | 55 -------------------------------------------
 1 file changed, 55 deletions(-)
 delete mode 100644 build/conf/local.conf
diff --git a/build/conf/local.conf b/build/conf/local.conf
deleted file mode 100644
index 57e60e0..0000000
--- a/build/conf/local.conf
+++ /dev/null
@@ -1,55 +0,0 @@
-# EdgeOS Build Configuration Template
-#
-# This file is the template for local.conf used by bootstrap.sh
-# to set up new build environments.
-
-# Target machine - Raspberry Pi 5 by default
-MACHINE = "raspberrypi5"
-# For emulation/testing: MACHINE = "qemux86-64"
-
-# EdgeOS distribution
-DISTRO = "edgeos"
-
-# Package format and features
-PACKAGE_CLASSES ?= "package_rpm"
-EXTRA_IMAGE_FEATURES ?= "debug-tweaks ssh-server-openssh"
-
-# License acceptance for required components
-LICENSE_FLAGS_ACCEPTED = "commercial synaptics-killswitch"
-
-# Build directories (shared across builds)
-DL_DIR ?= "${TOPDIR}/../downloads"
-SSTATE_DIR ?= "${TOPDIR}/../sstate-cache"
-TMPDIR ?= "${TOPDIR}/tmp"
-
-# WIC image configuration for Raspberry Pi
-WKS_FILE = "rpi-partuuid.wks"
-WKS_FILE_DEPENDS += "gptfdisk"
-IMAGE_FSTYPES:append = " wic wic.bmap"
-
-# Raspberry Pi specific configuration
-DISABLE_RPI_BOOT_LOGO = "1"
-DISABLE_SPLASH = "1"
-DISABLE_OVERSCAN = "1"
-ENABLE_DWC2_PERIPHERAL = "1"
-RASPBERRYPI_CAMERA_V2 = "1"
-RASPBERRYPI_CAMERA_V3 = "1"
-
-# EdgeOS feature flags
-EDGEOS_DEBUG = "1"
-EDGEOS_DEBUG_UART = "1"
-EDGEOS_USB_GADGET = "1"
-EDGEOS_PERSIST_JOURNAL_LOGS = "1"
-
-# EdgeOS branding configuration (can be overridden)
-# EDGEOS_HOSTNAME = "edgeos-device"
-# EDGEOS_BUILD_ID = "${DATETIME}"
-
-# Development settings (remove for production)
-# Allows root login without password via SSH
-EXTRA_IMAGE_FEATURES:append = " debug-tweaks"
-
-# Uncomment for production builds:
-# EXTRA_IMAGE_FEATURES:remove = "debug-tweaks"
-# EDGEOS_DEBUG = "0"
-EDGEOS_DISABLE_ROOT_SSH = "1"
\ No newline at end of file
From e02257f3e445569de77d0e2d8e92be59405cb9ba Mon Sep 17 00:00:00 2001
From: StefanaHanc <91799440+StefanaHanc@users.noreply.github.com>
Date: Mon, 29 Sep 2025 21:11:41 +0300
Subject: [PATCH 3/3] Update edgeos-user_1.0.bb
edgeos-user: add SUMMARY and DESCRIPTION for recipe linter
---
 meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb b/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
index 21b70f1..3deb0cd 100644
--- a/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
+++ b/meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb
@@ -1,5 +1,8 @@
+SUMMARY = "Create 'admin' user (UID 1000) with home directory"
+DESCRIPTION = "Adds a non-root 'admin' user and /home/admin. Password is cleared at image time via EXTRA_USERS_PARAMS when EDGEOS_DISABLE_ROOT_SSH=1."
 LICENSE = "CLOSED"
 PR = "r0"
+
 inherit useradd
 
 USERADD_PACKAGES = "${PN}"
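Review bot: The new DESCRIPTION states the password is cleared "via EXTRA_USERS_PARAMS", but nothing in this series uses that variable or inherits extrausers; the clearing is done by the `edgeos_make_admin_nopass` sed on /etc/shadow in edgeos-image.bb, so the line documents a mechanism that does not exist. Either move the image to `EXTRA_USERS_PARAMS` or make the text match what is shipped: `DESCRIPTION = "Adds a non-root 'admin' user and /home/admin. The password is cleared at image build time by edgeos-image.bb (edgeos_make_admin_nopass) when EDGEOS_DISABLE_ROOT_SSH=1."`. Keep the empty-password consequence spelled out either way, since SUMMARY/DESCRIPTION is where an integrator will look before enabling the flag.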