sshd support #5

Closed
5 tasks done
Informatic opened this issue Apr 19, 2021 · 4 comments · Fixed by #19
@Informatic
Member

Informatic commented Apr 19, 2021

We are currently only supporting unauthenticated telnet-based remote access. We should prefer some safer solution by default - like SSH.

  • Bundle static dropbear sshd binary with the app
  • Figure out emergency situations (do we fall back to enabling telnetd in case homebrew channel gets removed, or do we copy over required binaries to some known location outside of /media/developer?)
  • Authentication bootstrapping problem
    • We have no way of overlaying /etc/shadow to set some default root password for a user (yet) - can we make dropbear accept unauthenticated users unless authorized_keys has been populated?
  • Ensure this works well enough with ares-install and other SDK tools
Informatic added the help wanted label Apr 19, 2021
@DavidBuchanan314
Member

RE: authentication, could we just put this in our init script:

```sh
if [ ! -f /home/root/.ssh/authorized_keys ]; then
  sed 's/root:.:/root:xGVw8H4GqkKg6:/' /etc/shadow > /tmp/shadow
  chmod 400 /tmp/shadow
  mount --bind /tmp/shadow /etc/shadow
fi
```

i.e. if authorized_keys does not exist, set the root password to alpine via bind mount
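
An added example (not part of the comment above and not the project's code): a POSIX shell audit that classifies the root-login state the proposed init snippet leaves behind, including two edge cases of its one-time `-f` test. The function names and state labels are hypothetical; both files are passed as arguments so the check can run against copies.

```sh
#!/bin/sh
# Added example: audit the root-login state left by the fallback snippet.
# Usage (hypothetical script name): audit.sh /etc/shadow /home/root/.ssh/authorized_keys

DEFAULT_HASH='xGVw8H4GqkKg6'   # fallback hash quoted in the thread

# root_hash SHADOW_FILE: print the password field of the root entry
root_hash() {
  awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# has_usable_keys FILE: succeed if the file has a non-blank, non-comment line
has_usable_keys() {
  [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# audit_root_access SHADOW_FILE AUTH_KEYS_FILE: print one state label
audit_root_access() {
  root_h=$(root_hash "$1")
  if [ "$root_h" = "$DEFAULT_HASH" ]; then
    if has_usable_keys "$2"; then
      # Keys were added after the init check ran: the overlay with the
      # default password stays in place until it is unmounted or on reboot.
      echo default-password-with-keys
    else
      # Expected bootstrap state: only the well-known password protects root.
      echo default-password
    fi
  elif has_usable_keys "$2"; then
    echo key-only
  elif [ -f "$2" ]; then
    # The file exists, so the "! -f" test skips the fallback, yet it holds
    # no key: neither the default password nor key login is available.
    echo empty-authorized-keys
  else
    # No keys file and no default hash: the fallback has not been applied.
    echo no-fallback
  fi
}

# Run stand-alone only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
  audit_root_access "$1" "$2"
fi
```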

@Informatic
Member Author

Informatic commented Apr 20, 2021

That makes sense.

If we put that shadowfile somewhere persistent (/var/luna/preferences/webosbrew_shadow?) we could also use it as a go-to solution for remote access for people inexperienced with ssh public key authentication. passwd should work as is with this setup, right?

Update: just realized this (persistence) is not a great idea, in case someone does a software update, as we don't have any guarantees regarding passwd/shadow not changing.

@Informatic
Member Author

Initial dropbear integration is finished in 957d29f - UI is working, tools/build-dropbear.sh can be used to build a working customized dropbear sshd binary to be bundled with the application. Not sure how to distribute this - should we just commit the binary into the repo and call it a day?

Fully static builds seemed to fail to link when built with meta-lg-webos-ndk - not sure how to go about this, I don't have much practice with the general subject of cross-compilation.

@mariotaku
Member

Fully static build may not work - IIRC the NDK I built doesn't come with any archive files. Thus no way to static link with libc. But I think if crypto libraries could be statically linked, then it's good enough.
