
I'm working on an embedded board (i.MX6) with a Yocto-based embedded Linux. So far I used Dropbear as SSH server. However, Dropbear doesn't provide an SFTP server, which I need. Therefore I switched from Dropbear to OpenSSH (built it from the standard Poky sources, and installed it via opkg).

However, since then I cannot login to the board via SSH anymore, because the server asks for a password, which I don't know. The only user is root, and it has no password configured (this is still true, because I can log in locally via RS232 without problems). Why does OpenSSH ask for a password? How can I remove that?

I thought that maybe there's a passphrase set in one of the private keys in /etc/ssh:

```
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
```

So I did `ssh-keygen -p -f /etc/ssh/ssh_host_rsa_key` respectively for each of them, but it didn't help.

These are the essential pieces of the sshd_config file:

```
# grep '^[^#]' /etc/ssh/sshd_config
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation sandbox # Default for new installations.
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
Subsystem       sftp    /usr/lib/openssh/sftp-server
```

Any ideas?

Georg P.

2 Answers

Are you sure that you have debug-tweaks in your IMAGE_FEATURES or EXTRA_IMAGE_FEATURES?

If so, the ROOTFS_POSTPROCESS_COMMAND should include ssh_allow_empty_password(); which in turn should set PermitEmptyPasswords yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config_readonly. That should allow you to use empty passwords with OpenSSH.

Anders
  • Yes, I do have `EXTRA_IMAGE_FEATURES = "debug-tweaks"` in my conf/local.conf. But something else may have gone wrong with the installation, because `PermitEmptyPasswords yes` was not set. I set it now manually in both config files, and now it works. Thank you very much! – Georg P. May 23 '16 at 11:32
  • Ok, good! Could you try to force a re-generation of your image by running `bitbake -C rootfs ` and verify whether it works then? If it still doesn't work, something strange is going on. – Anders May 23 '16 at 11:47
  • Well, the thing is, that OpenSSH is not part of the base image, and hence it's also not included in the rootfs. I need it only for development purpose (because I temporarily need SFTP), so I just built it as an individual ipk package with bitbake and installed it with opkg. – Georg P. May 23 '16 at 12:09
  • Ah, that explains it. `debug-tweaks` in `IMAGE_FEATURES` does only influence the image creation step, and not individual packages. – Anders May 23 '16 at 12:11
  • I think `debug-tweaks` will remove password from console only. – Matthieu Aug 23 '18 at 20:43

If you have "debug-tweaks" in your EXTRA_IMAGE_FEATURES then the password will be blank: this may be ok for development images.

If you want to have some security instead, you can either add a recipe that installs a public key to /root/.ssh/authorized_keys or use the extrausers class in an image recipe or local configuration to set the password.

Jussi Kukkonen
  • Yes, I do have `debug-tweaks` set. It's only development stage, so no security is needed (or wanted) yet. Still, I don't understand why `ssh` asks me for a password. And what that password is... – Georg P. May 23 '16 at 11:05
  • I recommend having some level of security right up front. If it's baked in from the beginning, you won't have a hole you have to plug before the product ships. – J.D. Ray Jun 11 '16 at 14:19
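
The two answers above name the pieces that together allow a passwordless root login over SSH: `PermitEmptyPasswords yes` in `/etc/ssh/sshd_config` or `/etc/ssh/sshd_config_readonly`, and a blank root password. The following check for an unpacked rootfs is an added example, not code from the thread or from Yocto; the function names and the sample tree are constructed, and it assumes root's password field lives in `etc/shadow`.

```shell
#!/bin/sh
# Added example: audit an unpacked rootfs for empty-password SSH root login.
# Function names and the sample tree are constructed for illustration.

# Print the first global value of an sshd_config keyword (sshd keeps the first
# value it reads; keywords are case-insensitive). Match blocks are not evaluated.
sshd_effective() {  # usage: sshd_effective KEYWORD DEFAULT FILE
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        { sub(/#.*/, ""); sub(/=/, " "); key = tolower($1); val = tolower($2) }
        key == "match" { exit }
        key == want    { gsub(/"/, "", val); print val; found = 1; exit }
        END            { if (!found) print def }
    ' "$3"
}

# True when root has an empty password field in ROOTFS/etc/shadow.
root_password_empty() {
    awk -F: '$1 == "root" && $2 == "" { f = 1 } END { exit !f }' \
        "$1/etc/shadow" 2>/dev/null
}

# Return 1 if any sshd config in the tree lets root in with an empty password.
check_rootfs() {  # usage: check_rootfs ROOTFS_DIR
    rc=0
    for f in "$1/etc/ssh/sshd_config" "$1/etc/ssh/sshd_config_readonly"; do
        [ -f "$f" ] || continue
        empty=$(sshd_effective PermitEmptyPasswords no "$f")
        root=$(sshd_effective PermitRootLogin default "$f")
        echo "$f: PermitEmptyPasswords=$empty PermitRootLogin=$root"
        # An unset PermitRootLogin is treated as risky (conservative choice).
        case "$root" in
            no|prohibit-password|without-password|forced-commands-only) continue ;;
        esac
        if [ "$empty" = yes ] && root_password_empty "$1"; then
            echo "  FAIL: root can log in over SSH without a password"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree: the question's sshd_config after the manual fix.
make_sample_rootfs() {  # usage: make_sample_rootfs DIR
    mkdir -p "$1/etc/ssh"
    printf 'root::16944:0:99999:7:::\n' > "$1/etc/shadow"
    printf '%s\n' 'Protocol 2' 'PermitRootLogin yes' \
        'UsePrivilegeSeparation sandbox # Default for new installations.' \
        'PermitEmptyPasswords yes' > "$1/etc/ssh/sshd_config"
}

if [ "$#" -gt 0 ]; then check_rootfs "$1"; fi
```

Run it with the rootfs directory as the only argument; a non-zero exit status means the tree still accepts an empty root password over SSH.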