[Buildroot] [RFC] openssh: add option to allow login as root
Peter Korsgaard
peter at korsgaard.com
Wed Mar 20 08:58:11 UTC 2019
>>>>> "Arnout" == Arnout Vandecappelle <arnout at mind.be> writes:

Hi,

>> We discussed it tonight on IRC and didn't really get to a good compromise.
>>
>> On one hand, we prefer to stick with upstream defaults (especially when
>> security is involved)

> This patch doesn't change the defaults.

No, but the discussion on IRC included talking about if there should be
an option or if we should unconditionally allow/disallow root logins.

>> We prefer to not add configuration options for these kinds of
>> detailed policy decisions,

> *That* is the crux of the matter. We normally only have configurability of
> compile-time options, and assume that anything else is handled in post-build
> scripts. The (only?) exception to that principle is the system menu.

> So *maybe* something global in the system menu could work, and then dropbear
> and openssh and whatnot would do whatever is needed to permit/disallow root
> login for that particular package. But I'm not exactly ecstatic about that option.

Me neither.

>> as openssh has a LOT of other configuration
>> options

> True, but permitting root login is clearly one that is a lot more
> important/relevant than all the others. Currently, the typical user will naively
> enable openssh, then try to ssh into the device, and fail...

Correct. It will also fail for dropbear as the root user by default does
not have a password set.

>> So all in all, these kinds of policy tweaks are better done in a post
>> build script.

> In the few projects where I've seen openssh used, it was always with a custom
> config file. Otherwise, there's not much reason to use openssh instead of
> dropbear I guess.

Indeed. I always use dropbear as well.

--
Bye, Peter Korsgaard
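
The thread points at a post-build script as the place for this policy. As an added example (not part of the thread or of Buildroot), here is a script fragment that sets `PermitRootLogin` in the target's sshd_config without letting the value land inside a `Match` block. It assumes the file is `etc/ssh/sshd_config` under the target directory Buildroot passes as `$1`; `set_sshd_option` and `ROOT_LOGIN_POLICY` are hypothetical names.

```shell
#!/bin/sh
# Added example: post-build script fragment, not code from the thread.
# Assumption: the target's sshd config is at $1/etc/ssh/sshd_config.

# set_sshd_option FILE KEYWORD VALUE   (hypothetical helper)
# sshd keeps the first value it reads for a keyword, so this rewrites the
# first global occurrence (active or "#Keyword" style), drops later global
# duplicates, and, if the keyword is absent, adds it before the first
# "Match" block, where it would otherwise only apply conditionally.
set_sshd_option() {
    file=$1 key=$2 val=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?/, "", line)   # "# prose" keeps its space: word is ""
            split(line, f, /[ \t=]+/)
            word = tolower(f[1])
        }
        # First active Match line: everything after it is conditional.
        !in_match && word == "match" && $0 !~ /^[ \t]*#/ {
            if (!done) { print key " " val; done = 1 }
            in_match = 1
        }
        # Global occurrence of the keyword: keep exactly one, with our value.
        !in_match && word == lkey {
            if (!done) { print key " " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Runs only when invoked with a target directory that contains the file.
# ROOT_LOGIN_POLICY is a hypothetical variable; the fallback keeps root
# logins key-only.
if [ -n "${1:-}" ] && [ -f "$1/etc/ssh/sshd_config" ]; then
    set_sshd_option "$1/etc/ssh/sshd_config" \
        PermitRootLogin "${ROOT_LOGIN_POLICY:-prohibit-password}"
fi
```

Running the helper twice leaves the file unchanged, so the script is safe to re-run on an existing output directory.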