authorunitexe <unitexe70@gmail.com>2026-01-03 15:23:38 -0600
committerunitexe <unitexe70@gmail.com>2026-01-03 15:39:21 -0600
commitf2738c399dffe325b5add7b912d9562484f071e3 (patch)
treebc83ab2a3decfa9ff38a57b3cd4c8c76ad9743b3 /meta-unit-core/recipes-connectivity
parenta94f9b9fdf29d0f27349599aa73a585ba78949d6 (diff)
Introduce core-image-unit
- Add unitexe user
- Configured for SSH public key authentication
- Part of sudoers (via drop-in) so admin tasks can be performed
- No root login via SSH or TTY allowed
- TTY is restricted via PAM
- Added misc. utilities
Diffstat (limited to 'meta-unit-core/recipes-connectivity')
-rw-r--r--meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend23
1 files changed, 23 insertions, 0 deletions
diff --git a/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend b/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..d520f4a
--- /dev/null
+++ b/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,23 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+do_install:append () {
+ # Disable root login completely
+ sed -i -e 's:#PermitRootLogin.*:PermitRootLogin no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Enable public key authentication
+ sed -i -e 's:#PubkeyAuthentication yes:PubkeyAuthentication yes:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Add global authorized_keys file to AuthorizedKeysFile
+ sed -i -e 's:^AuthorizedKeysFile.*:AuthorizedKeysFile\t.ssh/authorized_keys /etc/ssh/authorized_keys:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Disable password authentication
+ sed -i -e 's:#PasswordAuthentication yes:PasswordAuthentication no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Explicitly disable empty passwords
+ sed -i -e 's:#PermitEmptyPasswords no:PermitEmptyPasswords no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Restrict SSH access to unitexe user only
+ echo "" >> ${D}${sysconfdir}/ssh/sshd_config
+ echo "# Allow only the unitexe user" >> ${D}${sysconfdir}/ssh/sshd_config
+ echo "AllowUsers unitexe" >> ${D}${sysconfdir}/ssh/sshd_config
+}
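Review bot: Every `sed` in `do_install:append` is a silent no-op when its pattern is absent, so if the packaged `sshd_config` ever stops carrying the exact commented default (for example `#PasswordAuthentication yes`, or an uncommented `AuthorizedKeysFile` line), the build still succeeds and the image ships with that setting at sshd's built-in default. Because sshd takes the first value it reads for a keyword, appending the directives afterwards is not a reliable fallback; I would instead check the result at the end of the function and fail the build with `bbfatal` when a directive is missing, as sketched below. Separately, `PasswordAuthentication no` does not cover keyboard-interactive authentication, so if the shipped config enables PAM it is worth also setting `KbdInteractiveAuthentication no`. It would also help to add a comment noting that `/etc/ssh/authorized_keys` is trusted for every account sshd admits, which is why it must stay root-owned and why `AllowUsers unitexe` matters.

```bitbake
do_install:append () {
    # … unchanged: sed edits and AllowUsers append …

    # Fail the build if a hardening directive did not land in the config
    for directive in 'PermitRootLogin no' 'PubkeyAuthentication yes' \
                     'PasswordAuthentication no' 'PermitEmptyPasswords no' \
                     'AllowUsers unitexe'; do
        grep -q "^$directive" ${D}${sysconfdir}/ssh/sshd_config \
            || bbfatal "sshd_config hardening not applied: $directive"
    done
```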