From f2738c399dffe325b5add7b912d9562484f071e3 Mon Sep 17 00:00:00 2001
From: unitexe
Date: Sat, 3 Jan 2026 15:23:38 -0600
Subject: Introduce core-image-unit - Add unitexe user - Configured for public key authentication SSH - Part of sudoers (via drop-in) so admin tasks can be performed - No root login via SSH or TTY allowed - TTY is restricted via PAM - Added misc. utilities
---
.../openssh/openssh_%.bbappend | 23 ++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend
(limited to 'meta-unit-core/recipes-connectivity')
diff --git a/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend b/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..d520f4a
--- /dev/null
+++ b/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,23 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+do_install:append () {
+ # Disable root login completely
+ sed -i -e 's:#PermitRootLogin.*:PermitRootLogin no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Enable public key authentication
+ sed -i -e 's:#PubkeyAuthentication yes:PubkeyAuthentication yes:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Add global authorized_keys file to AuthorizedKeysFile
+ sed -i -e 's:^AuthorizedKeysFile.*:AuthorizedKeysFile\t.ssh/authorized_keys /etc/ssh/authorized_keys:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Disable password authentication
+ sed -i -e 's:#PasswordAuthentication yes:PasswordAuthentication no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Explicitly disable empty passwords
+ sed -i -e 's:#PermitEmptyPasswords no:PermitEmptyPasswords no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Restrict SSH access to unitexe user only
+ echo "" >> ${D}${sysconfdir}/ssh/sshd_config
+ echo "# Allow only the unitexe user" >> ${D}${sysconfdir}/ssh/sshd_config
+ echo "AllowUsers unitexe" >> ${D}${sysconfdir}/ssh/sshd_config
+}
--
cgit v1.2.3
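Review bot: The hardening seds in do_install:append only match the commented-out defaults (`#PermitRootLogin.*`, `#PasswordAuthentication yes`, `#PermitEmptyPasswords no`), and the AuthorizedKeysFile one only matches an uncommented line. If the base recipe's sshd_config ever ships one of these in a different form, the substitution is a silent no-op and the image is built with that setting unchanged. A check after the edits that fails the build when an expected directive is missing would make this visible; a sketch follows. Password-style logins may also remain reachable through keyboard-interactive if UsePAM is enabled (the commit message mentions PAM, but that setting is not visible here), so `KbdInteractiveAuthentication no` is worth setting alongside `PasswordAuthentication no`. It is also worth confirming whether the base recipe derives any other config file from sshd_config before this append runs, since such a copy would not receive these edits.

```bitbake
    # … unchanged: sed edits and AllowUsers append …

    # Fail the build if any expected directive did not land in the installed config
    for want in 'PermitRootLogin no' 'PubkeyAuthentication yes' \
                'PasswordAuthentication no' 'PermitEmptyPasswords no' \
                'AllowUsers unitexe'; do
        grep -q "^$want" ${D}${sysconfdir}/ssh/sshd_config || \
            bbfatal "sshd_config hardening missing: $want"
    done
```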