GUF-Yocto-jethro-9.0-r7707-0
i.MX6
User Manual
generating ssh ED25519 key...
Restarting OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 1108)
root@gufboardll:~# ll /etc/ssh/*key*
-rw-------    1 root     root           668 Sep 23 13:06 /etc/ssh/ssh_host_dsa_key
-rw-r--r--    1 root     root           607 Sep 23 13:06 /etc/ssh/ssh_host_dsa_key.pub
-rw-------    1 root     root           227 Sep 23 13:06 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--    1 root     root           179 Sep 23 13:06 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-------    1 root     root           411 Sep 23 13:06 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--    1 root     root            99 Sep 23 13:06 /etc/ssh/ssh_host_ed25519_key.pub
-rw-------    1 root     root          1675 Sep 23 13:06 /etc/ssh/ssh_host_rsa_key
-rw-r--r--    1 root     root           399 Sep 23 13:06 /etc/ssh/ssh_host_rsa_key.pub
root@gufboardll:~#
For more information see the official OpenSSH documentation. SSH keys can also replace the password authentication
of the remote user (public-key authentication); please see the official documentation for this feature.
SFTP only with restricted folder visibility
Sometimes it is enough for a remote user to be able to download log files or change configuration files in one
specific folder. To reduce the security risk of an open remote service, SSH access can be restricted to the SFTP
feature, locking the user into, for example, his home folder.
The following steps are needed for the setup:
Create the user:
root@santaro:~# adduser service
Change the owner of his home directory to root (needed by sftp changeroot):
root@santaro:~# chown -R root:service /home/service
Edit the ssh config file /etc/ssh/sshd_config:
In the config file, change the sftp subsystem:
# override default of no subsystems
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
And append the following to the configuration:
Match User service
    ChrootDirectory /home/service
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
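The following checker is an added example, not part of the GUF manual: it parses an sshd_config text the way sshd reads it (case-insensitive keywords, a Match block extending to the next Match), verifies that the block for the given user contains the settings from the steps above, and checks the ChrootDirectory ownership and permissions that sshd enforces. SAMPLE_CONFIG is a constructed excerpt mirroring the manual's snippet; function and variable names are the example's own.

```python
import stat

# Settings the manual's Match block pins down; sshd keywords are case-insensitive.
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no", "x11forwarding": "no"}

# Constructed sshd_config excerpt mirroring the manual's snippet (sample input, not a device file).
SAMPLE_CONFIG = """\
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match User service
    ChrootDirectory /home/service
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
"""

def parse_sshd_config(text):
    """Split sshd_config into global options and a list of (criteria, options) Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # everything up to the next Match belongs to this block
            blocks.append((value.lower(), (current := {})))
        else:
            (global_opts if current is None else current)[key] = value
    return global_opts, blocks

def check_sftp_jail(config_text, user):
    """Return the deviations from the manual's SFTP-only setup (empty list means OK)."""
    problems = []
    global_opts, blocks = parse_sshd_config(config_text)
    # Inside the chroot /usr/lib/openssh/sftp-server is unreachable, so internal-sftp is mandatory.
    if global_opts.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        problems.append("Subsystem sftp must be internal-sftp")
    opts = next((o for crit, o in blocks if crit == f"user {user}".lower()), None)
    if opts is None:
        return problems + [f"no 'Match User {user}' block"]
    if not opts.get("chrootdirectory"):
        problems.append("ChrootDirectory missing")
    problems += [f"{k} should be {v}" for k, v in REQUIRED.items() if opts.get(k, "").lower() != v]
    return problems

def chroot_dir_ok(uid, mode):
    """sshd rejects a ChrootDirectory unless root owns it and it is not group/world writable."""
    return uid == 0 and not mode & (stat.S_IWGRP | stat.S_IWOTH)
```

Because the chroot directory itself must be root-owned and not writable by the user, a subdirectory owned by the service user is needed if the user should upload files rather than only download them.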
Now it is possible to use, for example, FileZilla to access the device with the new user and its password, but the
root folder shown in FileZilla is the home folder on the device.
Note:
By default the user is also able to log in using telnet or the serial console with access to the
complete root filesystem. If this is not desired, further configuration steps are needed.
4.1.4 Telnet service
The telnet service allows the user to log in on the target system.