Re: Best practices for tokens/passwords that can't be versioned


Alan
 

Thanks for the feedback.
This is a very interesting use case.
By default you want to allow ssh access for the developer who built
the image, cool :)

On Thu, Dec 13, 2018 at 2:59 PM Enrico Scholz
<enrico.scholz@...> wrote:

Alan Martinovic <alan.martinovic@...> writes:

am looking for opinions on how to deal with recipes that depend on file content
that can't be versioned.
For ssh public keys we use something like

https://github.com/sigma-embedded/meta-de.sigma-chemnitz/blob/thud/classes/elito-image.bbclass#L36-L44

e.g. we take it from ${HOME}/.config/oe (which is a little bit tricky to
expand).


And/or incliude local/side configuration by

https://gitlab.com/ensc-groups/bpi-router/BSP/blob/thud-next/build/conf/local.conf#L33-36

which in turn includes something from ~/.config/oe/

https://gitlab.com/ensc-groups/bpi-router/BSP/blob/thud-next/build/conf/local_bpi-router.bigo.ensc.de.conf#L9


i.e. The logging service on the embedded device needs to have a
certain private key
Note that including private keys in the image usually weakens security
because the key can be extracted more or less trivially.



Enrico
--
SIGMA Chemnitz GmbH Registergericht: Amtsgericht Chemnitz HRB 1750
Am Erlenwald 13 Geschaeftsfuehrer: Grit Freitag, Frank Pyritz
09128 Chemnitz

Join yocto@lists.yoctoproject.org to automatically receive all group messages.