Dropbear -> Openssh: Why does it ask for a password now?

Question

I'm working on an embedded board (i.MX6) with a Yocto-based embedded Linux. So far I used Dropbear as SSH server. However, Dropbear doesn't provide an SFTP server, which I need. Therefore I switched from Dropbear to OpenSSH (built it from the standard Poky sources, and installed it via opkg).

However, since then I cannot login to the board via SSH anymore, because the server asks for a password, which I don't know. The only user is root, and it has no password configured (this is still true, because I can log in locally via RS232 without problems). Why does OpenSSH ask for a password? How can I remove that?

I thought that maybe there's a passphrase set in one of the private keys in /etc/ssh:

/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key

So I did ssh-keygen -p -f /etc/ssh/ssh_host_rsa_key respectively for each of them, but it didn't help.

This is the essential pieces of the sshd_config file:

# grep '^[^#]' /etc/ssh/sshd_config
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation sandbox # Default for new installations.
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
Subsystem       sftp    /usr/lib/openssh/sftp-server

Any ideas?

Answer 1

Are you sure that you have debug-tweaks in your IMAGE_FEATURES or EXTRA_IMAGE_FEATURES?

If so, the ROOTFS_POSTPROCESS_COMMAND should include ssh_allow_empty_password(); which in turns should set PermitEmptyPasswords yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config_readonly. That should allow you to use empty passwords with OpenSSH.

Answer 2

If you have "debug-tweaks" in your EXTRA_IMAGE_FEATURES then the password will be blank: this may be ok for development images.

If you want to have some security instead, you can either add a recipe that installs a public key to /root/.ssh/authorized_keys or use the extrausers class in an image recipe or local configuration to set the password.