[SailfishDevel] Developer mode: SSH config and devel-su

Graham Cobb g+jolla at cobb.uk.net
Sat Dec 28 12:20:33 UTC 2013


On 28/12/13 12:01, David Greaves wrote:
> On 28/12/13 11:20, Graham Cobb wrote:
>> I would like to make a few changes to the login/auth setup for developer
>> mode on my phone, to make it more similar to the other embedded devices
>> I hack on.
...
> I'm not sure how future updates will handle manually changed config files but I
> think we should be OK.

Thanks for your response, David.  It would be nice if my changes were
preserved, of course, but at least these two particular changes will not
lock me out if they do get reverted.

> Note that the SDK does something similar and ssh'es in as nemo. It uses a
> password for the first-time key setup and thereafter just uses keys - so make
> sure you set up SDK access first for a simpler life.

Ah, thanks for that warning.

>> 2) Set "PermitRootLogin no" in sshd_config.  This disables direct SSH
>> access to the root account (allowing me to safely do the following step).
> 
> I just add a key to root's authorized_keys. 

That certainly works, but it is just not the way I have any of my other
systems set up.  I always disable root access and do everything via an
unpriv'd login and su.  So I don't plan to do that.

>> 5) Disable devel-su altogether.
>>
...
> devel-su is only installed in developer mode. However its presence is a really
> good indicator of developer mode and I'd be cautious of deleting it.

My plan had been to remove the setuid bit.  But now plan to leave it
untouched.

>> I must admit I do not like the fact that the developer mode password is
>> displayed in the settings.  I realise that anyone with physical access
>> to the phone can get root access but I would prefer it to be a tiny bit
>> harder than just looking at the password in the settings.
> 
> It is not displayed if you set it to a value of your choosing :)

Hmm.  I had tried that before sending the post!!  But I obviously did
something wrong as it is now working as you describe (and as I had
expected, to be honest).

> It may be easier to simply alias su to devel-su in your bashrc.

Yes.  I will probably do something like that instead of steps 3-5 from
my original mail.

Thanks again.
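
The "PermitRootLogin no" change discussed in this thread only takes effect if sshd reads that line before any other value for the keyword. The script below is an added example, not part of the original mail: the function names and the sample file are constructed for illustration, and Include directives are assumed absent.

```shell
# Added example: which PermitRootLogin value does sshd take from a config file?
# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.

# Shared awk rules: trim indentation, skip comments, lower-case the keyword.
PROLOGUE='{ sub(/^[ \t]+/, "") }
/^#/ || /^$/ { next }
{ key = tolower($1); sub(/=.*/, "", key) }'

# global_root_login FILE: first PermitRootLogin before any Match block, or "unset".
global_root_login() {
    awk "$PROLOGUE"'
        key == "match" { exit }
        key == "permitrootlogin" {
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
            print val; found = 1; exit
        }
        END { if (!found) print "unset" }' "$1"
}

# match_overrides FILE: PermitRootLogin lines inside Match blocks, with context.
match_overrides() {
    awk "$PROLOGUE"'
        key == "match" { ctx = $0; next }
        ctx != "" && key == "permitrootlogin" { print ctx ": " $0 }' "$1"
}

# root_login_disabled FILE: succeeds only if the global value is "no" and no
# Match block sets the keyword again (any override needs a manual look).
root_login_disabled() {
    [ "$(global_root_login "$1")" = "no" ] && [ -z "$(match_overrides "$1")" ]
}

# Constructed sample: "no" was appended below an existing "yes".
sample_config() {
cat <<'EOF'
# constructed sample, not taken from a real device
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin without-password
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
echo "global PermitRootLogin: $(global_root_login "$tmp")"
match_overrides "$tmp"
rm -f "$tmp"
```

On a running system, `sshd -T` (as root) prints the configuration sshd actually resolved, which is the authoritative check after editing the file.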

