The specific application is around complete replacement of dropbear with OpenSSH in the firmware.
To allow login after a clean flash or in failsafe mode, sshd_config needs to allow root login without password as one approach. OpenSSH should, by default, block root login in all other modes. My thoughts were to put a "scary" permissive sshd_config on the squashfs image that would be overlaid by the "stock" and relatively safe one in normal operation, without a user having to create one. A couple of other files might be in the same category, such as
This approach is attractive to me as this would keep the image consistent with other OpenWrt images when running in failsafe mode.
I'm familiar with how to add files to the squashfs image but would like to additionally add a file to the initial overlay file system.
If it isn't straightforward to add files to the overlay, I've also thought of enabling a "recovery" user in the firmware, as long as sudo is also in the image and they are granted privilege to use it.
There are a couple of hints in the make files such as
include/package-ipkg.mk: ifdef Package/$(1)/install-overlay
but I haven't found any documentation on it yet.
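
The two-file scheme described in the post (a permissive sshd_config on squashfs, a restrictive one in the overlay) can be verified with a build-time check that classifies each file. This is an added example, not part of the original post or of OpenWrt: the function names and sample files are hypothetical and constructed, and it assumes no `Include` directives and evaluates only the global section before any `Match` line.

```shell
#!/bin/sh
# Added example (not from the original post). Sample configs are constructed.

# Print the effective global value of keyword $2 in file $1 (default $3).
# sshd keeps the first value read for a keyword, keywords are case-insensitive,
# and everything after the first "Match" line is conditional, so stop there.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        {
            line = $0
            sub(/=/, " ", line)          # accept "Keyword=value" as well
            split(line, f, " ")
            word = tolower(f[1])
            if (word == "match") exit
            if (word == key && !seen) { val = tolower(f[2]); seen = 1 }
        }
        END { print val }
    ' "$1"
}

# Print "permissive" if root can log in with an empty password, else "restricted".
sshd_root_policy() {
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    empty=$(sshd_effective "$1" PermitEmptyPasswords no)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$root" = yes ] && [ "$empty" = yes ] && [ "$pw" = yes ]; then
        echo permissive
    else
        echo restricted
    fi
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/squashfs_sshd_config" <<'EOF'
# constructed: permissive copy for a clean flash or failsafe mode
PermitRootLogin yes
PermitEmptyPasswords yes
EOF
cat > "$SAMPLES/overlay_sshd_config" <<'EOF'
# constructed: copy for normal operation
PermitRootLogin prohibit-password
PermitEmptyPasswords yes
PermitRootLogin yes
EOF

echo "squashfs: $(sshd_root_policy "$SAMPLES/squashfs_sshd_config")"
echo "overlay:  $(sshd_root_policy "$SAMPLES/overlay_sshd_config")"
```

The overlay sample is reported as restricted even though it contains a later `PermitRootLogin yes`, because only the first value for a keyword takes effect.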