Bug#425859: user-setup: Cannot preseed an installation with a locked (!) root password and no user account

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#425859: user-setup: Cannot preseed an installation with a locked (!) root password and no user account
From: Matthew Johnson <mjj29-debbug@srcf.ucam.org>
Date: Thu, 24 May 2007 16:29:05 +0100
Message-id: <[🔎] 20070524152905.28438.11419.reportbug@illythia.matthew.ath.cx>
Reply-to: Matthew Johnson <mjj29-debbug@srcf.ucam.org>, 425859@bugs.debian.org

Package: user-setup
Severity: minor


I have been trying to preseed config files for a set of servers we have
just bought. Since I do not want either the root password (even hashed)
in the config file or any user-interaction on these (headless) machines,
I would like to disable both the root password and not create a user.
Access is enabled by late_command which installs an ssh public key to
/root/.ssh/authorized_keys.

The documentation (at
http://www.debian.org/releases/stable/i386/apbs04.html.en) says:

   "The passwd/root-password-crypted and passwd/user-password-crypted
   variables can also be preseeded with ?!? as their value. In that
   case, the corresponding account is disabled. This may be convenient
   for the root account, provided of course that an alternative method
   is setup to allow administrative activities or root login (for
   instance by using SSH key authentication or sudo)"

However, a preseed file containing:
   d-i passwd/make-user boolean false
   d-i passwd/root-password-crypted string !
or:
   d-i passwd/make-user boolean false
   d-i passwd/root-login boolean false

still prompts for either the root password or creation of a user. This
would appear to be deliberate because user-setup-ask contains:

      db_get passwd/root-login
      if [ "$RET" = false ]; then
         # always make non-root user; this user will be able
         # to sudo to root
         db_set passwd/make-user true

and

         db_get passwd/root-password-crypted || true
         if ! test "$RET" || [ "x$RET" = "x!" ]; then
            # No preseed of the root password hash
            # we will prompt the user

This, however, is not what the documentation claims or what would be
useful in this case.

I have currently solved the problem by using the following preseed:

   d-i passwd/make-user boolean false
   d-i passwd/root-password-crypted string !!

but it would better if the actual implementation matched the
documentation and if the situation I would like were supported.

As an additional wishlist item; user-setup could do the preseeding of
ssh public keys for users or root itself and therefore explicitly
support this case. No patch yet; maybe if I have time.

Matt


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Reply to:

Prev by Date: Re: CCISS patch test
Next by Date: Re: Test results of partman with libparted1.8
Previous by thread: Bug#425843: partman-lvm: lowering priority to allow for entry of VG name does not work
Next by thread: NSLU2 and debian installer issues
Index(es):
- Date
- Thread