
Re: Allowing login via (serial) console by default



Hello,

  I just subscribed to this list, sorry if I'm not exactly pertinent or up-
to-date...


On Mon, 2018-12-17 at 19:46 +0000, Jose Miguel Parrella Romero wrote:
> > No, we don't want a password.  But we can have a null-password set,
> > which can be used from secure terminals, aka tty0 and ttyS0.

  I've been using permanent login-less consoles in my LXC containers,
because it's very convenient. They actually launch 'getty -l bash ttyXX'
which bypasses the password issue. Thus from my point of view having a
login-less access is orthogonal to the root password question - and actually
I prefer root having no password (and thus no possible interactive login).

  As for containers, the reasoning is: if I'm root on the host, why shouldn't
I be root in the containers? In my case I considered it to be okay because 1/
those containers run my code (not my client's), I felt legitimate to sneak
into them from the host, 2/ it's not networked, it's a local tty thing with
a narrow security scope (either you're root on the host, or you're not).

  I'm currently wondering if I could extend this idea to the cloud context.
I mean, when passing explicit console=hvc0 to the boot args, I'd like to
have a root shell attached to it when boot is done. As far as the VM creator
is the same person as the VM administrator (which I tend to consider the
major case in this devops era), I can't see any security issue. You create
the VM, you own it - its data and its fate.

  I'm currently stuck with VMs with no root password (and where you can't
log in through the serial console, which had proven to be a problem for me in
some rescue operations), or with passwords which are inherently insecure as
soon as you have more than 3 people sharing them (rotating, full renew when
one collaborator leaves, updating powered off VMs, you name it).

  I don't claim that would be a good default option in Debian cloud's
images, but I'd like it to be easily configured. And I wonder what other
cloud users think/practice...
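
An added example, not part of the original message: a small Python audit that flags getty lines which hand out a session without a password, such as the `getty -l bash` invocation mentioned above or agetty's `--autologin`. The function names and the sample inittab/systemd lines are constructed for illustration.

```python
import os
import re

GETTYS = {"getty", "agetty"}          # busybox/sysvinit getty and util-linux agetty
SHELLS = {"sh", "ash", "bash", "dash", "ksh", "zsh"}

def audit_getty_line(line):
    """Return the reasons this getty invocation skips password authentication."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return []
    for i, tok in enumerate(tokens):
        # Handles "ExecStart=-/sbin/agetty" (systemd) and "id::respawn:/sbin/getty" (inittab)
        prog = re.split(r"[=:]", tok)[-1].lstrip("-@")
        if os.path.basename(prog) in GETTYS:
            args = tokens[i + 1:]
            break
    else:
        return []
    flat = []
    for arg in args:                  # normalise "--opt=value" to "--opt", "value"
        flat.extend(arg.split("=", 1) if arg.startswith("--") else [arg])
    reasons = []
    for opt, val in zip(flat, flat[1:]):
        if opt in ("-l", "--login-program") and os.path.basename(val) in SHELLS:
            reasons.append(f"login program replaced by shell {val}")
        elif opt in ("-a", "--autologin"):
            reasons.append(f"autologin as {val}")
    return reasons

def audit(text):
    """Map 1-based line numbers to findings for every flagged line in text."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        reasons = audit_getty_line(line)
        if reasons:
            findings[n] = reasons
    return findings

# Constructed sample mixing inittab-style and systemd-style lines
SAMPLE = """\
# consoles
T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100
c1::respawn:/sbin/getty -l bash tty1
ExecStart=-/sbin/agetty --autologin root --noclear hvc0 linux
ExecStart=-/sbin/agetty --login-program=/bin/sh --keep-baud 115200 ttyS0
"""

if __name__ == "__main__":
    for n, reasons in audit(SAMPLE).items():
        print(n, "; ".join(reasons))
```

The uppercase `-L` (local line) on the first getty entry is deliberately not flagged; only `-l`/`--login-program` pointing at a shell and `-a`/`--autologin` are reported.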

