Re: Review for "PermitRootLogin without-password" change
On Tue, Mar 25, 2014 at 03:08:18PM +0000, Matthew Vernon wrote:
> Colin Watson <cjwatson@debian.org> writes:
> > After (how can I put it) extensive and heated discussion over many
> > years, I intend to change sshd_config in new installations of
> > openssh-server to use "PermitRootLogin without-password" rather than
> > "PermitRootLogin yes".
>
> How are we going to deal with the bootstrapping problem? i.e. how are
> we expecting people to populate /root/.ssh/authorized_keys for new
> installs?

There are a number of plausible ways to go about that:

 * go via the first user + sudo/su/etc.
 * put key in place via d-i preseed/late_command or similar (this is
   already pretty common practice - I see it a *lot* in installation
   reports)
 * put key in place via puppet or similar (rather like the last method
   but more comprehensive)
 * temporary console access

I'd expect at least one of those approaches to be available in virtually
all environments.

--
Colin Watson [cjwatson@debian.org]
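
As an added example (not part of the original message or of the openssh-server package), the following pre-flight check could run at the end of a late_command or configuration-management step to confirm that a key-only root policy does not leave root unreachable. The function names are hypothetical; it assumes whitespace-separated `Keyword value` lines and also accepts `prohibit-password`, the newer OpenSSH spelling of `without-password`.

```shell
#!/bin/sh
# Added example: detect the bootstrapping problem before relying on
# "PermitRootLogin without-password". All function names are hypothetical.

# Print the effective global PermitRootLogin value, lower-cased.
# sshd uses the first value it finds for a keyword, and anything after a
# "Match" line is conditional, so stop reading there.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Count authorized_keys lines that are neither blank nor comments.
count_keys() {
    [ -r "$1" ] || { echo 0; return; }
    grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" || true
}

# Exit status: 0 root can log in, 1 key-only policy but no key installed,
# 2 root login disabled, 3 no global setting (compiled-in default applies).
check_root_bootstrap() {
    config=$1 keys=$2
    mode=$(effective_root_login "$config")
    case $mode in
        yes) echo "root login not restricted to keys"; return 0 ;;
        no)  echo "root login disabled"; return 2 ;;
        without-password|prohibit-password|forced-commands-only)
            if [ "$(count_keys "$keys")" -gt 0 ]; then
                echo "key-only root login, key present"; return 0
            fi
            echo "key-only root login but no key in $keys"; return 1 ;;
        *)   echo "PermitRootLogin is $mode: check the sshd default"; return 3 ;;
    esac
}
```

During installation this would be called as `check_root_bootstrap /target/etc/ssh/sshd_config /target/root/.ssh/authorized_keys`, `/target` being where d-i mounts the new system.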