
Re: Review for "PermitRootLogin without-password" change



On Tue, Mar 25, 2014 at 03:08:18PM +0000, Matthew Vernon wrote:
> Colin Watson <cjwatson@debian.org> writes:
> > After (how can I put it) extensive and heated discussion over many
> > years, I intend to change sshd_config in new installations of
> > openssh-server to use "PermitRootLogin without-password" rather than
> > "PermitRootLogin yes".  
> 
> How are we going to deal with the bootstrapping problem? i.e. how are
> we expecting people to populate /root/.ssh/authorized_keys for new
> installs? 

There are a number of plausible ways to go about that:

 * go via the first user + sudo/su/etc.
 * put key in place via d-i preseed/late_command or similar (this is
   already pretty common practice - I see it a *lot* in installation
   reports)
 * put key in place via puppet or similar (rather like the last method
   but more comprehensive)
 * temporary console access

I'd expect at least one of those approaches to be available in virtually
all environments.

-- 
Colin Watson                                       [cjwatson@debian.org]
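
The key-placement options listed in the message above (late_command, configuration management, or the first user via sudo) all come down to the same step, sketched here as an added example that is not part of the original message or of any Debian tooling. The function name install_root_key, its arguments and the accepted key-type list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: put one public key into <root_dir>/root/.ssh/authorized_keys
# so that key-based root login works with "PermitRootLogin without-password".
# install_root_key and its arguments are hypothetical names for this sketch.
# The body runs in a subshell ( ... ) so the umask change does not leak out.
install_root_key() (
    root_dir=$1   # "/" on a running system, or the mounted target of an installer
    pubkey=$2     # one authorized_keys line: "<type> <base64> [comment]"

    # Accept only a single plain public-key line. Leading options such as
    # command="..." and embedded newlines (extra keys) are rejected.
    case $pubkey in
        *"
"*) echo "refusing multi-line key" >&2; exit 1 ;;
    esac
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *) ;;   # sample allow-list
        *) echo "unrecognised key type or leading options" >&2; exit 1 ;;
    esac

    ssh_dir=$root_dir/root/.ssh
    keys=$ssh_dir/authorized_keys

    # sshd's StrictModes (on by default) checks ownership and modes of these
    # paths before accepting a key, so create them private from the start.
    umask 077
    mkdir -p "$ssh_dir" || exit 1
    chmod 700 "$ssh_dir" || exit 1
    touch "$keys" || exit 1
    chmod 600 "$keys" || exit 1

    # Idempotent: append only when the exact line is not already present,
    # so repeated installer or configuration-management runs add no duplicates.
    if ! grep -qxF -- "$pubkey" "$keys"; then
        printf '%s\n' "$pubkey" >> "$keys" || exit 1
    fi
)
```

Run it as root against the real root directory, or against the installer's mounted target before first boot; existing keys in the file are left untouched.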

