Re: Review for "PermitRootLogin without-password" change

To: debian-ssh@lists.debian.org
Subject: Re: Review for "PermitRootLogin without-password" change
From: Russ Allbery <rra@debian.org>
Date: Thu, 27 Mar 2014 10:40:16 -0700
Message-id: <[🔎] 87zjkbo7zz.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20140327160939.GA7274@riva.ucam.org> (Colin Watson's message of "Thu, 27 Mar 2014 16:09:39 +0000")
References: <[🔎] 20140320014833.GC32733@riva.ucam.org> <[🔎] 5br45qz57h.fsf@chiark.greenend.org.uk> <[🔎] 20140327160939.GA7274@riva.ucam.org>

Colin Watson <cjwatson@debian.org> writes:

> There are a number of plausible ways to go about that:

>  * put key in place via d-i preseed/late_command or similar (this is
>    already pretty common practice - I see it a *lot* in installation
>    reports)

We do this, but via FAI, and have been doing so for years.  At least if
you're using FAI, the original root password is effectively public to any
host that could potentially boot off of the FAI servers, since at the
point at which the system is being bootstrapped it usually can't
authenticate itself.  So public key is a natural fit for the security
model that you need.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Review for "PermitRootLogin without-password" change
  - From: Colin Watson <cjwatson@debian.org>
- Re: Review for "PermitRootLogin without-password" change
  - From: Matthew Vernon <matthewv@chiark.greenend.org.uk>
- Re: Review for "PermitRootLogin without-password" change
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#670491: Re: Bug#670491: ssh: Virtual servers
Next by Date: Processing of openssh_6.6p1-1_i386.changes
Previous by thread: Re: Review for "PermitRootLogin without-password" change
Next by thread: Bug#742308: openssh: [INTL:ru] Russian debconf templates translation
Index(es):
- Date
- Thread