[Openstack-devel] openstack-debian-images_0.1_amd64.changes REJECTED

Ansgar Burchardt ansgar at debian.org
Sat Jun 15 09:04:52 UTC 2013


Hi,

Thomas Goirand <zigo at debian.org> writes:
>>   chroot ${MOUNT_DIR} sh -c "echo root:password | chpasswd"
>> 
>> Default root passwords are not good. There's no reason to do this.
>
> Hum... Let me give you a bit of context here.
>
> At the end, the image will be published possibly with the "--public"
> flag, and everyone will be able to brute-force it. So setting up a
> random password doesn't really make sense.
>
> It's also to be noted that root ssh logins are disabled (PermitRootLogin
> without-password in sshd_config), and that in the context of such an
> image, the "debian" user would be set up by cloud-init using the metadata
> server provided ssh key (using the --key-name of "nova boot").
>
> The only use of the default password is if the user of the image wants
> to use the Horizon (the OpenStack dashboard) web interface to login as
> root. In this context, the user is already authenticated through
> keystone. And then, the user would need to know the root password, since
> no other user has a password defined (the "debian" user is created with
> the "--disabled-password" option of adduser). It could also be useful in
> the case of a single user mode after a failed FSCK for example.

Then don't set a root password. You effectively make *every* user
equivalent to root as they can just use su.

If people want or need a root password, they can set one themselves.

Ansgar
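
As an added example (not from this thread or the openstack-debian-images project), a small audit that an image build could run before publishing, to confirm root ends up with no usable password rather than the default one from the quoted chpasswd line. The sample shadow contents, the placeholder hash and the mktemp path are constructed; ${MOUNT_DIR} is the build mount point from the quoted script.

```shell
#!/bin/sh
# Added example, not code from the original thread or project: classify the
# root entry of an image's /etc/shadow so a build can refuse to publish an
# image that ships a default root password.

# Print the state of root's password field in the shadow file given as $1:
#   locked  - field starts with "!" or "*": no password login for root
#   empty   - field is empty: root can be reached with no password at all
#   set     - a hash is present; with a known default in a public image,
#             every local user can reach root with "su"
#   missing - no root entry in the file (exit status 1)
root_password_state() {
    shadow_file=$1
    grep -q '^root:' "$shadow_file" || { echo missing; return 1; }
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$shadow_file")
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Write a constructed shadow file whose root field is $1 to a temp file and
# print its path (only used to exercise the check above).
sample_shadow() {
    f=$(mktemp)
    printf 'root:%s:19500:0:99999:7:::\ndebian:!:19500:0:99999:7:::\n' "$1" > "$f"
    echo "$f"
}

# How the check would be used in the image build (not executed here): after
# debootstrap, instead of "echo root:password | chpasswd", leave root locked
# and verify the result before the image is uploaded:
#   chroot "${MOUNT_DIR}" passwd -l root
#   [ "$(root_password_state "${MOUNT_DIR}/etc/shadow")" = locked ] || exit 1
```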
