[Openstack-devel] openstack-debian-images_0.1_amd64.changes REJECTED
Thomas Goirand
thomas at goirand.fr
Sat Jun 15 09:59:01 UTC 2013
On Sat Jun 15 2013 05:04:52 PM CST, Ansgar Burchardt <ansgar at debian.org> wrote:
> Hi,
>
> Thomas Goirand <zigo at debian.org> writes:
> > > chroot ${MOUNT_DIR} sh -c "echo root:password | chpasswd"
> > >
> > > Default root passwords are not good. There's no reason to do this.
> >
> > Hum... Let me give you a bit of context here.
> >
> > At the end, the image will be published possibly with the "--public"
> > flag, and everyone will be able to brute-force it. So setting-up a
> > random password doesn't really make sense.
> >
> > It's also to be noted that root ssh logins are disabled
> > (PermitRootLogin without-password in sshd_config), and that in the
> > context of such an image, the "debian" user would be setup by
> > cloud-init using the metadata server provided ssh key (using the
> > --key-name of "nova boot").
> >
> > The only use of the default password is if the user of the image wants
> > to use the Horizon (the OpenStack dashboard) web interface to login as
> > root. In this context, the user is already authenticated through
> > keystone. And then, the user would need to know the root password,
> > since no other user has a password defined (the "debian" user is
> > created with the "--disabled-password" option of adduser). It could
> > also be useful in the case of a single user mode after a failed FSCK
> > for example.
>
> Then don't set a root password. You effectively make *every* user
> equivalent to root as they can just use su.
>
> If people want or need a root password, they can set one themselves.
>
> Ansgar
Then how would a user login through the OpenStack
dashboard (Horizon) SPICE console?
Thomas (from my phone)
More information about the Openstack-devel
mailing list