package: shadow
severity: wishlist

Hi,
I would like to be able (post sarge :) to preseed (with d-i) disabled passwords. So I could disable the root account and pull user data from ldap or with ssh's authorized_keys.

Some log bits from our discussion on #debian-boot:

<h01ger> bubulle: i'm strictly against asking for passwords only once. How to detect typos that way ? There is no way so people will choose passwords like "mate" or "123" :-( If you ask for passwords, you have to confirm them. For critical installation mode, $disabled as a password would be much more handy :)
<bubulle> As shadow maintainer now (sigh), I will implement what is judged as most appropriate by the d-i team, as this feature is only used during installs
<bubulle> same for the groups the first created user should belong to (I *will* deal with that post-sarge...but, again, after taking opinions from either the d-i team, or the technical committee, or by starting a flamew^W discussion in -devel
<aba> bubulle: well, a nice thing would be to allow to not set any root pw ...
<bubulle> aba: you mean, disable it as h01ger suggested?
<h01ger> bubulle: you might even argue that it's a debian decision. as "ergonomic user interfaces" are demanded by some laws (you are not allowed to use unergonomic software) and entering a password only once is against all users expectations. - even admins have a right for ergonomic software :-) but i absolutely agree with post-sarge and team-decision.
<bubulle> I also intend to deal with the suggestion to preseed the passwords with encrypted values
<h01ger> preseeding encrypted passwords is better of course, but also gives a false sense of security. so please also add a warning like "r00tme" :)
<bubulle> h01ger: yep, the decision about prompting the root pw twice is a general design decision, so a "debian" decision (thus, technical committee, again?)
<p2-mate> aba: you would still need a user with password and sudo in that case
<aba> p2-mate: yes.
<p2-mate> sounds like moving the problem :)
<bubulle> h01ger: about the ability to disable the root login, I suggest you report a wishlist bug against shadow for that. IIRC, there is no such suggestion. Feel free to paste this whole discussion for the record
<h01ger> p2-mate, that's no problem. you can install authorized_keys with base-config/late|early_command
<aba> p2-mate: if you use user account replication, you don't need any local account :)
<h01ger> bubulle, ok. will do. thx.
<Kamion> disabled passwords> FWIW that can probably be taken from the Ubuntu patch, with different defaults - I just wasn't sure if anyone wanted that
<bubulle> Kamion: looking, some day, at Ubuntu patches to shadow, is among my projects for shadow....Sigh...if only days had 30 hours and the shadow team more than 3 members (plus upstream...now well involved)
<bubulle> Kamion: who is currently maintaining shadow in Ubuntu?
<Kamion> bubulle: I'm probably the closest you've got
<bubulle> Kamion: would you consider joining in the small pkg-shadow-devel team?
<Kamion> bubulle: yeah, could do, I'll have a look later today
<h01ger> Kamion, where is the patch ? i couldn't find at http://patches.ubuntulinux.org/patches/(shadow.login-nosuid.diff) ?
<Kamion> h01ger: http://people.ubuntu.com/~scott/patches/shadow/
<Kamion> far too enormous for its own good
<h01ger> Kamion, thx.
<Kamion> the initial-passwd-udeb thing is a consequence of trying to ask all questions in the first stage; I'm not entirely convinced (yet) that it's the right approach though
<Kamion> I think most of the rest should be pretty obvious

regards,
Holger