On Fri, Mar 31, 2017 at 12:51:08AM +0200, Michael Biebl wrote:
> Maybe I'm overly paranoid here, but maybe that helps to better
> understand my concerns.

No, your concerns sound reasonable to me, and I agree that demanding a username from group sudo, along with its password, sounds like it could be even better. However, I think it might not be necessary. Simply warn the user what is going to happen if they don't set the root password at install time: rescue boot will be left unprotected. Some users might prefer that behavior anyway -- as someone pointed out, the rescue shell would still work even if passwd/shadow are lost. Users that are setting up BIOS and grub passwords can be expected to set the root password as well, IMHO. Obviously, the installer should make it unmistakably clear.

If that's not acceptable, I hope you'll agree that the installer should just force you to set a root password. It's not reasonable for it to quietly leave you with a rescue shell that won't work at all.

However, I honestly think the more lenient solution is better: an empty root password usable only at rescue boot seems preferable to a very weak password that could be allowed elsewhere. That said, I just noticed that we seem to have PermitRootLogin prohibit-password in sshd_config by default now, so this might be a minor or even moot point.

-nd.

_______________________________________________
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers