[Pkg-shadow-devel] Bug#304343: preseeding disabled passwords

Holger Levsen <debian@layer-acht.org>, 304343@bugs.debian.org
Tue, 12 Apr 2005 16:39:32 +0200



package: shadow
severity: wishlist

Hi,

I would like to be able (post sarge :) to preseed (with d-i) disabled
passwords. So I could disable the root account and pull user data from ldap
or with ssh's authorized_keys.

Some log bits from our discussion on #debian-boot

<h01ger> bubulle: i'm strictly against asking for passwords only once. How to detect typos that way ? There is no way so people will choose passwords like "mate" or "123" :-( If you ask for passwords, you have to confirm them. For critical installation mode, $disabled as a password would be much more handy :)
<bubulle> As shadow maintainer now (sigh), I will implement what is judged as most appropriate by the d-i team, as this feature is only used during installs
<bubulle> same for the groups the first created user should belong to (I *will* deal with that post-sarge...but, again, after taking opinions from either the d-i team, or the technical committee, or by starting a flamew^W discussion in -devel
<aba> bubulle: well, a nice thing would be to allow to not set any root pw ...
<bubulle> aba: you mean, disable it as h01ger suggested?
<h01ger> bubulle: you might even argue that it's a debian decision. as "ergonomic user interfaces" are demanded by some laws (you are not allowed to use unergonomic software) and entering a password only once is against all users' expectations. - even admins have a right for ergonomic software :-) but i absolutely agree with post-sarge and team-decision.
<bubulle> I also intend to deal with the suggestion to preseed the passwords with encrypted values
<h01ger> preseeding encrypted passwords is better of course, but also gives a false sense of security. so please also add a warning like "r00tme" :)
<bubulle> h01ger: yep, the decision about prompting the root pw twice is a general design decision, so a "debian" decision (thus, technical committee, again?)
<p2-mate> aba: you would still need a user with password and sudo in that case
<aba> p2-mate: yes.
<p2-mate> sounds like moving the problem :)
<bubulle> h01ger: about the ability to disable the root login, I suggest you report a wishlist bug against shadow for that. IIRC, there is no such suggestion. Feel free to paste this whole discussion for the record
<h01ger> p2-mate, that's no problem. you can install authorized_keys with base-config/late|early_command
<aba> p2-mate: if you use user account replication, you don't need any local account :)
<h01ger> bubulle, ok. will do. thx.
<Kamion> disabled passwords> FWIW that can probably be taken from the Ubuntu patch, with different defaults - I just wasn't sure if anyone wanted that
<bubulle> Kamion: looking, some day, at Ubuntu patches to shadow, is among my projects for shadow....Sigh...if only days had 30 hours and the shadow team more than 3 members (plus upstream...now well involved)
<bubulle> Kamion: who is currently maintaining shadow in Ubuntu?
<Kamion> bubulle: I'm probably the closest you've got
<bubulle> Kamion: would you consider joining in the small pkg-shadow-devel team?
<Kamion> bubulle: yeah, could do, I'll have a look later today
<h01ger> Kamion, where is the patch ? i couldn't find at http://patches.ubuntulinux.org/patches/(shadow.login-nosuid.diff) ?
<Kamion> h01ger: http://people.ubuntu.com/~scott/patches/shadow/
<Kamion> far too enormous for its own good
<h01ger> Kamion, thx.
<Kamion> the initial-passwd-udeb thing is a consequence of trying to ask all questions in the first stage; I'm not entirely convinced (yet) that it's the right approach though
<Kamion> I think most of the rest should be pretty obvious


regards,
 Holger
