[elbe-devel] [PATCH v3 6/7] init: Drop initvm-ssh-root-open-danger
Bastian Germann
bage at linutronix.de
Wed Apr 19 15:14:25 CEST 2023
On 19.04.23 at 15:01, Sebastian Andrzej Siewior wrote:
> On 2023-03-03 14:37:13 [+0100], Bastian Germann wrote:
>> diff --git a/examples/elbe-init-big-machine.xml b/examples/elbe-init-big-machine.xml
>> index 392588c39f..02076a9444 100644
>> --- a/examples/elbe-init-big-machine.xml
>> +++ b/examples/elbe-init-big-machine.xml
>> @@ -48,6 +48,10 @@ SPDX-FileCopyrightText: Linutronix GmbH
>> </pkg-list>
>> <preseed>
>> <conf owner="pbuilder" key="pbuilder/mirrorsite" type="string" value="http://ftp.de.debian.org/debian"/>
>> +
>> + <!-- THIS CONF IS POTENTIALLY DANGEROUS! It enables logging in on the initvm's ssh as root with password.
>> + See https://bugs.debian.org/837733 for this counter-intuitive setting -->
>> + <conf owner="openssh-server" key="openssh-server/permit-root-login" type="boolean" value="false"/>
>
> Wouldn't it make sense to hide this setting within a comment block to
> have it off by default since the file where this came from had "danger"
> in its name and now it is enabled by default?
> Given that a local installation with enabled root-by-password login is
> likely to be harmless just double checking here and what the
> expectations are in general.
Yes, the expectation is that it is only run as a local VM.
Also, this is just an example and the default initvm template does not
enable root-by-passwd login.
>
>> </preseed>
>> <size>80G</size>
>> <mem>2GiB</mem>
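Review bot: The comment added above the openssh-server/permit-root-login conf line says the setting enables root login with a password, yet the value on that line is "false", and only the bug link explains the mismatch. Say in the comment itself that value="false" is the choice that turns root password login on, so a reader does not "fix" it or copy it assuming it is the safe value. Since the setting previously lived in a file with "danger" in its name, also consider shipping the conf element commented out in this example so that enabling it is an explicit opt-in.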
>
> Sebastian