On Tue, Jun 24, 2014 at 8:23 AM, Andy Grimm <agrimm@xxxxxxxxx> wrote:
> I don't think the passwordless sudo that Google's tools set up is any
> different from what cloud-init does, is it? In both cases it's
> assumed that the user for whom you are injecting the ssh key is the
> "administrator". Baking in a password wouldn't make it any better,
> and shoving a password into the metadata (even encrypted) would allow
> any user on the system to retrieve it and attempt to decrypt. What
> would be a better solution?

Google deploying FreeIPA for authentication and have all VMs configured? ;)

I can live with SSH keys injected to root. A root with its SSH allowing login without-password only. This would be convenient and no passwords involved.

The reason they enable sudo and lock root is to keep better auditing options. But, hey, it's not like you're gonna create 20 keys in a single server for 20 admins to go in and do stuff.

--
It's hard to be free... but I love to struggle. Love isn't asked for; it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric

http://www.woralelandia.com/
http://www.introbella.com/
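
The key-only root login mentioned in the reply above corresponds to the sshd_config keyword PermitRootLogin. The following is an added example, not part of the original message: it reports which PermitRootLogin value the global section of an sshd_config yields, relying on sshd keeping the first value it obtains for a keyword. Function names and sample configs are constructed, and Include directives and Match evaluation are assumed out of scope.

```python
"""Which PermitRootLogin value does the global part of an sshd_config yield?

Added illustration: function names and sample configs are constructed.
Assumes no Include directives; Match blocks are not evaluated.
"""


def global_permit_root_login(config_text):
    """Return the first PermitRootLogin value set before any Match block.

    sshd keeps the first value it obtains for a keyword, so a later
    duplicate in the global section has no effect. None means unset.
    """
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        keyword = tokens[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # end of the global section
        if keyword == "permitrootlogin" and len(tokens) > 1:
            return tokens[1].lower()
    return None


def permits_root_password(value):
    """Does PermitRootLogin itself leave password auth open for root?

    Returns None when unset: the compiled-in default then applies, and it
    differs between OpenSSH versions. PasswordAuthentication may still
    forbid passwords independently of this keyword.
    """
    if value is None:
        return None
    return value == "yes"


# Constructed samples.
KEY_ONLY_FIRST = "PermitRootLogin without-password\nPermitRootLogin yes\n"
YES_FIRST = "# constructed\nPermitRootLogin yes\npermitrootlogin without-password\n"
MATCH_ONLY = (
    "PasswordAuthentication no\n"
    "Match Address 192.0.2.0/24\n"
    "    PermitRootLogin without-password\n"
)

if __name__ == "__main__":
    for name, text in [("KEY_ONLY_FIRST", KEY_ONLY_FIRST),
                       ("YES_FIRST", YES_FIRST), ("MATCH_ONLY", MATCH_ONLY)]:
        value = global_permit_root_login(text)
        print(name, value, permits_root_password(value))
```

In YES_FIRST the later without-password line is shadowed by the earlier yes, which is the case worth checking for when an image build appends to an existing sshd_config.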