[ec2-beta] some feedback on the i386 image

[Jamie Strandboge]

On Mon, 12 Jan 2009, Eric Hammond wrote:

> Reminder for folks trying to follow the conversation: The problem we're
> trying to solve is how/whether to set the initial password for the
> "ubuntu" user for sudo ability.  (ssh ability is not an issue as it uses
> the EC2 ssh keypair chosen by the user at runtime.)
> 
We already setup the root user with ssh key access and so far I have
completely disregarded the generated password, cause I know I can always
ssh in as root and do:
# passwd ubuntu

This is in stark contrast to standard Ubuntu installations that don't
have this type of access to the root account, so in a lot of ways, the
significance of the 'ubuntu' user account is marginalized on EC2. We
certainly aren't forcing the user to make a choice to enable the root
user-- to the contrary, we suggest the EC2 user use the non-root user.

With these things in mind, I'll put out there a (perhaps crazy) idea and
suggest setting up the user totally differently:

a) setup a long random password for the ubuntu user, or perhaps simply
lock the account (passwd -l ubuntu)
b) setup up /etc/sudoers to not prompt for a password at all
('Defaults:ubuntu !authenticate' and 'ubuntu ALL=(ALL) ALL')
c) move /root/.ssh/authorized_keys aside to disable ssh key root logins
after the first login

In this scenario, the 'ubuntu' account should be safe (ie, you can't
'su' into it from another account or login via ssh with a password), and
this gets the spirit of the Ubuntu non-root user back: specifically
normal access is non-root and there is a log audit trail for privileged
operations.

Jamie

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/mailman/private/ec2/attachments/20090112/b0cb5b6e/attachment-0002.pgp