Do we allow passwords

Pet vs cattle

Let's stop modifying sshd_config

Different cloud providers have different policies for managing users and password
AWS launches image and checks it. If there is root password allowed, image is kicked out

Possibly similar for GCE

Default passwords - big problem for cloned users

By default Debian we have allowed ssh by password

Should we deviate from Debian default? (e.g. ssh configuration?)
TODO: jimmy will submit bug for ssh config

We deviate a bit from Debian; not just for the sake of it, but because we have specialized case

WE need to have feedback from cloud providers

AWS
PermitRootLoging - no
password login (for any user) - definitely not, in any case

GCE
no-password = true

Bots trying to ssh using password (thousands for hour)

Azure
Supports passwords, because API supports password
API - if user passes password, it enables passwords
No default user
If user passes key, it sets key and disables password authentication
root is disabled

Digital Oceal
If user demands password, (s)he gets password (by email currently)
If user sets key, password is disabled

root - disabled entirely
password ssh - also disabled


We modify config file - we're responsible

TODO - let's put on wiki which files we modified and why
So users know what changed

Console access - we'd need to have password login
And tty* in /etc


Ask: debconf setting to disable password login
Have wiki that we modify this setting

Jessie - root is password-less