random-archer / mkinitcpio-systemd-tool

Provisioning tool for systemd in initramfs (systemd-tool)
https://www.archlinux.org/packages/community/any/mkinitcpio-systemd-tool/

Re-enable root login via password #29

Closed fredleb closed 4 years ago

fredleb commented 4 years ago

"root" login via password should be disabled by default on production systems for security reasons.

In the case of a headless system whose rootfs is password encrypted, for example using LVM on LUKS, the user will need to log in via SSH to give the LUKS password in order to resume the boot sequence. Since opening a LUKS container requires "root" privileges, the user will have to get these one way or another. Logging in directly as "root" using keys is then a good option.

Keys however come with their own constraints and challenges (think: management) and in the case of a system for which you will still have to give a password to unlock the LUKS container, they might be overkill. In that corner case, logging in as "root" with a password (enabled ONLY for the initramfs) becomes an acceptable solution.

fredleb commented 4 years ago

This is a work in progress as this should scare a lot of people, for good reasons.

I would like to make it optional but I have no idea what strategy to follow... a hook? a switch in /etc/mkinitcpio.conf?

Maybe my whole thinking is wrong too.

Any idea welcome.

And congrats: it's a life-saver project.

Andrei-Pozolotin commented 4 years ago

  1. thank you for the idea

  2. how about converting it to a function do_root_login_enable in https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/initrd-build.sh

  3. such that it can be used via user's explicit config entry, similar to do_tinysshd_keys: https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/initrd-tinysshd.service

    # ensure tinyssh keys are based on openssh keys
    InitrdBuild=/etc/systemd/system/initrd-build.sh command=do_tinysshd_keys

fredleb commented 4 years ago

Cool. On it.

fredleb commented 4 years ago

OK done and tested. I have to put the call to do_root_login_enable after do_secret_clean so I could not find a better place than initrd-shell.service. Anything else I can improve? Are you happy with the names, comments, etc?
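
An added example, not part of this thread or of the project's code: a check that the policy discussed above holds, meaning root password login stays locked on the host while a root password may be set inside the initramfs. It assumes you have a shadow(5)-format file from the host and one from an unpacked initramfs image; the function names and sample entries are hypothetical, and it inspects shadow entries only, not sshd configuration.

```shell
#!/bin/sh
# Added example: audit root's shadow(5) entry on the host and in an unpacked initramfs.

# Print the state of root's password field: missing, empty, locked or password.
root_shadow_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          state = "empty"     # no password required at all
            else if ($2 ~ /^[!*]/) state = "locked"    # password login impossible
            else                   state = "password"  # a hash is set
            exit
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# audit_root_login HOST_SHADOW INITRD_SHADOW
# Returns 0 if the policy from the thread holds, 1 if the host still accepts a
# root password, 2 if either file lets root in with no password.
audit_root_login() {
    host=$(root_shadow_state "$1")
    initrd=$(root_shadow_state "$2")
    echo "host=$host initramfs=$initrd"
    if [ "$host" = empty ] || [ "$initrd" = empty ]; then return 2; fi
    if [ "$host" = password ]; then return 1; fi
    return 0
}

# Constructed sample files (not real hashes), written to the directory given as $1.
make_samples() {
    printf '%s\n' 'root:!:18000::::::' 'alice:$6$constructed$hash:18000:0:99999:7:::' > "$1/host.shadow"
    printf '%s\n' 'root:$6$constructed$hash:18000::::::' > "$1/initrd.shadow"
    printf '%s\n' 'root::18000::::::' > "$1/empty.shadow"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_root_login "$demo_dir/host.shadow" "$demo_dir/initrd.shadow" || echo "policy violation: $?"
rm -rf "$demo_dir"
```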