Hi, I have some thoughts that I would like to discuss with you about network-console:
First is a (quite paranoid) security consideration: Let's say that some user wants to install Debian remotely in his working environment. He starts the installation in front of the computer, sets a password that happens to be his daily-use one. He then does the remaining steps remotely. Then, an untrustworthy colleague goes to the computer, and just reads /var/lib/cdebconf/questions.dat: the installer's password is there, in plain, clear text. So, I think we should remove this password from the debconf database as soon as it is written to /etc/shadow.

Second is quite the opposite: I would like to have a debconf boolean to display the password in the network-console/start note. The reason behind this is that, on some devices, with a display and no usable input, we can display network-console/start (and were already doing so). On such devices, the password is set by a preseed file, so showing it should be helpful to the user. I don't think there are strong security issues there, since somebody who has access to the screen probably has physical access to the device too. Making it a debconf boolean defaulting to false (and probably never displayed to the user?) should make it not be a security problem outside of the scope of the few devices with such preseeding.

Best regards,
Thibaut Girka.
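A check for the cleanup proposed in the first point, as an added example that is not part of the original message or of debian-installer: it lists password-type questions that still hold a value in the database. The stanza layout, the split of question types (templates.dat) from answers (questions.dat), the network-console/password question name and all sample data are assumptions constructed for illustration.

```python
# Added example: audit a cdebconf-style text database for leftover passwords.
# Assumption: records are blank-line separated "Field: value" stanzas, the
# question type lives in templates.dat and the answer in questions.dat.

def parse_stanzas(text):
    """Split RFC822-style text into a list of {field: value} dicts."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:   # continuation line
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                name, _, value = line.partition(":")
                last = name.strip()
                fields[last] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def leftover_passwords(templates_text, questions_text):
    """Return names of password-type questions that still carry a value."""
    password_templates = {t["Name"] for t in parse_stanzas(templates_text)
                          if "Name" in t and t.get("Type") == "password"}
    return sorted(q["Name"] for q in parse_stanzas(questions_text)
                  if "Name" in q
                  and q.get("Template") in password_templates
                  and q.get("Value"))

# Constructed sample data (not taken from a real installation).
TEMPLATES = """Name: network-console/password
Type: password
Description: Remote installation password:

Name: network-console/start
Type: note
Description: Start SSH
"""
QUESTIONS_BEFORE = """Name: network-console/password
Template: network-console/password
Value: constructed-secret
Owners: network-console

Name: network-console/start
Template: network-console/start
Owners: network-console
"""
# Same database once the value has been blanked after /etc/shadow is written.
QUESTIONS_AFTER = QUESTIONS_BEFORE.replace("constructed-secret", "")

if __name__ == "__main__":
    print(leftover_passwords(TEMPLATES, QUESTIONS_BEFORE))
```

An empty result after the password has been written to /etc/shadow is the state the proposal asks for.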