On Thu, Oct 6, 2016 at 8:07 AM, Jon Stanley jonstanley@gmail.com wrote:
I think there's one, and it's really quite simple and elegant I think.
First, we remove (or make very non-obvious) the ability to set a root password in the Anaconda GUI, and force the creation of an administrative user. Then to further bootstrap the machine, you MUST login with that user and use sudo. Ansible natively supports this (using 'become') and Cockpit also supports login by such a user.
What about adding a "paste public key" screen to the Anaconda GUI? Looks like there's already a --sshkey option for kickstart: https://bugzilla.redhat.com/show_bug.cgi?id=1274104 (though I haven't tried it myself).