Autologin policy for cloud platform consoles #114

Closed
bgilbert opened this issue Jan 16, 2019 · 4 comments
Labels
cloud* related to public/private clouds kind/design

Comments

@bgilbert
Contributor

Some cloud platforms (Azure, DigitalOcean, GCP, Packet) allow authenticated access to a VM's serial or VGA console for debugging purposes. Most Fedora CoreOS machines will not enable password-based login, so the console will generally only be useful for obtaining log messages.

For convenience of debugging, we could enable automatic login on the console on these platforms. Implications:

  • We'd be trusting the security of the clouds' control planes, in a really obvious way.
  • It assumes that the clouds' ACL mechanisms will not surprise users. On clouds that configure a VM with the SSH keys of multiple users (GCP and Packet, at least), users should already be familiar with these mechanisms.
  • It assumes that users with a certain level of access to the VM (for example, SSH access) should also have serial console access.

Container Linux on Packet enables autologin by default. (Packet's provisioner generally sets a unique root password on every system, which is then exposed via the Packet API; this approach is an alternative.) On other cloud platforms, Container Linux disables autologin by default.

I'd tend to favor not enabling autologin by default, but thought it was worth bringing up.

@bgilbert bgilbert added meeting topics for meetings kind/design cloud* related to public/private clouds labels Jan 16, 2019
@dustymabe
Member

> I'd tend to favor not enabling autologin by default, but thought it was worth bringing up.

Same here. We enable autologin when developing by using coreos-assembler run, but I don't think that's something we should do in the cloud by default.

Maybe we could implement it but not enabled by default and make it configurable by the user somehow?

@bgilbert
Contributor Author

Discussed in the meeting last week. No one spoke in favor of autologin by default.

> Maybe we could implement it but not enabled by default and make it configurable by the user somehow?

Discussion in #112.

@bgilbert
Contributor Author

Okay, let's not enable autologin by default on any platforms. I'll PR the design doc.

@bgilbert
Contributor Author

PR in #132.
