This is a highly theoretical and experimental mitigation which stops the root password on newly upgraded/installed systems from being an empty string. The thinking is that by not shipping an operating system with a known root password, certain classes of attacks involving logging into the root account might be avoided. I would like some feedback from the cryptography team as well as NIST finalists in order to better ascertain the implications of this behaviour.
Index: src/distrib/miniroot/install.sub =================================================================== RCS file: /cvs/src/distrib/miniroot/install.sub,v retrieving revision 1.1032 diff -u -p -r1.1032 install.sub --- src/distrib/miniroot/install.sub 8 Aug 2017 07:14:05 -0000 1.1032 +++ src/distrib/miniroot/install.sub 28 Nov 2017 23:43:56 -0000 @@ -2732,12 +2732,6 @@ do_install() { echo + while :; do + ask_password "Password for root account?" + _rootpass="$_password" + [[ -n "$_password" ]] && break + echo "The root password must be set." + done # Ask for the root user public ssh key during autoinstall. _rootkey=
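Review bot: The hunk header `@@ -2732,12 +2732,6 @@` in do_install() says 12 old lines become 6, meaning six lines are removed, yet the six password-loop lines carry `+` markers, so the diff is internally inconsistent and will not apply as posted. The direction matters: as an addition the loop enforces a non-empty root password, as the description says, while with the header's counts the same loop is deleted and an empty password is accepted. Please regenerate the diff so the counts and markers agree (for an addition the header would read -2732,6 +2732,12). Also, the loop's only exit is `[[ -n "$_password" ]] && break`, and the next comment mentions autoinstall, so please state how an unattended install that supplies an empty answer is expected to terminate.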