In Debian trixie, both the following upstream patches seem to have been
included:
https://github.com/systemd/systemd/commit/
fecbce1fc654076a2fc0922e6d36e5300ea04cdf
https://github.com/systemd/systemd/commit/33eb44fe4a8d7971b5614bc4c2d90f8d91cce66c
As a result, the emergency shell functionality can be restored either
persistently (while the system is still running normally) or as the
problem requiring rescue-mode/emergency mode access is encountered.
When RedHat/Fedora added the possibility to install with a locked root
account, they had the same issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1763160
Since then, they released documentation on the workarounds, and the same
solutions should apply to Debian too.
(In other words, security by obscurity is not going to work: the
information below is already out in public, although nominally for
different distributions.)
----------
To pre-emptively configure rescue.service to allow local console access
with the documented ways even if the root account is locked:
Run "systemctl edit rescue.service" to create a systemd override file
/etc/systemd/system/rescue.service.d/override.conf.
You'll need to type in the following two lines:
[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
Save the resulting file.
This should work in any version that has the upstream systemd package
from 2018-Oct-17 or later.
Doing the same for emergency mode seems to require adding some
configuration to the initramfs generator, and I don't have a ready
answer at this point. However, see below.
-----------
If the system is falling to emergency mode (or you're using boot options
to force it there) and displaying the message:
Cannot open access to console, the root account is locked.
See sulogin(8) to continue.
Then the easiest workaround is to add "SYSTEMD_SULOGIN_FORCE=1" to the
kernel command line. This should work with upstream systemd version from
2023-May-13 or later, so in Debian this will probably mean trixie and
later only.
-----------
If you want to secure your system against unauthorized console access:
Configure your bootloader to disallow specifying arbitrary kernel boot
options without at least password authentication. If you cannot allow
root logins from the local console, this should not be news to you, as
the boot-time configurability of GRUB and kernel boot options already
allows all kinds of mayhem in unauthorized hands, and someone with
access to the local console will probably be able to also arrange a
power interruption if determined enough.
