On Tue, Oct 05, 2021 at 06:55:19PM +0100, Phil Endecott wrote:
> What is the recommended way to permit login on the AWS serial
> console? I hesitate to try to work it out by trial and error,
> since a mistake could either leave me unable to log in at all
> or leave the instance insecure.
It looks like you need to configure access to the AWS serial console, so you can use Amazon's IAM policies to control which users have access to the serial console, which is off by default:

    Access to the serial console is not available by default. Your
    organization must grant account access to the serial console and
    configure IAM policies to grant your users access to the serial
    console. Serial console access can be controlled at a granular
    level by using instance IDs, resource tags, and other IAM levers.

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html

(FWIW this is true for Google Cloud as well.)

So it's unlikely you will leave the instance insecure, unless there are some pretty serious IAM policy mistakes (or AWS keys being checked into public github repos, etc.), in which case you may have much larger issues. :-)

If you are willing to rely solely on the cloud provider's serial console access policies, you can eliminate the need to type the root password via something like this:

    # -a root: agetty logs in "root" automatically on the serial console
    # -f: passed through to login(1) so it skips the password prompt
    # (unit name recovered from the address-obfuscated text of the original mail)
    sed -i -e '/ExecStart/s/agetty/agetty -a root/' \
           -e '/ExecStart/s/-p/-p -f/' \
           /lib/systemd/system/serial-getty@.service

Since this is independent of how you can login to the instance via ssh, you can experiment with this without worrying too much about screwing anything up. And of course, if you do this on a test instance, if something does go wrong, there's nothing precious on it, so you can just kill it and try again.

Cheers,

- Ted
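As an added example (not part of Ted's reply or of any AWS or systemd code), the script below runs the same two sed substitutions against a scratch copy of a serial-getty unit file and then checks the resulting ExecStart line, so the edit can be inspected before it is applied to the real /lib/systemd/system/serial-getty@.service on a test instance. The unit contents are constructed from the stock systemd template and are an assumption; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail: rehearse the agetty autologin
# edit on a throwaway copy of the unit file and verify what it produced.

# Write a constructed copy of serial-getty@.service (based on the stock
# systemd template; assumption) into a temp dir and print its path.
make_sample_unit() {
    dir=$(mktemp -d)
    unit="$dir/serial-getty@.service"
    cat > "$unit" <<'EOF'
[Unit]
Description=Serial Getty on %I

[Service]
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM
Type=idle
Restart=always
EOF
    printf '%s\n' "$unit"
}

# Apply exactly the two substitutions from the post, but to the file in $1:
#   -a root  makes agetty log in root without prompting
#   -f       is passed on to login(1) so it skips the password check
# Only sensible when the cloud provider's IAM policy is the real gate.
enable_serial_autologin() {
    sed -i -e '/ExecStart/s/agetty/agetty -a root/' \
           -e '/ExecStart/s/-p/-p -f/' "$1"
}

# Print the ExecStart line of unit file $1 so the change can be reviewed.
exec_start_line() {
    grep '^ExecStart=' "$1"
}

# Return 0 only if both flags landed where agetty will see them.
verify_autologin() {
    line=$(exec_start_line "$1")
    case "$line" in
        *"agetty -a root"*"-p -f"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: edit the scratch copy and show the resulting line.
u=$(make_sample_unit)
enable_serial_autologin "$u"
exec_start_line "$u"
verify_autologin "$u" && echo "autologin flags present"
```

Running it prints the edited ExecStart line, which should now read `agetty -a root -o '-p -f -- \\u'`; if the distribution's unit file uses a different ExecStart shape, the case pattern in verify_autologin fails and that is the cue to adjust the sed before touching the real unit.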
