Is your feature request related to a problem? Please describe.
By default, `cloud-init` creates the provisioning-user with the first available `uid` value higher than the `SYS_UID_MAX` value declared in `/etc/login.defs`. Further, this account (rightly) gets created with no password-aging attributes. Security scanners treat this as an interactive user and will alert on any tests around password-aging.
Describe the solution you'd like
Have default-user created with a `uid` value less than the `SYS_UID_MAX` value declared in `/etc/login.defs`.
Describe alternatives you've considered
Could force password-aging attributes onto account, but that will risk the "break glass" use-case for the account once expiry has been reached.
Could also use the `uid` parameter to hard-code a `uid` value less than the `SYS_UID_MAX` value declared in `/etc/login.defs`, but don't know if that could create other problems, later, for applications using the resultant AMI.
Additional context
`cloud-init` provides the `system: true` attribute that results in creating a user with a `uid` value less than the `SYS_UID_MAX` value declared in `/etc/login.defs`. However, such users get created with no `${HOME}`, which means no ability to create a `${HOME}/.ssh/authorized_keys` file. While `cloud-init` also provides the notional ability to override this behavior by explicitly declaring the `no_create_home` parameter and setting its value to `false`, trying to use this as an override-attempt seems to be ignored.
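For anyone reproducing the scanner finding described above before and after changing the provisioning user's `uid`, here is a small audit helper. It is an added example, not cloud-init's code and not part of this issue as filed: it reads `SYS_UID_MAX` from a `login.defs` file (assumed to default to 999 when the key is absent), then lists every account whose `uid` is above that limit and whose shadow entry has no maximum password age (shadow field 5 empty), which is the combination a password-aging test flags. The `login.defs`, `passwd` and `shadow` files it runs against are constructed samples written to a temp directory, so it runs offline; point the two functions at the real files to audit a built image.

```shell
#!/bin/sh
# Added audit helper (not cloud-init code): replicates the scanner logic the
# report describes. It reads SYS_UID_MAX from a login.defs file, then lists
# accounts whose uid is above it (so the scanner treats them as interactive)
# and whose shadow entry carries no maximum password age (field 5 empty).
# All input files below are constructed samples, not real system files.

# Print SYS_UID_MAX from the given login.defs (assumed default 999 if unset).
sys_uid_max() {
    max=$(awk '$1 == "SYS_UID_MAX" { print $2 }' "$1")
    echo "${max:-999}"
}

# Print "user:uid" for every account in passwd ($1) with uid > $3 and no
# max-days value in shadow ($2). Only these trip the password-aging test.
unaged_interactive_users() {
    passwd=$1 shadow=$2 limit=$3
    awk -F: -v limit="$limit" '
        NR == FNR { maxdays[$1] = $5; next }            # first file: shadow
        $3 + 0 > limit && maxdays[$1] == "" { print $1 ":" $3 }
    ' "$shadow" "$passwd"
}

# Constructed sample files standing in for /etc/login.defs, /etc/passwd and
# /etc/shadow on a cloud-init provisioned host.
TMP=$(mktemp -d)
cat > "$TMP/login.defs" <<'EOF'
UID_MIN     1000
SYS_UID_MIN  201
SYS_UID_MAX  999
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
ec2-user:x:1000:1000:Cloud User:/home/ec2-user:/bin/bash
appadmin:x:1001:1001::/home/appadmin:/bin/bash
EOF
cat > "$TMP/shadow" <<'EOF'
root:*:19000:0:99999:7:::
chrony:!!:19000::::::
ec2-user:!!:19000::::::
appadmin:$6$placeholder:19000:1:90:7:::
EOF

# Stand-alone run: ec2-user is the only finding (chrony sits below
# SYS_UID_MAX, appadmin has a 90-day maximum age, root is uid 0).
limit=$(sys_uid_max "$TMP/login.defs")
unaged_interactive_users "$TMP/passwd" "$TMP/shadow" "$limit"
```

Re-run the same check after building an image with the provisioning user's `uid` placed below `SYS_UID_MAX`: the account then drops out of the list without any password-aging attributes having been forced onto it, which is the outcome the request is after.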