One other idea:
We simply do this by default for all cloud images, without a timeout - if no cloud-init
metadata is provided, you can log in to the hypervisor console and see an autogenerated
root password.
I'd say we should also ensure that *remote* ssh access is disabled in this scenario -
if you want to log in over ssh, you'd need to change the password and enable remote
ssh password auth (cloud-init disables it by default).
It'd be a notable policy change, but in practice I think quite secure - if you have
access to the hypervisor console you tend to have total control over a system anyways.
And we're only talking about cloud images, not bare metal.