Michel Alexandre Salim wrote:
- do we want to allow any /local/ %wheel users to log in?
This seems fine to me.
- or do we want to use a recovery passphrase of some sort?
I'm not sure what you mean here. When a passphrase is called a recovery
passphrase, it's usually because authentication is normally done
some other way. For example, if you normally log in by inserting some
kind of hardware token, then you may want a recovery passphrase to use
in case the hardware token is broken or lost.
As long as users normally log in with a passphrase, I see no need to
have a separate passphrase for rescue mode. Root's or a wheel user's
usual passphrase should be fine.
For F36 - I agree that it's better to *not* have a rescue mode
broken one. How about this as an end state we can realistically achieve:
- if the root password is set, rescue mode should appear in the GRUB
- if the root password is not set
- rescue mode should not be listed
- if someone tries to invoke it, it should display an error rather
than prompting for a non-existent password
This looks sane.
If there is a separate boot entry for the rescue mode, then maybe Grub
could be programmed to require a passphrase before it will boot that