authorlandry <landry@openbsd.org>2017-02-12 08:56:17 +0000
committerlandry <landry@openbsd.org>2017-02-12 08:56:17 +0000
commit9fb9ac07d307af9405b98f24010b43440f1b24b4 (patch)
tree6d69a8b52b6a954282894398845d465ff2df7d8c
parentSplit up fork1(): (diff)
downloadwireguard-openbsd-9fb9ac07d307af9405b98f24010b43440f1b24b4.tar.xz
wireguard-openbsd-9fb9ac07d307af9405b98f24010b43440f1b24b4.zip
As it's done in /etc/skel for new regular users, create an empty
/root/.ssh/authorized_keys file with correct permissions (0600 for the file, 0700 for /root/.ssh dir). Since we encourage administrators to use public keys only if they want to access root account via ssh, might as well make it easier, this will be particularly useful in managed/provisioned environments (think ansible & others). Note that administrators might get an e-mail from security(8) if the file suddenly appears after an update - this is of course expected :) ok tb@ sthen@ rpe@ ajacoutot@
-rw-r--r--etc/Makefile4
-rw-r--r--etc/mtree/4.4BSD.dist4
2 files changed, 6 insertions, 2 deletions
diff --git a/etc/Makefile b/etc/Makefile
index 9b0e2efbb08..f8cd0a5f51f 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.449 2017/02/02 21:35:05 rpe Exp $
+# $OpenBSD: Makefile,v 1.450 2017/02/12 08:56:17 landry Exp $
.include <bsd.own.mk>
@@ -110,6 +110,8 @@ distribution-etc-root-var: distrib-dirs
${DESTDIR}/root/.Xdefaults; \
${INSTALL} -c -o root -g wheel -m 644 dot.cvsrc \
${DESTDIR}/root/.cvsrc; \
+ ${INSTALL} -c -o root -g wheel -m 600 /dev/null \
+ ${DESTDIR}/root/.ssh/authorized_keys; \
rm -f ${DESTDIR}/.cshrc ${DESTDIR}/.profile; \
${INSTALL} -c -o root -g wheel -m 644 dot.cshrc \
${DESTDIR}/.cshrc; \
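Review bot: The added `${INSTALL} -c -o root -g wheel -m 600 /dev/null ${DESTDIR}/root/.ssh/authorized_keys` writes an empty file unconditionally, so if this recipe ever runs against a DESTDIR that already holds root's keys they are replaced without warning; unlike the neighbouring dotfiles, this file is credential data. The recipe is one backslash-continued shell command that starts and ends outside the hunk, so whether anything earlier guards against an empty or live DESTDIR cannot be seen from here. I would make the step conditional by putting `test -e ${DESTDIR}/root/.ssh/authorized_keys || \` in front of the `${INSTALL}` line, or at least add a comment above the target such as `# authorized_keys is installed empty; an existing file in DESTDIR is overwritten`. The install also depends on `distrib-dirs` having created `/root/.ssh` first, which the mtree change in this commit provides.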
diff --git a/etc/mtree/4.4BSD.dist b/etc/mtree/4.4BSD.dist
index c562685755b..1507cf9fefe 100644
--- a/etc/mtree/4.4BSD.dist
+++ b/etc/mtree/4.4BSD.dist
@@ -1,4 +1,4 @@
-# $OpenBSD: 4.4BSD.dist,v 1.293 2016/12/27 09:17:52 jca Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.294 2017/02/12 08:56:17 landry Exp $
/set type=dir uname=root gname=wheel mode=0755
@@ -118,6 +118,8 @@ home
mnt
..
root mode=0700
+ .ssh uname=root mode=0700
+ ..
..
sbin
..
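Review bot: `uname=root` on the new `.ssh` entry looks redundant, because the `root mode=0700` line directly above carries no owner, which suggests the `/set ... uname=root gname=wheel` default from the top of the file still applies here (the lines in between are outside the hunk, so this is inferred). For consistency with the parent entry I would write `.ssh mode=0700`. If the explicit owner is deliberate, a short comment would make that clear, e.g. `# owner stated explicitly: sshd checks ownership and mode of ~/.ssh`.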