Is your feature request related to a problem? Please describe.
By default, cloud-init creates the provisioning-user with the first available uid value higher than the SYS_UID_MAX value declared in /etc/login.defs. Further, this account (rightly) gets created with no password-aging attributes. Security scanners treat this as an interactive user and will alert on any tests around password-aging.
Describe the solution you'd like
Have default-user created with a uid value less than the SYS_UID_MAX value declared in /etc/login.defs.
Describe alternatives you've considered
Could force password-aging attributes onto account, but that will risk the "break glass" use-case for the account once expiry has been reached.
Could also use the uid parameter to hard-code a uid value less than the SYS_UID_MAX value declared in /etc/login.defs, but don't know if that could create other problems, later, for applications using the resultant AMI.
Additional context
cloud-init provides the system: true attribute that results in creating a user with a uid value less than the SYS_UID_MAX value declared in /etc/login.defs. However, such users get created with no ${HOME} which means no ability to create a ${HOME}/.ssh/authorized_keys file. While cloud-init also provides the notional ability to override this behavior by explicitly declaring the no_create_home parameter and setting its value to false, trying to use this as an override-attempt seems to be ignored.
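
The scanner behavior described in this request, sketched as an added example (not part of the original issue and not cloud-init code). It assumes the scanner treats any account with a uid above SYS_UID_MAX as interactive and flags it when its maximum password age is unset or above a policy limit; the account name `provision`, the 365-day limit and all file contents are constructed.

```python
# Constructed samples standing in for /etc/login.defs, /etc/passwd, /etc/shadow.
LOGIN_DEFS = """\
UID_MIN          1000
SYS_UID_MIN       201
SYS_UID_MAX       999   # system accounts end here
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
provision:x:1000:1000:Cloud User:/home/provision:/bin/bash
"""
SHADOW = """\
root:*:19000:0:99999:7:::
chrony:!!:19000::::::
provision:!!:19000:0:99999:7:::
"""

def parse_login_defs(text):
    """Return the numeric settings from login.defs, ignoring comments."""
    values = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[1].isdigit():
            values[parts[0]] = int(parts[1])
    return values

def aging_findings(login_defs, passwd, shadow, max_days_limit=365):
    """List (name, uid, max_days) for accounts the assumed check would flag."""
    sys_uid_max = parse_login_defs(login_defs).get("SYS_UID_MAX", 999)
    max_days = {}
    for line in filter(str.strip, shadow.splitlines()):
        fields = line.split(":")
        # Field 5 of shadow is the maximum password age; empty means none set.
        max_days[fields[0]] = int(fields[4]) if fields[4] else None
    findings = []
    for line in filter(str.strip, passwd.splitlines()):
        name, _, uid = line.split(":")[:3]
        if int(uid) <= sys_uid_max:
            continue  # system account: outside the password-aging tests
        limit = max_days.get(name)
        if limit is None or limit > max_days_limit:
            findings.append((name, int(uid), limit))
    return findings

if __name__ == "__main__":
    print("default uid:", aging_findings(LOGIN_DEFS, PASSWD, SHADOW))
    # Same account with a uid below SYS_UID_MAX, as the request proposes.
    low = PASSWD.replace("provision:x:1000:1000", "provision:x:900:900")
    print("uid 900:    ", aging_findings(LOGIN_DEFS, low, SHADOW))
```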