As was described in the previous blog post, one can easily increase the flexibility of Debian preseeding. It might be worth visiting that post before reading this one, to have the context.
With numbered late commands in place, it is e.g. possible to install an authorized_keys file for the primary user. The host-specific preseed file doing that could typically include something along the lines of the example following this paragraph. As can be seen, the login keys are expected to be placed on the pxeserver. A real setup might possibly deploy them through some other means.
d-i preseed/include string common.txt \
scripting-flexibility.txt \
debian/11-bullseye.txt \
auth/sudo-ssh.txt
# Fetch the user's keys into the target, then install them; the ';' separates
# the wget from the in-target call (without it, "in-target sudo ..." would be
# passed to wget as further URLs). ~/.ssh does not exist yet on a fresh user,
# so it is created first.
d-i preseed/numbered_late_command_20 string wget -O \
/target/tmp/authorized_keys http://pxeserver./files/authorized_keys ; \
in-target sudo -u `debconf-get passwd/username` sh -c \
"cd; mkdir -p -m 700 .ssh; cp /tmp/authorized_keys .ssh/ ; chmod 600 .ssh/authorized_keys"
d-i pkgsel/include string libpam-ssh-agent-auth
One can then place something like the block below as auth/sudo-ssh.txt, and passwords become a thing of the past, as those same keys get copied to also be used for sudoing. Note how including scripting-flexibility.txt enables the use of numbered late commands in two separate files, in a way which late_command by itself would not permit.
d-i preseed/numbered_late_command_90 string in-target \
cp /home/`debconf-get passwd/username`/.ssh/authorized_keys /etc/security/authorized_keys
d-i preseed/numbered_late_command_91 string mv /target/etc/pam.d/sudo \
/target/etc/pam.d/sudo.d-i_default
d-i preseed/numbered_late_command_92 string for S in '#%PAM-1.0' \
'' \
'auth [success=2 default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys' \
'@include common-auth' \
'@include common-account' \
'' \
'session required pam_permit.so' \
'session required pam_limits.so'; \
do echo "$S" >> /target/etc/pam.d/sudo ; done
d-i preseed/numbered_late_command_93 string \
echo 'Defaults env_keep += "SSH_AUTH_SOCK"' > \
/target/etc/sudoers.d/00-ssh-auth-sock ; \
chmod 440 /target/etc/sudoers.d/00-ssh-auth-sock
To clarify, the snippet above makes sudo authenticate users with their ssh keys, via the forwarded ssh agent. Please do make sure the libpam-ssh-agent-auth package gets installed, and that the keys are available when numbered_late_command_90 runs. Otherwise becoming root might become a bit tricky.
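As an added check, not part of the original post or of any of the files above, the function below inspects a target root for exactly those pieces the late commands are supposed to leave behind, so it can be run (e.g. as a last numbered late command, or from a rescue shell) before trusting sudo on the new host. It assumes the file layout from the snippets above; the root directory and the username are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Usage:
#   check_sudo_ssh /target "$(debconf-get passwd/username)"
# Prints one FAIL line per missing piece and returns 1 if anything is wrong.
check_sudo_ssh() {
    root="${1:-/target}"; user="$2"; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # 1. libpam-ssh-agent-auth (pkgsel/include) must really have been installed.
    find "$root/lib" "$root/usr/lib" -name pam_ssh_agent_auth.so 2>/dev/null | grep -q . \
        || fail "pam_ssh_agent_auth.so not found under $root (libpam-ssh-agent-auth missing?)"

    # 2. The key file that late command 20 places for the primary user.
    ukeys="$root/home/$user/.ssh/authorized_keys"
    grep -qsE '^(ssh-|ecdsa-|sk-)' "$ukeys" || fail "$ukeys missing or contains no public key"
    [ "$(stat -c %a "$ukeys" 2>/dev/null)" = 600 ] || fail "$ukeys should be mode 600"

    # 3. The copy made by late command 90, which is what pam_ssh_agent_auth reads.
    skeys="$root/etc/security/authorized_keys"
    [ -s "$skeys" ] && cmp -s "$ukeys" "$skeys" || fail "$skeys missing or differs from $ukeys"

    # 4. PAM stack from late command 92: the agent module must precede common-auth,
    #    otherwise the password prompt is reached before the key is ever tried.
    pam="$root/etc/pam.d/sudo"
    agent=$(grep -n 'pam_ssh_agent_auth.so.*file=/etc/security/authorized_keys' "$pam" 2>/dev/null | cut -d: -f1 | head -n1)
    common=$(grep -n '@include common-auth' "$pam" 2>/dev/null | cut -d: -f1 | head -n1)
    if [ -z "$agent" ]; then fail "$pam has no pam_ssh_agent_auth line"
    elif [ -n "$common" ] && [ "$agent" -gt "$common" ]; then fail "$pam: agent auth listed after common-auth"
    fi

    # 5. sudoers drop-in from late command 93: without SSH_AUTH_SOCK in the
    #    environment the module cannot talk to the agent at all.
    drop="$root/etc/sudoers.d/00-ssh-auth-sock"
    grep -qs 'env_keep += "SSH_AUTH_SOCK"' "$drop" || fail "$drop does not keep SSH_AUTH_SOCK"
    [ "$(stat -c %a "$drop" 2>/dev/null)" = 440 ] || fail "$drop should be mode 440"
    return $rc
}
```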