Don't default to invalid usernames: Compute Engine broken out-of-the-box on brand new account
My Google Account e-mail address is mail@<MyCustomDomain>.com. It's the primary e-mail address I use for anything involving creating an account at a web site.
It appears that by default, Compute Engine will attempt to ssh to an instance using the e-mail address I logged in with, minus the domain. In this case, it tries to log in with username "mail". On an Ubuntu 14.04 image, "mail" is a pre-existing account with its shell set to the "nologin" program.
You can imagine my frustration as a totally new Compute Engine user, following the interactive "getting started" tutorial, leaving everything at defaults, only to find that the first step where you SSH to the back-end was broken with no obvious explanation why ("This account is currently not available" - on a brand new instance? WHY?). I had to search & search & finally I stumbled upon the above link, and then I realized that if it was logging in as "mail" there could be a potential problem.
Suggestion to fix this obvious problem: Have a blacklist of usernames that are common default usernames on your various OS images - e.g. mail, news, www-data, and so on. If somebody signs in with a Google account that has one of these blacklisted usernames, DON'T use it as default username. Instead, mangle the username like e.g. "mail_user" or something like that.
Thanks for the note, we’ll take a look. Our initial thought is that it would be difficult to determine the best set of accounts to configure such a “special” behavior for, and that doing so would be perhaps just as confusing the other way for some users. It seems like your normal behavior is a little bit out of the ordinary of what most OSes are expecting, so we’re also a little surprised that you don’t have this issue outside GCP as well.
James Johnston commented
Hi Paul - thanks for taking a look at this.
1. Perhaps start by taking a look at the default users on the most popular images you have?
2. I'd think the least confusing option is to log in with a normal user account that doesn't collide with one already in the image. Or at least provide some kind of warning to the user.
3. I don't have this issue outside of GCP because I normally set up a Linux system with a username other than "mail", obviously. It's this pattern of automatically deriving a username from my e-mail that causes problems, and is a process not generally applicable to the installation of an OS.
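The collision check suggested in this thread, as an added example that is not part of the original posts and is not Compute Engine's code: instead of a fixed blacklist, it reads the image's own account list and mangles a derived username that is already taken. The passwd sample is constructed, and `derive_username`, `parse_passwd` and the `_user` suffix are hypothetical names chosen for illustration.

```python
import re

# Constructed sample of /etc/passwd entries resembling a stock Ubuntu image.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map each account name to its login shell (7th passwd field)."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            accounts[fields[0]] = fields[6]
    return accounts


def derive_username(email, accounts, suffix="_user"):
    """Return (username, warning) for the local part of an e-mail address."""
    local = email.split("@", 1)[0].lower()
    # Keep only characters valid in a conservative Linux username.
    name = re.sub(r"[^a-z0-9_-]", "_", local)
    if not re.match(r"[a-z_]", name):
        name = "_" + name
    name = name[:32]
    if name not in accounts:
        return name, None
    shell = accounts[name]
    kind = "non-login system" if shell in NON_LOGIN_SHELLS else "existing"
    candidate, n = name[: 32 - len(suffix)] + suffix, 1
    while candidate in accounts:  # keep mangling until the name is free
        n += 1
        candidate = f"{name[: 32 - len(suffix) - len(str(n))]}{suffix}{n}"
    return candidate, f"'{name}' collides with {kind} account (shell {shell})"
```

The warning string covers the "at least provide some kind of warning" option from the comment, and the same check also catches a derived name that matches an account with a working shell, such as "root".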