Comment 7 for bug 1324545

Alkis Georgopoulos (alkisg) wrote :

> You miss the root password as far as I can see?

On purpose; many people set a root password for local troubleshooting on vt1.

> If there is no clear use case for having it on the thin client, it's probably ok to just keep it excluded.

It's the same as in sshd; if those files are there in a chroot and --cleanup isn't used, that means that the sysadmin probably wants them *included*. For example, if the epoptes certificate is there, the sysadmin probably wants to run epoptes from a fat client.

> remove root/.* (public key authentication does not work without .ssh/authorized_keys)

I think by default we should omit the root's private configuration files, shouldn't we? To protect people using `ltsp-chroot`... It's not just about ssh but about all apps that save sensitive data...
Let me also throw in the idea of introducing "SSH_AUTHORIZED_KEY_nn" lts.conf variables, and having a /usr/share/ltsp/init-ltsp.d/50-ssh-authorized-keys script put them in /root/.ssh/authorized_keys. That way you can even give different people root access to different clients.

Which of the following options sounds saner to you guys?
1) Use a different ltsp-update-image--cleanup.excludes file when --cleanup is used.
2) Use an additional ltsp-update-image--cleanup.excludes file when --cleanup is used.
3) [proposed] Remove from ltsp-update-image.excludes the lines we've talked about, and re-implement them as --cleanup scripts.
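
The SSH_AUTHORIZED_KEY_nn idea floated in the comment above, sketched as an added example; it is not part of the original comment and not LTSP code. It assumes the lts.conf variables are already exported into the script's environment; the function names are hypothetical, and accepting only bare public keys (no options prefix) is a choice made for this example.

```shell
#!/bin/sh
# Added example: what a 50-ssh-authorized-keys init script could do.
# Assumption: lts.conf values are present as environment variables.

# Names of all SSH_AUTHORIZED_KEY_nn variables, sorted.
list_key_vars() {
    env | sed -n 's/^\(SSH_AUTHORIZED_KEY_[0-9][0-9]*\)=.*/\1/p' | sort
}

# Accept exactly one line: "<type> <base64> [comment]".
# Lines starting with options (command=, from=, ...) are rejected here.
valid_key() {
    case $1 in
        *'
'*) return 1 ;;   # an embedded newline would smuggle in extra entries
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ].*)?$'
}

# Write the valid keys to <home>/.ssh/authorized_keys (default /root).
install_authorized_keys() {
    home=${1:-/root}
    keys=
    for name in $(list_key_vars); do
        # $name matched SSH_AUTHORIZED_KEY_<digits> above, so eval is safe.
        eval "val=\${$name}"
        if valid_key "$val"; then
            keys="${keys}${val}
"
        else
            echo "skipping $name: not a single public key line" >&2
        fi
    done
    [ -n "$keys" ] || return 0          # nothing configured: touch nothing
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    tmp=$(mktemp "$home/.ssh/authorized_keys.XXXXXX") || return 1
    printf '%s' "$keys" >"$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$home/.ssh/authorized_keys"   # replace in one step
}

# An init script would end with:
# install_authorized_keys /root
```

Because the keys come from lts.conf per client, the resulting file exists only at boot time on the client and never needs to be stored in the chroot image.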