When installing software on a remote server: Is it possible to let the admin (i.e. the user that installs the software) define admin username and password via a HTML page, in a secure manner?
Clarification: When one installs e.g. WordPress, parts of the installation scripts accept input via a web page see this example — and notice the password input fields (the image is from this WordPress page).
However, if the installation is done remotely (for example, if you install WordPress on an AWS EC2 virtual host), then I think that by default anyone would be able to access the installation script web page. An evil user could access it before the actual admin, and define username + password and thus hijack the remote server for a short while. (The evil user could be a bot that scans the internet for half-finished WordPress installations.)
Accepting input via a HTML page, when remote-installing software, seems inherently unsafe. But it's fairly user friendly. Is there no way to do it in a secure manner?
Some unconclusive thoughts on the question:
One workaround would be to block the HTTP(S) port in the firewall (on the remote server), and access the installation web page via a SSH tunnel. However this seems like an almost user-hostile installation requirement.
Another workaround would be to have any shell script parts of the installation script print a randomly generated password that the person that accesses the installation web page would have to specify. This seems somewhat more user friendly.
Perhaps the best solution is to have the admin define his/her username and password via the Bash shell? (I.e. over SSH, not via a web page). However then what if the admin wants to login as admin via OpenID, e.g. Gmail? (Gmail is very secure if you enable 2-step verification.) That cannot easily be handled via a Bash script...
Perhaps the best method would be to let any shell script part of the installation print a URL that includes the server address, plus a magic one-time password — then the-person-that-does-the-installation would only need to copy the URL and paste it into a browser. And then the installation could proceed from within the browser.