Improve handling of default root password on new autoinstalls

Currently we create new autoinstalls with an empty root password, and only allow logins via the console server (which is Kerberos-acl'd). There are some potential improvements here, both in terms of UI -- discouraging people from using the console server -- and security -- we've had a security vulnerability in the past with the console server. Here are some approaches that come to mind:

1) Add a password field to the autoinstall creation form. Then we can automatically set up SSH, and recommend SSH in normal operation from the moment you start using the VM, and the console only as an emergency thing.

Potential downsides include browsers storing the password (which I think there's an HTML option to disable) and people using their Athena password (but we can kinit with it and yell at them if it works).

2) Acquire all the Kerberos keytabs for host/xvm-nnn.mit.edu, and set up Kerberized ssh by default with the appropriate .k5login copied from consolefs. This too allows us to recommend SSH from the beginning. Disable the root password, and tell people they're encouraged to set a root password of their choosing to make the emergency console useful.

Potential downsides include needing a Kerberized ssh client and tickets (but this is just bootstrapping, if you want to set a password you can), needing to store and keep up with a few hundred credentials, and the solution being extremely Athena-specific and probably not directly deployable outside XVM.

3) Generate a random root password and show it to the user on the website, and require them to change it the first time they log in using the appropriate option in /etc/shadow.

Potential downsides include the password being visible (given that it can only be used once, it's probably fine) and users changing the random password to a bad one. We could also just not require users to change it.

Thoughts? Other possibilities?