Hello Brian,

> On Friday, 16 January 2015 1:38 AM, Brian C. Lane wrote:
> Switching root to key only really doesn't help much. All that does is
> move the attack to the user account (assuming they are in wheel).
> Disabling password login for all accounts is what would make it secure.

Agreed. Though IMO we can not directly jump to that default, when hardly few users know and use ssh keys for authentication. Introducing it first for the 'root' account is a reasonable step forward, which in future would evolve into key authentication for all accounts.

> But the problem with that is that there is no good way to get the
> authorized key onto the system if they do need to login via ssh. You can
> now do this in kickstart using the new sshkey command.

I see. Is it possible to have UI support for this command? (not sure if it is)

> A possible alternative is:
> 1. Stronger root password. We really should switch from a minimum length
> of 6 to 8 anyway.

I think that should be for all accounts, not just 'root'. But as others have expressed, it'd be bothersome when one has to type it repeatedly.

> 2. Don't allow weak root passwords at all. Remove the double done click
> to bypass it. This will annoy me while installing vms repeatedly, but it
> is an improvement while still allowing remote access.
>
> 3. And maybe drop root login completely and move to user+strong pw+wheel

I think this would prove more intrusive at this stage. IMO gradual, step by step change is better than drastically shifting the norm.

> I don't like the idea of switching options in the background based on
> what combination of users, checkboxes, etc. have been set. That's going
> to end up confusing people or leaving the setup in an unexpected state.

I understand. However, at this early stage, it may not be a very bad idea.
Today we only need to inform users that password based authentication for 'root' account is not available and that they need to use keys and/or non-root accounts, as preferred. They need to get used to the idea of keys first. Maybe sshd(8) daemon could also return an error message saying password authentication for 'root' account is prohibited, when user attempts to connect as 'root'. (just a thought)

Thank you.
---
Regards
   -Prasad
http://feedmug.com

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list