Re: About sshd(8) remote root login feature & Anaconda UI support


 



    Hello Brian,

> On Friday, 16 January 2015 1:38 AM, Brian C. Lane wrote:
> Switching root to key only really doesn't help much. All that does is
> move the attack to the user account (assuming they are in wheel).
> Disabling password login for all accounts is what would make it secure.

    Agreed. Though IMO we cannot directly jump to that default,
when hardly any users know and use ssh keys for authentication.
Introducing it first for the 'root' account is a reasonable step
forward, which in future would evolve into key authentication for
all accounts.

> But the problem with that is that there is no good way to get the
> authorized key onto the system if they do need to login via ssh. You can
> now do this in kickstart using the new sshkey command.

    I see. Is it possible to have UI support for this command? (Not sure if it is.)

> A possible alternative is:
> 1. Stronger root password. We really should switch from a minimum length
> of 6 to 8 anyway.

    I think that should be for all accounts, not just 'root'. But as others
have expressed, it'd be bothersome when one has to type it repeatedly.

> 2. Don't allow weak root passwords at all. Remove the double done click
> to bypass it. This will annoy me while installing vms repeatedly, but it
> is an improvement while still allowing remote access.
> 
> 3. And maybe drop root login completely and move to user+strong pw+wheel

    I think this would prove more intrusive at this stage. IMO gradual, step
by step change is better than drastically shifting the norm.


> I don't like the idea of switching options in the background based on
> what combination of users, checkboxes, etc. have been set. That's going
> to end up confusing people or leaving the setup in an unexpected state.

    I understand. However, at this early stage, it may not be a very bad idea.
Today we only need to inform users that password based authentication for
'root' account is not available and that they need to use keys and/or non-root
accounts, as preferred. They need to get used to the idea of keys first.

    Maybe the sshd(8) daemon could also return an error message saying password
authentication for the 'root' account is prohibited when a user attempts to
connect as 'root'. (Just a thought.)

Thank you.
---
Regards
   -Prasad
http://feedmug.com
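
The three postures weighed in this thread (root password login allowed, root restricted to keys while other accounts keep passwords, passwords disabled for every account) can be told apart from the global section of an sshd_config. The following is an added example, not part of the original message and not Anaconda or OpenSSH code; the function names, posture labels, sample configs and the defaults assumed for absent keywords are all illustrative assumptions.

```python
# Assumption: values sshd falls back to when a keyword is absent. Adjust
# these to the OpenSSH version actually deployed.
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

# Constructed sample configs (not taken from any real system).
ROOT_KEY_ONLY = """\
# root restricted to keys, other accounts still use passwords
PermitRootLogin without-password
PasswordAuthentication yes
"""
ALL_KEYS = """\
PermitRootLogin without-password
PasswordAuthentication no
"""


def effective_settings(config_text):
    """Return the effective global values; sshd keeps the first value seen."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace or by '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "match":
            break  # conditional overrides are out of scope for this check
        seen.setdefault(keyword, value)
    return {k: seen.get(k, d).lower() for k, d in ASSUMED_DEFAULTS.items()}


def classify(config_text):
    """Map a config to one of the three postures discussed in the thread."""
    s = effective_settings(config_text)
    if s["passwordauthentication"] == "no":
        return "keys-only-all-accounts"
    if s["permitrootlogin"] == "yes":
        return "root-password-exposed"
    # Root is key-only or disabled, but passwords still work for users, so
    # password guessing shifts to ordinary (possibly wheel) accounts.
    return "password-guessing-moves-to-user-accounts"


if __name__ == "__main__":
    for name, cfg in (("root key only", ROOT_KEY_ONLY), ("all keys", ALL_KEYS)):
        print(name, "->", classify(cfg))
```

Keyboard-interactive authentication through PAM can still accept passwords and is not examined by this check.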
