On 02/12/14 07:28 AM, Tristan Santore wrote:
> I would just like to make sure, that new users are aware of what we are
> doing. We already have password quality controls and warnings in
> anaconda. If we go along the path of root user+password and then the
> need for a user login first to then sudo or su to root, I think we
> should dump a warning or notification in anaconda. Further, this does
> not appear to address the issue of remote installs via vnc/spice. I am
> not sure about the latest VNC and Spice, but do they now encrypt traffic?
> I never looked into VNC changes in Tigervnc again, but I am aware it
> supports extensions to that effect. Are these default though in
> anaconda's VNC implementation, does it throw people out if they do not
> use encryption or does it allow non-secure fallback?

More to the point, who cares in that situation, many cloud providers use the VNC terminal to provide "console" access which is then provided via HTTPS to the end user (so the only unencrypted part is from your VM to the host server, in other words if an attacker can sniff that they own the box).

I, along with many cloud people, would be highly annoyed to have the root account disabled by default. But the times are a changing so maybe it's not such a terrible thing.

> Just a few thoughts on my part.
>
> Regards,
>
> Tristan
>

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security