On Wednesday 03 December 2014 09:07:09 Kurt Seifried wrote:
> On 02/12/14 07:28 AM, Tristan Santore wrote:
> > I would just like to make sure, that new users are aware of what we are
> > doing. We already have password quality controls and warnings in
> > anaconda. If we go along the path of root user+password and then the
> > need for a user login first to then sudo or su to root, I think we
> > should dump a warning or notification in anaconda. Further, this does
> > not appear to address the issue of remote installs via vnc/spice. I am
> > not sure about the latest VNC and Spice, but do they now encrypt traffic?
> > I never looked into VNC changes in Tigervnc again, but I am aware it
> > supports extensions to that effect. Are these default though in
> > anaconda's VNC implementation, does it throw people out if they do not
> > use encryption or does it allow non-secure fallback?
>
> More to the point, who cares in that situation, many cloud providers use
> the VNC terminal to provide "console" access which is then provided via
> HTTPS to the end user (so the only unencrypted part is from your VM to
> the host server, in other words if an attacker can sniff that they own
> the box).
>
> I, along with many cloud people, would be highly annoyed to have the
> root account disabled by default. But the times are a changing so maybe
> it's not such a terrible thing.

Well, as long as the cloud provider allows you to set up SSH keys and
automatically installs them on any host you provision, I'd say it makes the
configuration easier to manage and safer: *better* in all ways.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic