On Tue, 16 Dec 2014 17:21:00 +0000 (UTC)
P J P <pj.pandit@xxxxxxxxxxx> wrote:

> > On Tuesday, 16 December 2014 9:10 PM, Kurt Seifried wrote:
> > Good point, this totally breaks anyone not using local
> > authentication, I think based on that this feature change really
> > needs to be blocked.
> >
> >
> > On 16/12/14 08:14 AM, Dennis Gilmore wrote:
> >> I think it is a really bad idea, it will break many things for me
> >> personally and I am sure others also. This is because I set a root
> >> password at install time but do not create a user, I then ssh to
> >> the box and join it to my ipa domain for user authentication. I
> >> will now be unable to do so.
> >
> >
> >
> > On Tuesday, 16 December 2014 9:19 PM, Simo Sorce wrote:
> > As said before this is not ok, it must be conditional to whether or
> > not a user has been created during the install.
>
> Sure, idea is to make it conditional and not break things too rough.
> In that, during the boot process the user could be prompted to create
> a non-root account, to which he/she can choose not to create one, in
> which case they would be warned about/against it.

The thing needs to be done during install, my servers boot unattended.

> > After all, only power-users should use SSH so you could as well
> > propose we do not even start sshd by default. But we do, because it
> > is used, so breaking it is not a good idea.
>
> Exactly! All the use cases above and similar others are typical
> power user's ones, who can easily re-enable remote root login as and
> when required.

No, the key-word here is "easily", which is misguided.
It is not *easy* to have to jump through hoops to get a KVM/spice
connection to log in through the console to then go and change an
option. It is not easy and it is not automatable, so you break a ton of
deployment/qa/automation scripts people rely on.

Unless you properly account for this I do not think you really have
consensus here.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security