Re: About sshd(8) PermitRootLogin=no

On 17.12.2014 at 17:05, P J P wrote:
On Tuesday, 16 December 2014 10:57 PM, Simo Sorce wrote:
The thing needs to be done during install, my servers boot unattended.

No, the key-word here is "easily", which is misguided.
It is not *easy* to have to jump through hoops to get a KVM/spice
connection to log in through the console to then go and change an
option.

It is not easy and it is not automatable, so you break a ton of
deployment/qa/automation scripts people rely on.

Sure, I agree. I'm not sure how these VM images are created and deployed,
but there must be some way to handle such cases,

ex -> https://lists.fedoraproject.org/pipermail/devel/2014-November/204663.html

As said before, intention is not to break things too rough and bother users.
But to make things secure while keeping them usable. If they are not usable,
what good is that security?

Anaconda should just ask for sshd yes/no with defaults to no and in that case not enable the service at all

* forcing me to create a non-root user is a nogo
  there are machines where you never connect except for admin tasks

* "PermitRootLogin no" is idiotic in any case because the safe setting
  "PermitRootLogin without-password" exists and enforces a private key
  while there is no public key without generating and installing it

* well, and you need a first time root login with password to
  import such a key and then disable password login

hence just don't enable the service on each and every machine and ask the user if he needs an ssh server at install time - i know, in times where it's not popular to ask a user for anything, not likely to happen

what will not work is magically guessing the user's intention and providing secure defaults at the same time, not now and not in the future

*ask users* and default to *no* because if someone says "yes" by intention it's his own responsibility to secure it

and *do not* touch existing configurations, never, in no context

i have seen networks going down because stupid named-maintainers decided to mangle "named.conf" by adding dnssec options unasked with regular yum updates

Attachment: signature.asc
Description: OpenPGP digital signature

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
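
The message above contrasts "PermitRootLogin no" with "PermitRootLogin without-password". As an added example that is not part of the original post, this Python check reports which root login methods a given sshd_config permits. The function names, the sample configuration and the default parameter are assumptions of this example; Include files and Match conditions are not evaluated.

```python
import re

# Added example. Assumptions: Include files are not followed, Match blocks
# are reported but not evaluated, keyboard-interactive/PAM is not considered.
ALIASES = {"without-password": "prohibit-password"}  # deprecated alias
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

# Constructed sample: sshd uses the first value it sees for a keyword,
# so the second PermitRootLogin line has no effect.
SAMPLE = """\
PermitRootLogin without-password
PermitRootLogin yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return (global options, [(match criteria, key, value), ...])."""
    global_opts, in_match, current_match = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # comment and blank lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current_match = value
        elif current_match is not None:
            in_match.append((current_match, key, value))
        else:
            global_opts.setdefault(key, value)  # first occurrence wins
    return global_opts, in_match


def root_login_methods(text, default="prohibit-password"):
    """default: what sshd assumes when the keyword is absent (upstream value
    since OpenSSH 7.0; pass "yes" for older releases)."""
    opts, in_match = parse_sshd_config(text)
    prl = opts.get("permitrootlogin", default)
    prl = ALIASES.get(prl, prl)
    password_auth = opts.get("passwordauthentication", "yes") == "yes"
    pubkey_auth = opts.get("pubkeyauthentication", "yes") == "yes"
    return {
        "permitrootlogin": prl,
        "root_password": prl == "yes" and password_auth,
        "root_pubkey": prl in ("yes", "prohibit-password",
                               "forced-commands-only") and pubkey_auth,
        "match_overrides": [(c, v) for c, k, v in in_match
                            if k == "permitrootlogin"],
    }
```

On a live host, sshd -T prints the effective configuration as sshd itself computes it and is the authoritative check.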
