Am 17.12.2014 um 17:05 schrieb P J P:
On Tuesday, 16 December 2014 10:57 PM, Simo Sorce wrote: The thing need to be done during install, my servers boot unattended.No the key-word here is "easily", which is misguided. It is not *easy* to have to jump through hoops to get a KVM/spice connection to log in through the console to then go and change an option. It is not easy and it is not automatable, so you break a ton of deployment/qa/automation scripts people rely on.Sure, I agree. I'm not sure how these VM images are created and deployed, but there must be some way to handle such cases, ex -> https://lists.fedoraproject.org/pipermail/devel/2014-November/204663.html As said before, intention is not to break things too rough and bother users. But to make things secure while keeping them usable. If they are not usable, what good is that security?
Anaconda should just ask for sshd yes/no with defaults to no and in that case not enable the service at all
* forcing me to create a non-root user is a nogo there are machines where you never connect except for admin tasks * "PermitRootLogin no" is idiotic in any case because the safe setting "PermitRootLogin without-password" exists and enforces a private key while there is no public key without generate and install it * well, and you need a first time root login with password to import such a key and then disable password loginhence just don't enable the service on each and every machine and ask the user if he needs a ssh server at install time - i know, in times where it's not popular to ask a user for anything not likely to happen
what will not work is magically guess the users intention and provide secure defaults at the same time, not now and not in the future
*ask users* and default to *no* because if someone say "yes" by intention it's his own responsibility to secure it
and *do not* touch existing configurations, never, in no contexti have seen networks going down because stupid named-maintainers decided to mangle "named.conf" by add dnssec options unasked with regular yum updates
Attachment:
signature.asc
Description: OpenPGP digital signature
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security