Re: able to login as root via ssh :-(


 



On Tue, 2006-08-08 at 14:18 -0500, Les Mikesell wrote:

> > > Non-root users are created during firstboot, not during the install.  If
> > > you aren't there to go through the firstboot process, you can't create any
> > > users other than via root.
> > > 
> > > I don't recall off the top of my head what kickstart lets you do with
> > > respect to user creation.  It is conceivable that using kickstart to do a
> > > PXE install will leave a headless machine with no way to access it except
> > > via a root ssh session.
> > 
> > Well, kickstart and/or the interactive install could tie you in to
> > various network directories like NIS or something LDAP based to give you
> > non-root users...
> > 
> > But, of course, kickstart could add a user in a myriad of ways to the
> > local passwd/shadow/group files during the %post section like:
> > useradd -p encryptedpassword username
> 
> I'm not quite sure I see the point of this unless it is a
> checkbox item in someone's theoretical 'best practices' list.
> How much of an install can you do as someone other than root?

The issue if I recall correctly was that if you did a network install
there was no user account initially that could be used to log into the
remote system once the initial install had completed.  So the admin
needed access as the root user to do the initial setup.  That should
include creating a user account.  Once that user account is created the
admin would use that account, disable root access, and use su or sudo to
admin the box after first logging in as that user.  

It is a matter of getting the base level OS in place and having a
relatively secure box in the process that will allow the admin to get
access and apply patches and install required packages.  

This issue only applies to those admins that perform network installs
and don't access the main console (headless systems) during the install
process.  Could probably be considered a corner case but I think enough
people do this that disabling root access to ssh by default would cause
a major outcry.


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
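
The sequence described in this message (log in as root once, create a user, then disable root access over ssh and use su or sudo) carries a lockout risk on a headless box. The following is an added example, not code from any poster in the thread: it refuses to set `PermitRootLogin no` unless a non-root admin account exists. The function names are hypothetical, and treating `wheel` as the admin group is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; "wheel" as the admin
# group is an assumption. File paths are arguments so it can run on copies.

# Print wheel members that have a non-zero UID and a usable login shell.
admin_users() {  # admin_users GROUP_FILE PASSWD_FILE
    members=$(awk -F: '$1 == "wheel" { gsub(",", " ", $4); print $4 }' "$1")
    for u in $members; do
        awk -F: -v u="$u" \
            '$1 == u && $3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$2"
    done
}

# Set "PermitRootLogin no", but only if someone else can still get in.
disable_root_ssh() {  # disable_root_ssh SSHD_CONFIG GROUP_FILE PASSWD_FILE
    if [ -z "$(admin_users "$2" "$3")" ]; then
        echo "refusing: no non-root wheel member with a login shell" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    {
        # sshd uses the first value it reads for a keyword, so the new
        # line goes first and active PermitRootLogin lines are dropped.
        echo "PermitRootLogin no"
        grep -viE '^[[:space:]]*PermitRootLogin([[:space:]]|$)' "$1" || true
    } > "$tmp"
    # Write through the existing file to keep its owner, mode and context.
    cat "$tmp" > "$1" && rm -f "$tmp"
}
```

Validate the edited file with `sshd -t` and confirm the new account can log in and reach root through su or sudo before reloading sshd and closing the root session.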