On Tue, 2006-08-08 at 14:18 -0500, Les Mikesell wrote:
> > > Non-root users are created during firstboot, not during the install. If
> > > you aren't there to go through the firstboot process, you can't create any
> > > users other than via root.
> > >
> > > I don't recall off the top of my head what kickstart lets you do with
> > > respect to user creation. It is conceivable that using kickstart to do a
> > > PXE install will leave a headless machine with no way to access it except
> > > via a root ssh session.
> >
> > Well, kickstart and/or the interactive install could tie you in to
> > various network directories like NIS or something LDAP based to give you
> > non-root users...
> >
> > But, of course, kickstart could add a user in a myriad of ways to the
> > local passwd/shadow/group files during the %post section like:
> > useradd -p encryptedpassword username
>
> I'm not quite sure I see the point of this unless it is a
> checkbox item in someone's theoretical 'best practices' list.
> How much of an install can you do as someone other than root?

The issue, if I recall correctly, was that if you did a network install there was no user account initially that could be used to log into the remote system once the initial install had completed. So the admin needed access as the root user to do the initial setup. That should include creating a user account. Once that user account is created, the admin would use that account, disable root access, and use su or sudo to admin the box after first logging in as that user.

It is a matter of getting the base level OS in place and having a relatively secure box in the process that will allow the admin to get access and apply patches and install required packages.

This issue only applies to those admins that perform network installs and don't access the main console (headless systems) during the install process.
Could probably be considered a corner case but I think enough people do this that disabling root access to ssh by default would cause a major outcry.
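
The sequence discussed in this message (create a non-root account, then disable root ssh access) can be scripted so a headless box is not locked out. This is an added example, not code from the thread; the function names, the "admin" user and the hash placeholder are assumptions, and the check covers password logins only, not ssh keys.

```shell
# Added example for a kickstart %post script; "admin" and the hash are placeholders.

# account_can_log_in USER [SHADOW_FILE]
# Succeeds only if USER has a password field that is neither empty
# (sshd rejects empty passwords by default) nor locked (leading ! or *).
account_can_log_in() {
    user=$1 shadow=${2:-/etc/shadow}
    pw=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    case $pw in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# set_permit_root_login FILE VALUE
# Rewrite every active PermitRootLogin line (keyword is case-insensitive).
# If none is active, add one at the top so it is global and read first.
set_permit_root_login() {
    cfg=$1 val=$2 tmp="$1.tmp.$$"
    [ -f "$cfg" ] || return 1
    awk -v val="$val" '
        tolower($1) == "permitrootlogin" { print "PermitRootLogin " val; next }
        { print }' "$cfg" > "$tmp" || return 1
    if ! grep -q '^PermitRootLogin ' "$tmp"; then
        { printf 'PermitRootLogin %s\n' "$val"; cat "$cfg"; } > "$tmp"
    fi
    # Write back in place so the file keeps its owner, mode and SELinux context.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# lock_down_root_ssh USER SSHD_CONFIG [SHADOW_FILE]
# Disable root ssh logins only when USER is able to log in instead.
lock_down_root_ssh() {
    if account_can_log_in "$1" "${3:-/etc/shadow}"; then
        set_permit_root_login "$2" no
    else
        echo "refusing to disable root ssh: $1 has no usable password" >&2
        return 1
    fi
}

# Intended use inside %post:
#   useradd -m -G wheel -p 'ENCRYPTED_HASH_PLACEHOLDER' admin
#   lock_down_root_ssh admin /etc/ssh/sshd_config
```
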