The issue if I recall correctly was that if you did a network install
there was no user account initially that could be used to log into the
remote system once the initial install had completed. So the admin
needed access as the root user to do the initial setup. That should
include creating a user account. Once that user account is created the
admin would use that account, disable root access, and use su or sudo
to admin the box after first logging in as that user.
It is a matter of getting the base level OS in place and having a
relatively secure box in the process that will allow the admin to get
access and apply patches and install required packages.
This issue only applies to those admins that perform network installs
and don't access the main console (headless systems) during the install
process. Could probably be considered a corner case but I think enough
people do this that disabling root access to ssh by default would cause
a major outcry.
On some OSes, remote installation is a standard practice.
IIRC, the typical technique for remote installing involved dropping
out of the install script to the installer's mini shell and editing
appropriate stuff before rebooting. This kind of remote install does
require someone with physical access to the box to do something like
insert the install CD and power up, of course. 8-|
My memory may be glossing over something here. It's been a few months
since I monitored those MLs.
Anyway, RH/FC doesn't forget the root password set during install
when you boot the first time in current versions, so if you choose an
initial root password that is sufficiently hard (12 or more random
characters is still pretty good at this point) it should survive port
knocking long enough to ssh in, edit configs appropriately, and
restart whatever services might need restarting (in the worst case of
having to install from net without a firewall in the router).
I should note that the assumptions which led to advising against
logging in as root are no longer considered as valid as they once were.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list