Re: able to login as root via ssh :-(


The issue if I recall correctly was that if you did a network install
there was no user account initially that could be used to log into the
remote system once the initial install had completed.  So the admin
needed access as the root user to do the initial setup.  That should
include creating a user account. Once that user account is created the
admin would use that account, disable root access, and use su or sudo to
admin the box after first logging in as that user.

It is a matter of getting the base level OS in place and having a
relatively secure box in the process that will allow the admin to get
access and apply patches and install required packages.

This issue only applies to those admins that perform network installs
and don't access the main console (headless systems) during the install
process. Could probably be considered a corner case but I think enough
people do this that disabling root access to ssh by default would cause
a major outcry.

On some OSes, remote installation is a standard practice.

IIRC, the typical technique for remote installing involved dropping out of the install script to the installer's mini shell and editing appropriate stuff before rebooting. This kind of remote install does require someone with physical access to the box to do something like insert the install CD and power up, of course. 8-|

My memory may be glossing over something here. It's been a few months since I monitored those MLs.

Anyway, RH/FC doesn't forget the root password set during install when you boot the first time in current versions, so if you choose an initial root password that is sufficiently hard (12 or more random characters is still pretty good at this point) it should survive port knocking long enough to ssh in, edit configs appropriately, and restart whatever services might need restarting (in the worst case of having to install from net without a firewall in the router).

I should note that the assumptions which led to advising against logging in as root are no longer considered as valid as they once were.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
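
The "disable root access" step discussed in the thread can be verified after the first login. The script below is an added example, not part of the original message: it reports the global PermitRootLogin value of an sshd_config-style file, taking into account that sshd keeps the first value it reads for a keyword. The function names and the sample files are hypothetical, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post). Reports the global
# PermitRootLogin setting of an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PermitRootLogin no" does not override an earlier "yes".
# Assumptions: Include files are not followed; everything from the first
# Match line onward is conditional and is ignored here.
permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                 # strip leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blanks
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "match" { exit }                # end of the global section
        key == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }      # compiled-in default applies
    ' "$1"
}

# Exit status 0 only when root login over ssh is explicitly disabled.
root_ssh_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (hypothetical files in a temp directory).
samples=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
    > "$samples/hardened"
printf '%s\n' 'permitrootlogin yes' 'PermitRootLogin no' \
    > "$samples/shadowed"        # first value wins: still "yes"
printf '%s\n' 'Port 22' 'Match Address 10.0.0.0/8' '  PermitRootLogin no' \
    > "$samples/match_only"      # only set conditionally

for f in hardened shadowed match_only; do
    if root_ssh_disabled "$samples/$f"; then
        verdict="root ssh disabled"
    else
        verdict="root ssh NOT disabled globally"
    fi
    printf '%-11s PermitRootLogin=%-6s %s\n' \
        "$f" "$(permit_root_login "$samples/$f")" "$verdict"
done
```

On a live system, `sshd -T` run as root prints the configuration the daemon actually resolves, including the compiled-in default when the keyword is unset.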