Re: Another Fedora decision

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 4 February 2015 at 02:17, James B. Byrne <byrnejb@xxxxxxxxxxxxx> wrote:
> I think it well to recall that the change which instigated this
> tempest was not to the network operations of a RHEL based system but
> to the 'INSTALLER' process, Anaconda.  Now, I might be off base on
> this but really, ask yourself: Who exactly uses an installer program?
> And what is the threat model being addressed by requiring that the
> installer set a suitably strong password for root?  For what purpose?
> Because RHEL sets the sshd on and allows root access over ssh via
> password by default?  Then is not the correct approach to disable that
> access instead?

Good points.

Consider a user who installs RHEL with a poor root password and
reboots while connected to the internet.  At that point they are
potentially vulnerable.  How long will it take for them to get around
to improving the password?  Probably a long time, unless they are
security conscious, in which case they probably would have opted for a
strong password from the start.

Not allowing root ssh access immediately after an install is a much
bigger imposition.  You would have to insist that there was a second
user on the system with a strong password.  I think that is a good
idea too, by the way.

Requiring a strong root password really is a small imposition, unless
you are doing a lot of manual installs and in which case you should
look into automation.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux