On Tue, Jul 28, 2015 at 10:52:02AM -0600, Chris Murphy wrote: > > Oh! An alternative which avoids any file parsing or writing: add an > > "ssh-access" or similar group, configure default sshd_config with > > "AllowGroups ssh-access". (Could be a Workstation-only sshd_config.) > Maybe. Elsewhere I read that AllowUsers overrides AllowGroups. So as > soon as you have AllowUsers chris, it basically ignores AllowGroups > and only allows chris. But that's goofy if true. I think both goofy and true, but also not necessarily a problem - in fact, maybe actually it's exactly what we want, since it's a sort of "fail-secure" - it means that if someone wants to restrict to just certain users manually, they won't be surprised by AllowGroups overriding it. (I guess the remote-login switch code could _warn_ if this is detected in an existing config file. Or even just warn if the config file is not default.) > But my gut instinct is that sharing services UI should only be about > configuring those services. Whether I want them available or not on > certain networks is a function of my relative trust of the network I'm > connected to, and hence that's a heuristically automagically managed > firewalld thing. So I'd actually pull out the Networks UI out of each > of these rather than add it to Remote Login. I don't want to see such > configuration choices in two UIs. The Workstation WG people here seem to prefer the other way - this over configuring the relative trust per-network. Someone correct me if I'm wrong. :) -- Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> Fedora Project Leader -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop
