2014-04-02 20:12 GMT+02:00 Simo Sorce <simo@xxxxxxxxxx>:
> On Wed, 2014-04-02 at 09:12 -0700, quickbooks office wrote:
> > [CHANGE PROPOSAL] The securetty file is empty by default
> >
> > All the info has been sitting here @
> > https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default
>
> I often install machines with root only as my users are all in my
> FreeIPA/LDAP server and I expect to be able to login as root on the
> console for maintenance purposes.
>
> This change makes it very hard to do necessary maintenance. I can
> understand blocking SSH login as root with password by default, but I do
> not understand what is the point of blocking console login as root.

In larger organizations there is a legitimate need to be able to attribute every action as "root" to a specific individual, which is easiest to do by requiring a login from a non-root account to establish the session, and then tracking actions done by that session. OTOH this all works reliably enough only with a non-default auditing setup, so restricting root logins by default is alone not at all sufficient.

> Please explain the logic of blocking console logins but allowing SSH
> logins, it is completely backwards.

Of the various problems with the proposal[1], this one seems the easiest to fix :)
Mirek
[1] I'm not listing them here; I'd much rather have the Change officially announced and have the official comment period, instead of starting a tradition of pre-announcements.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct