On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit <i.grok@xxxxxxxxxxx> wrote:
> On Tue, Nov 25, 2014 at 09:56:59AM -0500, Simo Sorce wrote:
>> On Sat, 22 Nov 2014 08:24:32 +0000 (UTC) P J P wrote:
>> > > On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote:
>> > >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote:
>> > >> The latter. We have to install authorized_keys inside the VM
>> > >> anyway, so we can touch sshd_config, too.
>> > >
>> > > Virt-builder has a new '--ssh-inject' feature (in F22 only).
>> > >
>> > > $ virt-builder fedora-20 --ssh-inject root
>> > >
>> > > would inject your current ssh key into the root account of the new
>> > > VM. There are other variations, including ways to create a non-root
>> > > user account, see:
>> > >
>> > > http://libguestfs.org/virt-builder.1.html
>> >
>> > Excellent! :)
>> >
>> > So far the consensus seems that it is okay to reverse the current
>> > default and set PermitRootLogin=no. I'll talk to the upstream
>> > maintainer - plautrba (https://fedoraproject.org/wiki/User:Plautrba).
>> >
>> > Thank you.
>>
>> We can install machines w/o user accounts, removing the ability to log
>> in as root via ssh means those machines will not be accessible.
>>
>> If you want to remove root access that should be conditionally done at
>> firstboot only if a user account was created.
>
> It seems to me that we could tweak this somewhat: "only if a user
> account was created OR remote users have been configured"

And in months that start with the letter "q", but not odd numbered
weekdays, and if I ate a tuna fish sandwich for lunch, but not if I'm
wearing white socks, and only on alternate years with a prime number,
etc., etc., etc.

Look, this is a basic system configuration. It's not "Cripple Mr.
Onion". Pick *one* setting, and let people know from that whether
they'll need to manipulate their local environments for their
particular subtle needs.

And for those who don't read Terry Pratchett stories, http://discworld.wikia.com/wiki/Cripple_Mr_Onion