On Thu, 2015-01-08 at 08:48 -0500, Chuck Anderson wrote:
> On Thu, Jan 08, 2015 at 08:43:48AM -0500, Stephen Gallagher wrote:
> > Can we clarify something here? Is this a request to change the defaults
> > globally for all Products/nonproduct installs?
> >
> > I would argue that it could be sensible to do this for Workstation and
> > non-product installs, but not for Server and Cloud.
> >
> > In the Server case, nearly every deployment is headless. Disabling root
> > login to ssh by default would mean that many people would have no way to
> > get into the system at all. (Yes, we could force the creation of a
> > non-root user at install time, but this user would by necessity be an
> > administrator capable of becoming root via sudo, so the distinction
> > is... fuzzy). The only other approach I could see for the headless
> > servers would be mandating the enrollment in an identity domain at
> > installation time (such as to FreeIPA or Active Directory).
>
> Having a non-root account with sudo is already more secure because the
> attacker would have to guess the username in addition to the password.
>

That's a perfect example of "security through obscurity". You are making
the false assumption that just because the username isn't 'root', it is
somehow difficult to identify. I'll grant you, this will make it harder
for a simple automated script-kiddie to get in, but it won't hamper a
targeted attack very much.

> > Neither of those approaches is anything like ideal, so I would argue
> > that Server should continue to operate with the SSH root login being
> > available by default, but perhaps add documentation to the install guide
> > recommending to disable it if other accounts are available; perhaps even
> > by adding a simple kickstart directive (but no UI element) to accomplish
> > this.
>
> I disagree. I think requiring a non-root account w/Admin to be
> created is the best way to go.

That is functionally equivalent to a root account. Once the user has the
password, they will just use 'sudo' with that same password. The battle
has been lost. The *only* change that this effects is to add some
guesswork to the username.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct