Re: F22 System Wide Change: Set sshd(8) PermitRootLogin=no

On 8 January 2015 at 11:52, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
> > > The only other approach I could see for the headless
> > > servers would be mandating the enrollment in an identity domain at
> > > installation time (such as to FreeIPA or Active Directory).
> >
> > And in this scenario we should absolutely disable PermitRootLogin.
>
> So that if you have issues with the connector, you have to reboot the
> machine and be physically present to fix anything.
>
> Not really a grand plan IMO.

Earlier in the discussions I was told that this is not really an issue: in production, about every server with remote access also has a KVM.
    Mirek

I would say that whoever told you that was being way too optimistic.

Just in Fedoraproject's 150 servers we have run into quite a few common issues.

0) Every KVM requires Java. Some only work with java-1.4 or java-1.5 or java6 or.. And the current Fedora version isn't supported. Java implementation has quirks which sometimes repeat keys, skip keys, drop keys, etc. Easy to figure out in regular commands, impossible with hidden root passwords. Java implementation does not accept pasting from clipboard. Passwords longer than 8 characters end up being multiple attempts.
1) System has KVM. KVM has decided not to work with client for some reason. [bad connector, the KVM is taking a smoke break and will work after it has been physically rebooted, etc]
2) System does not allow for KVM. It is serial only... repeat the above two problems we run into with KVM, just replace with serial.
3) System is not connected to any KVM but uses off-line management (drac, asm, imm, etc). Repeat 0/1 for those.

In most of the cases, we end up requiring someone to go to the system physically and do some initial work if we run into any of 0-3. Of course that works great if you have a physical server. We virtualize most of our servers which ends up with even more weird problems of trying to get working.

This isn't just Fedora's systems.. I know of large clusters of boxes where they have a 'monkey tender' whose job is pretty much going around all day doing this for some system somewhere because KVM works 99% of the time and when you have over 100 servers you end up with some percentage not working. 

 



--
Stephen J Smoogen.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
