>>>>> The only other approach I could see for the headless
>>>>> servers would be mandating the enrollment in an identity domain at
>>>>> installation time (such as to FreeIPA or Active Directory).
>>>>
>>>> And in this scenario we should absolutely disable PermitRootLogin.
>>>
>>> So that if you have issues with the connector, you have to reboot the
>>> machine and be physically present to fix anything.
>>>
>>> Not really a grand plan IMO.
>>
>> Earlier in the discussions I was told that this is not really an issue: in
>> production, about every server with remote access also has a KVM.
>
> Often not the case in small business or third party hosted environments.
> Without remote ssh, box is unmanageable.
>
> Even if you want to do key-based authentication rather than password, you
> still need to use password initially to get the key onto the remote box.

If you use cloud-init you can specify an initial public key that it
inserts against, or even auto enrol it in a central auth system like
IPA and hence not ever need a password.

Peter
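
The key-injection route mentioned in the reply above, as an added cloud-init user-data sketch that is not part of the original message. The account name `admin` and the key are placeholders; the IPA enrolment variant is not shown.

```yaml
#cloud-config
# Added illustration: first-boot provisioning with no password login at all.
# The account name and the public key below are placeholders (assumptions).
users:
  - name: admin                       # hypothetical administrative account
    groups: wheel
    sudo: "ALL=(ALL) NOPASSWD:ALL"    # the account has no password to prompt for
    lock_passwd: true                 # local password stays locked
    ssh_authorized_keys:
      - ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> admin@example.com

ssh_pwauth: false    # cloud-init sets sshd PasswordAuthentication to "no"
disable_root: true   # root's authorized_keys entry only tells the caller to
                     # log in as the provisioned user instead
```

`disable_root` restricts key logins for root through `authorized_keys` options; it does not itself write `PermitRootLogin no` into the sshd configuration, so that setting still has to come from the image or a configuration drop-in.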