On 5/19/19 10:53 AM, Nico Kadel-Garcia wrote:
> On Sun, May 19, 2019 at 12:14 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> In cloud-init land, the user can set a password by using their "sudo"
> privileges, and can set it for the "root" user and for the "ec2puser"
> or other cloud user. I don't think that Fedora should try to outsmart
> all the different use cases for cloud deployment by selecting
> sshd_config.

Sure, I wasn't suggesting we change the cloud case by messing with
sshd_config. I was suggesting we stop making a 'fedora' non-root user,
but I guess I should just go back to grumbling and repoint the thread to
the topic at hand.

> ...snip...
>> As noted, the cloud-init case has no passwords, only keys.
>
> You forgot "ec2puser".

Let me rephrase:

By default out of the box, our Fedora Cloud images have no passwords,
only keys for access. You can of course change this after the fact in
any number of ways.

>> If I am using ssh keys, I don't care about people trying to brute force
>> passwords. Forcing the root account closed and having to use a 'user'
>> account to login and sudo just seems like a pointless hoop.
>
> It provides tracking of which user's credentials have been abused.

No it does not. Once the abuser logs in and does sudo to root, all local
tracking is now useless and suspect. The abuser can erase/tamper/change
any logs you might look at later. By default there's no remote logging
or the like in Fedora Cloud.

>> root account with key -> login as root with key
>> user account with key / root locked -> login as user, sudo
>>
>> That's another shell running, another sudo process, etc.
>
> Yes, and for precisely the reasons above.

Which reasons? I'm afraid I still don't see anything compelling.

Anyhow, sorry for hijacking the thread away from the topic to
cloud-init. :( I'll stop now. :)

kevin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx