On Fri, May 17, 2019 at 4:35 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote: > > On 5/17/19 5:23 AM, Stephen Gallagher wrote: > > ...snip... > > > 3) Force Anaconda to require the creation of a non-root user that is a > > member of the `wheel` group, so that this user can be used to SSH in > > and administer the system. Essentially, remove the root user creation > > spoke as an option from the interactive install. > > So, this is basically the old cloud-init makes a user that can sudo to > root thing. Can anyone explain in small words how this is more secure? > This is not "force Anaconda to create a specific user", it's "the interactive dialog won't complete the installation without you selecting a non-root administrative user of your choice". It's more secure in that a non-well-known username is less prone to being vulnerable to automated attacks. > I mean, in this case the attacker would need to guess the username in > addition to the password (where in the cloud cause this is known), but > otherwise why not just keep root password access ? > Guessing the username is *hard*. It's not something an average script will do. It protects against casual attacks. Yes, it isn't necessarily helping against targeted attacks, but those are an entirely different ball of wax. > I always found that cloud default anoying and useless and haven't yet > seen a good argument to not do it. > _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
