Re: Intention to dropping the "Allow SSH root login with password" option from the installer GUI

On Sat, 2021-05-01 at 08:32 +0200, Peter Boy wrote:
> 
> 
> > Am 29.04.2021 um 22:09 schrieb Martin Kolman <mkolman@xxxxxxxxxx>:
> > 
> > Hi!
> > At the moment the Anaconda installer used by Fedora contains an
> > option
> > called "Allow SSH root login with password" on the root password
> > configuration screen.
> > ...
> > Note that the checkbox is not ticked by default, the user needs to
> > make
> > a conscious choice to allow this security problematic SSH login
> > behavior.
> > ...
> > good time to finally drop the "Allow SSH root login with password"
> > from
> > the Anaconda GUI.
> 
> I greatly appreciate Fedora's emphasis on establishing the most secure
> system possible by default. It was one of my reasons to choose Fedora,
> years ago.
> 
> But what makes the Anaconda team think that the system administrator
> could activate the option for no good reason, just for fun,
> recklessness or the joy of 'adventure'? 
> 
> I don't mean to be unkind, but in my view you are about to patronize
> the system administrator in a kind of missionary overzealousness. But
> reading Fedora vision, Fedora is about Freedom, another good reason to
> decide for it.
Actually, it's the other way around - we believe in the administrator
being a professional who can easily add an override via a kickstart if
really needed, such as the one described here:

https://anaconda-installer.readthedocs.io/en/latest/common-bugs.html#enabling-root-password-ssh-login-via-password

> 
> > If you are aware of some critical Fedora/Fedora spin usecase that
> > depends on users regularly ticking this option, please let us know!
> 
> No system administrator will 'regularly' tick that option! That is
> an unrealistic assumption. It is reserved for special exceptions
> (that's why it is off by default). Others have already described such
> cases. 
> 
> At the very least, I am in favor of leaving the option in the Server
> Edition as it is.
The option is currently not parametric in any way, but we do have per
product/variant configuration files that encode differences from the
Fedora baseline, such as the XFS based default partitioning for the
Fedora Server variant:

https://github.com/rhinstaller/anaconda/blob/master/data/product.d/fedora-server.conf#L14

So if consensus is reached for keeping the option available on Fedora
Server variant only (ideally ACKed by the Fedora Server SIG) it would
be possible to show the option only in the Fedora Server installer
variant, at the cost of some added code complexity.

>   
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:  
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:  
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:  
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it:  
> https://pagure.io/fedora-infrastructure
