On 5/13/21 9:45 AM, Simo Sorce wrote:
> On Wed, 2021-05-12 at 16:35 -0400, Ben Cotton wrote:
>> == Benefit to Fedora ==
>> This change makes the Fedora systems installed by Anaconda more secure
>> from remote password guessing attacks targeting the root account as it
>> would no longer be possible to configure a system that allows root to
>> login via SSH with password.
>>
>> A smaller benefit is making the root password configuration screen
>> less confusing by removing the "Allow SSH root login with password" &
>> Anaconda code cleanup related to removing code related to setting up the
>> override in sshd.
> To be honest I object to this characterization.
>
> There is no added security given the default is not changed. This only
> removes a valid option that users that install images for testing
> locally on their computer use. It just makes it harder but does not
> change the security of Fedora one iota, as users can still log in after
> install and re-enable root login with passwords, or use a kickstart
> file to do the same.
>
> If this is being done because maintaining the option for Anaconda
> developers then just say that. Otherwise do not do this change and let
> people that need it for convenience have it.
>
> Simo.
>

This will be a major PITA for me as well. Most of my machines are internal facing only and are VMs. There are lots of ways to provision a host; kickstarts being just one. I made a commitment to using Puppet instead because it enforces a setup thereafter, not just at install time. The same would be true with Ansible or any other of this ilk. I can't/won't have a local user account until Puppet is run because that's all achieved with NFS, LDAP and Kerberos -- things I don't want to try and achieve or replicate in a kickstart. Sure, I could have a kickstart install/start Puppet, but it's MUCH easier to check this one box than it is to enter in a long URL where a kickstart can be reached.
In the end, my SSH config will still be more hardened than what would be achieved by removing this checkbox.

John Florian