Hi,
On 5/17/21 2:26 PM, Martin Kolman wrote:
On Sat, 2021-05-15 at 17:53 +0200, Ralf Corsepius wrote:
On 5/14/21 2:50 PM, Martin Kolman wrote:
On Thu, 2021-05-13 at 20:09 +0200, Peter Boy wrote:
We discussed that in the Fedora Server Edition Working Group and
opted to leave it as is for the Server installation iso. A lot of
servers are running in a protected environment. And there are
situations when you need urgent access but do not sit at your
desktop
and don’t have the key available. So let the server admin decide
what
is best in a given installation context. In most cases it is the
current default (disallow password login)
Do those server deployments not have any users accounts other than
root
? Creating a non-root user account, possibly with admin rights (all
possible from within Anaconda) would seem like a safer option for
accasional/emergency password based access to such machines over
SSH.
I don't see, how this would any safer than directly using "root".
As far as I understand the original change in upstream OpenSSH it's
about only having to remotely guess a password to gain access to the
root account.
In comparison to remotely attack a user account you need to guess both
the user name *and* password, making the potential search space quite a
bit larger (provided the user name is reasonably unique).
So presumably, its a problem for which a single additional bit of
password entropy provides more security.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
