On 8/20/06, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
On 8/20/06, Kostas Georgiou <k.georgiou@xxxxxxxxxxxxxx> wrote:
> On Sun, Aug 20, 2006 at 12:54:30PM +0200, Christian Rose wrote:
>
> > On 8/19/06, Arthur Pemberton <pemboa@xxxxxxxxx> wrote:
> > >Why does FC ship openssh with sshd allowing root logins? And are there
> > >any plans to preempt the now routine sshd weak password hunting bots?
> >
> > IIRC, the idea was that you should not end up with being locked out of
> > a remote system if that system's /home NFS mount was somehow screwed
> > up. With allowing root to log in, you could still fix a remote system
> > using NFS-mounted home directories.
>
> Not to mention that kerberos/ldap/nis/whatever might be down so user
> logins might not be available.
>
> In any case wouldn't it be better to start using pam_access by default in
> system_auth and block root logins if you want there? I don't see why sshd
> should be treated differently than other tools in the system.
> Anaconda, authconfig can ask questions at install time like:
>   Allow root logins: [X] Local, [] Everywhere, [] By domain ..., etc.
>   Allow user logins: [] Local, [X] Everywhere, [] By domain ..., etc.
> and set up an access.conf file.
>

The best bet would be to create a system-config-sshd that could be run
during first boot if so needed. In most cases it is better to run
stuff in first-boot than in anaconda (where most people just seem to
hit enter.)

Would have to agree with that.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

--
To be updated...
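
The access.conf policy proposed in the thread (root logins local only, user logins from everywhere) can be checked with a small model of pam_access's first-match evaluation. This is an added example, not part of any poster's message or of Fedora's tooling; the rule file, host name and function names are constructed for illustration, and only literal names, `ALL` and `LOCAL` are modelled.

```python
# Added example: simplified model of pam_access first-match rule evaluation.
# Real access.conf also supports groups, netgroups, networks and EXCEPT,
# which are left out here.

# Constructed access.conf: root may log in locally only, users from anywhere.
ACCESS_CONF = """
# permission : users : origins
+ : root : LOCAL
- : root : ALL
+ : ALL  : ALL
"""

# Same rules with the catch-all first: the root restriction is never reached.
MISORDERED_CONF = """
+ : ALL  : ALL
+ : root : LOCAL
- : root : ALL
"""

def parse_rules(text):
    """Return a list of (allow, users, origins) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        perm, users, origins = [f.strip() for f in line.split(":", 2)]
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {perm!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(token, rhost):
    """rhost is None for a console/tty login, else the remote host name."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return rhost is None
    return rhost == token                      # literal remote host only

def access_allowed(rules, user, rhost=None):
    """First matching rule decides; if nothing matches, access is granted."""
    for allow, users, origins in rules:
        user_hit = any(u in ("ALL", user) for u in users)
        if user_hit and any(origin_matches(o, rhost) for o in origins):
            return allow
    return True

RULES = parse_rules(ACCESS_CONF)
MISORDERED = parse_rules(MISORDERED_CONF)
```

On a real system the file is only consulted when `pam_access.so` is present in the PAM account stack that sshd and the other login services use.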