I am not qualified to respond to the issue faced with headless machines as I have never had the need to do such myself (though this thread makes me want to give it a try) however, on a per user basis, I think it is safe to say that the majority of users do not utilize this method of installation, so maybe those who are in the know can devise a way to have root off by default. While the bots going around guess most usernames, they will always get 'root' and 'ftp' right on a standard install. At least 'ftp' has the nologin shell. Both easily allowing weak password, and having root able to remotely login by default seems to be leaving open a semi-obvious attack vector that need not be. Slightly off-topic however, we might consider banning the creation or remote login of the more commonly attacked usernames (not considering root as there is the previosly described problem). Peace. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
