Security Changes For Fedora 9

David Pullman dpullman at nist.gov
Mon Jan 7 17:59:57 UTC 2008


Tomas Hoger wrote:
> On Sat, 5 Jan 2008 14:57:44 -0700 Kevin Fenzi <kevin at tummy.com> wrote:
> 
>> Well, as you say, you need to make sure we force the user to make a
>> regular account first, currently that's not being done. You can do a
>> new install and not create a user account. 
> 
> Problem is that you cannot create an unprivileged account in the
> installer, IIRC.  You are asked whether you want to create a normal user
> by firstboot, after the system was rebooted.  But that screen is usually
> not seen by users doing kickstart or vnc installation, as was pointed
> out by Tomas Mraz.  So changing the default value to 'no' would mean
> that those users will have no way to log into newly installed systems
> (assuming those methods are frequently used for remote installs with
> no or limited physical access).

Please note that some installations, like ours, would not configure 
local accounts at all, whether during Kickstart or manual install.  We 
use network accounts (LDAP), and we use ssh keys installed for root for 
administration.  So please don't say things like "you need to make sure 
we force the user to make a regular account first", because that is not 
always the case.  Perhaps in a small office/home installation these are 
good points, but not in larger installs with network authentication.

We have dozens and dozens of installs on a network used by researchers 
and we reinstall often and use network authentication, etc.

If you are going to consider this sort of thing, please make sure there 
is a switch somewhere so it doesn't break large site installations.

Thanks very much.

-- 
David Pullman
Systems Administrator
Manufacturing Engineering Laboratory
National Institute of Standards & Technology
Mail Stop 8203
100 Bureau Drive
Gaithersburg, MD 20899-8203
Tel: (301) 975-5385
Fax: (301) 926-3842
E-mail: david.pullman at nist.gov




More information about the Fedora-security-list mailing list