[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SSHd



On 8/20/06, Stephen John Smoogen <smooge gmail com> wrote:
On 8/20/06, Kostas Georgiou <k georgiou imperial ac uk> wrote:
> On Sun, Aug 20, 2006 at 12:54:30PM +0200, Christian Rose wrote:
>
> > On 8/19/06, Arthur Pemberton <pemboa gmail com> wrote:
> > >Why does FC ship openssh with sshd allowing root logins? And are there
> > >any plans to preempt the now routine sshd weak password hunting bots?
> >
> > IIRC, the idea was that you should not end up with being locked out of
> > a remote system if that system's /home NFS mount was somehow screwed
> > up. With allowing root to log in, you could still fix a remote system
> > using NFS-mounted home directories.
>
> Not to mention that kerberos/ldap/nis/whatever might be down so user
> logins might not be available.
>
> In any case wouldn't it better to start using pam_access by default in
> system_auth and block root logins if you want there? I don't see why sshd
> should be treated differently than other tools in the system.
> Anaconda, authconfig can ask questions at install time like:
>  Allow root logins: [X] Local, [] Everywhere, [] By domain ..., etc.
>  Allow user logins: [] Local, [X] Everywhere, [] By domain ..., etc.
> and setup an access.conf file.
>

The best bet would be to create a system-config-sshd that could be run
during first boot if so needed. In most cases it is better to run
stuff in first-boot than in anaconda (where most people just seem to
hit enter.)

Would have to agree with that.


--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

--
fedora-devel-list mailing list
fedora-devel-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-devel-list



--
To be updated...


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]