able to login as root via ssh :-(
Scot L. Harris
webid at cfl.rr.com
Tue Aug 8 20:48:17 UTC 2006
On Tue, 2006-08-08 at 14:18 -0500, Les Mikesell wrote:
> > > Non-root users are creating doing firstboot, not during the install. If
> > > you aren't there to go through the firstboot process, you can't create any
> > > users other than via root.
> > >
> > > I don't recall off the top of my head what kickstart lets you do with
> > > respect to user creation. It is conceivable that using kickstart to do a
> > > PXE install will leave a headless machine with no way to access it except
> > > via a root ssh session.
> >
> > Well, kickstart and/or the interactive install could tie you in to
> > various network directories like NIS or something LDAP based to give you
> > non-root users...
> >
> > But, of course, kickstart could add a user in a myriad of ways to the
> > local passwd/shadow/group files during the %post section like:
> > useradd -p encryptedpassword username
>
> I'm not quite sure I see the point of this unless it is a
> checkbox item in someones theoretical 'best practices' list.
> How much of an install can you do as someone other than root?
The issue if I recall correctly was that if you did a network install
there was no user account initially that could be used to log into the
remote system once the initial install had completed. So the admin
needed access as the root user to do the initial setup. That should
include creating a user account. Once that user account is created the
admin would use that account, disable root access, and use su or sudo to
admin the box after first logging in as that user.
It is a matter of getting the base level OS in place and having a
relatively secure box in the process that will allow the admin to get
access and apply patches and install required packages.
This issue only applies to those admins that perform network installs
and don't access the main console (headless systems) during the install
process. Could probably be considered a corner case but I think enough
people do this that disabling root access to ssh by default would cause
a major outcry.
More information about the fedora-list
mailing list