able to login as root via ssh :-(

Don Russell fedora at drussell.dnsalias.com
Tue Aug 8 21:20:16 UTC 2006


Les Mikesell wrote:
> On Tue, 2006-08-08 at 14:45 -0400, Robert Locke wrote:
>   
>>> [snip]
>>>       
>>>> In order for a remote system to be in a state that remote access is even
>>>> possible, there must be an OS already running. In order to install the
>>>> first OS, physical access to the box must be required. It has to be
>>>> physically connected etc. At the very least the power has to be turned
>>>> on.. it might then proceed to do a network install...
>>>>
>>>> At that first install time is when a second user id should be created....
>>>>         
>>> Non-root users are created during firstboot, not during the install.  If
>>> you aren't there to go through the firstboot process, you can't create any
>>> users other than via root.
>>>
>>> I don't recall off the top of my head what kickstart lets you do with
>>> respect to user creation.  It is conceivable that using kickstart to do a
>>> PXE install will leave a headless machine with no way to access it except
>>> via a root ssh session.
>>>       
>> Well, kickstart and/or the interactive install could tie you in to
>> various network directories like NIS or something LDAP based to give you
>> non-root users...
>>
>> But, of course, kickstart could add a user in a myriad of ways to the
>> local passwd/shadow/group files during the %post section like:
>> useradd -p encryptedpassword username
>>     
>
> I'm not quite sure I see the point of this unless it is a
> checkbox item in someone's theoretical 'best practices' list.
> How much of an install can you do as someone other than root?

It was exactly all this discussion I didn't want to get into... 
apparently it's already been decided that root log in via ssh is allowed 
by default.... fine, I can live with that.

What I WOULD like is an option in sshd_config then to tell me that's 
allowed.... (like other info I get in Logwatch about ssh) then I can do 
one of three things:
1 - turn off the option that warns me
2 - turn off root access via ssh
3 - see the warning every day. :-)

Bugzilla/RFE.... 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201794 :-)

Let's see...
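
The kind of daily check asked for above (a report that says whether root login over ssh is permitted), as an added example that is not part of the original post, of Logwatch or of OpenSSH. The function names `root_login_setting` and `check_root_login` are hypothetical, the sample config is constructed, and the parser assumes the whitespace-separated `Keyword value` form with no `Include` files.

```shell
#!/bin/sh
# Added example: report the effective global PermitRootLogin value.
# sshd uses the first value it finds for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.

root_login_setting() {
    # $1 = path to an sshd_config file; prints the value, or "unset"
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" {      # first occurrence wins
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

check_root_login() {
    # Returns 0 only when root login is explicitly disabled, 1 otherwise.
    value=$(root_login_setting "$1")
    case "$value" in
        no)    return 0 ;;
        unset) echo "WARNING: PermitRootLogin not set in $1; compiled-in default applies" ;;
        *)     echo "WARNING: PermitRootLogin is '$value' in $1" ;;
    esac
    return 1
}

# Constructed sample config, not taken from any real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample sshd_config
Protocol 2
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
EOF

# The commented-out line is ignored and the first live line ("yes") wins,
# so this prints a warning.
check_root_login "$sample" || true
rm -f "$sample"
```

Where the installed OpenSSH supports it, `sshd -T` prints the effective configuration and is the authoritative source; the script above only reads one file.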



