
Re: [Libosinfo] [PATCH] fedora,script: Allow passwordless SSH



Hi,

On Fri, Apr 22, 2016 at 1:28 PM, Daniel P. Berrange <berrange redhat com> wrote:
> On Fri, Apr 22, 2016 at 01:17:24PM +0100, Zeeshan Ali (Khattak) wrote:
>> Hi Daniel,
>>
>> On Fri, Apr 22, 2016 at 1:00 PM, Daniel P. Berrange <berrange redhat com> wrote:
>> > On Fri, Apr 22, 2016 at 12:58:40PM +0100, Zeeshan Ali (Khattak) wrote:
>> >> If either user or admin accounts are passwordless, configure SSH server
>> >> to allow empty passwords so these accounts can login through SSH.
>> >> ---
>> >>  .../fedoraproject.org/fedora-kickstart-desktop.xml.in               | 6 ++++++
>> >>  1 file changed, 6 insertions(+)
>> >
>> > Do we really want to do this? IMHO apps should be enforcing a
>> > non-zero length password for the accounts created by install
>> > scripts.  Configuring password-less ssh is madness given the
>> > modern hostile network environments, even on intranets.
>>
>> Well without this patch, there is no way of SSHing into the guest if
>> user/app chooses to have no password. Currently that is the default in
>> Boxes but maybe Boxes should warn about it being unsecure but I think
>> if the user wants a passwordless machine, that is precisely what they should
>> get.
>
> IMHO it is irresponsible to configure VMs to allow network based
> access with zero authentication. The only valid case where I can
> see having no password is if you have instead injected an SSH
> public key to allow key based login access. So rather than this
> patch to modify the SSH server to turn off all auth, how about
> adding a config parameter to associate an SSH public key with
> the user account.

Yeah, I guess that makes sense even though it's a lot more work. :)

-- 
Regards,

Zeeshan Ali (Khattak)
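
The condition debated in this thread, an SSH server that accepts empty passwords for accounts that have none, can be audited on a guest image. The following is an added example, not part of the original message or of libosinfo; the function names and the sample sshd_config and shadow contents are constructed for illustration, and it assumes whitespace-separated `Keyword value` lines.

```python
# Constructed sample inputs, not taken from the patch or from a real host.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication yes
PermitEmptyPasswords no
permitemptypasswords yes
Match User kiosk
    PermitEmptyPasswords yes
"""
SAMPLE_SHADOW = """\
kiosk::16913:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16913:0:99999:7:::
daemon:*:16913:0:99999:7:::
"""

def sshd_settings(config_text):
    """Split sshd_config into global settings and Match blocks.
    sshd keeps the first value seen for a keyword; keywords are case-insensitive."""
    global_cfg, match_cfg, current = {}, [], None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # a Match block runs to the next Match line or EOF
            current = {"match": value}
            match_cfg.append(current)
        else:
            (global_cfg if current is None else current).setdefault(key, value)
    return global_cfg, match_cfg

def empty_password_accounts(shadow_text):
    """Accounts whose shadow hash field is empty; '*' or '!' there means locked."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [f[0] for f in rows if len(f) >= 2 and f[1] == ""]

def audit(config_text, shadow_text):
    """(scope, account) pairs that can log in over SSH with no secret."""
    global_cfg, match_cfg = sshd_settings(config_text)
    scopes = [("global", global_cfg)] + [("Match " + m["match"], m) for m in match_cfg]
    pw_default = global_cfg.get("passwordauthentication", "yes")  # sshd default: yes
    findings = []
    for scope, cfg in scopes:  # Match criteria are not evaluated, only reported
        empty_ok = cfg.get("permitemptypasswords", "no").lower() == "yes"
        pw_auth = cfg.get("passwordauthentication", pw_default).lower() == "yes"
        if empty_ok and pw_auth:
            findings += [(scope, a) for a in empty_password_accounts(shadow_text)]
    return findings
```

On the sample input the second global `permitemptypasswords` line is ignored because the first value wins, so the only finding comes from the `Match User kiosk` block.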

