[Libosinfo] [PATCH] fedora,script: Allow passwordless SSH
Zeeshan Ali (Khattak)
zeeshanak at gnome.org
Fri Apr 22 12:48:53 UTC 2016
Hi,
On Fri, Apr 22, 2016 at 1:28 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Fri, Apr 22, 2016 at 01:17:24PM +0100, Zeeshan Ali (Khattak) wrote:
>> HI Daniel,
>>
>> On Fri, Apr 22, 2016 at 1:00 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
>> > On Fri, Apr 22, 2016 at 12:58:40PM +0100, Zeeshan Ali (Khattak) wrote:
>> >> If either user or admin accounts are passwordless, configure SSH server
>> >> to allow empty passwords so these accounts can login through SSH.
>> >> ---
>> >> .../fedoraproject.org/fedora-kickstart-desktop.xml.in | 6 ++++++
>> >> 1 file changed, 6 insertions(+)
>> >
>> > Do we really want todo this. IMHO apps should be enforcing a
>> > non-zero length password for the accounts created by install
>> > scripts. Configuring password-less ssh is madness given the
>> > modern hostile network environments, even on intranets.
>>
>> Well without this patch, there is no way of SSHing into the guest if
>> user/app chooses to have no password. Currently that is the default in
>> Boxes but maybe Boxes should warn about it being unsecure but I think
>> if user want passwordless machine, that is precisely what they should
>> get.
>
> IMHO it is irresponsible to configure VMs to allow network based
> access with zero authentication. The only valid case where I can
> see having no password is if you have instead injected an SSH
> public key to allow key based login access. So rather than this
> patch to modify the SSH server to turn off all auth, how about
> adding config parameter to associate an SSH public key with
> the user account.
Yeah, i guess that makes sense even though a lot more work. :)
--
Regards,
Zeeshan Ali (Khattak)
More information about the Libosinfo
mailing list