F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Stephen John Smoogen smooge at gmail.com
Thu Jan 8 20:34:14 UTC 2015


On 8 January 2015 at 11:52, Miloslav Trmač <mitr at redhat.com> wrote:

> > > > The only other approach I could see for the headless
> > > > servers would be mandating the enrollment in an identity domain at
> > > > installation time (such as to FreeIPA or Active Directory).
> > >
> > > And in this scenario we should absolutely disable PermitRootLogin.
> >
> > So that if you have issues with the connector, you have to reboot the
> > machine and be physically present to fix anything.
> >
> > Not really a grand plan IMO.
>
> Earlier in the discussions I was told that this is not really an issue: in
> production, about every server with remote access also has a KVM.
>     Mirek
>

I would say that whoever told you that was being way too optimistic.

Just in Fedoraproject's 150 servers we have run into quite a few common
issues.

0) Every KVM requires Java. Some only work with java-1.4 or java-1.5 or
java6 or ... and the current Fedora version isn't supported. Java
implementation has quirks which sometimes repeat keys, skip keys, drop
keys, etc. Easy to figure out in regular commands, impossible with hidden
root passwords. Java implementation does not accept pasting from
clipboard. Passwords longer than 8 characters end up being multiple
attempts.
1) System has KVM. KVM has decided not to work with client for some reason.
[bad connector, the KVM is taking a smoke break and will work after it has
been physically rebooted, etc]
2) System does not allow for KVM. It is serial only... repeat the above two
problems we run into with KVM, just replacing KVM with serial.
3) System is not connected to any KVM but uses off-line management (drac,
asm, imm, etc). Repeat 0/1 for those.

In most of the cases, we end up requiring someone to go to the system
physically and doing some initial work if we run into any of 0-3. Of course
that works great if you have a physical server. We virtualize most of our
servers, which ends up with even more weird problems when trying to get
it working.

This isn't just Fedora's systems... I know of large clusters of boxes where
they have a 'monkey tender' whose job is pretty much going around all day
doing this for some system somewhere because KVM works 99% of the time and
when you have over 100 servers you end up with some percentage not working.




-- 
Stephen J Smoogen.
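The change under discussion is the value of a single sshd(8) keyword, and the argument above is about what happens when you can no longer reach the box once that keyword says "no". A defender deciding whether a host is ready for PermitRootLogin=no first needs to know what value sshd is actually going to apply, which is not always obvious: sshd takes the first value it reads for a keyword and ignores later duplicates, while a value inside a Match block applies only to connections that satisfy the Match criteria. The following audit script is an added example written for this page; it is not from the post, the Fedora change proposal, or OpenSSH. It parses an sshd_config text, reports the effective global PermitRootLogin and any Match-scoped overrides, and assumes the compiled-in default of prohibit-password that OpenSSH has shipped since 7.0 (pass a different default for older builds). The sample configs are constructed for the demonstration.

```python
"""Audit an sshd_config for the effective PermitRootLogin value.

sshd(8) applies the *first* value it reads for a keyword; later duplicates
are ignored. Values inside a "Match" block apply only to connections that
satisfy the Match criteria, so they are reported as conditional overrides
rather than as the global setting.
"""
import re

# Constructed sample configs for the demonstration (not from any real host).
SAMPLE_HARDENED = """\
# Deployed by config management
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

SAMPLE_DUPLICATE = """\
PermitRootLogin yes      # first value wins; the 'no' below is ignored
PermitRootLogin no
"""

SAMPLE_MATCH = """\
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

# keyword, then either '=' or whitespace, then the value (sshd accepts both)
_KEYVAL = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Yield (lineno, keyword_lowercase, value, match_criteria) tuples.

    match_criteria is None for the global section and the Match criteria
    string for directives that sit inside a Match block.
    """
    current_match = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":                    # everything after this is scoped
            current_match = value
            continue
        yield lineno, key, value, current_match


def effective_permit_root_login(text, default="prohibit-password"):
    """Return (global_value, lineno, overrides).

    global_value is the first PermitRootLogin outside any Match block, or
    `default` if none is set (lineno is then None). overrides is a list of
    (match_criteria, value, lineno) for PermitRootLogin inside Match blocks.
    """
    global_value, global_line = None, None
    overrides = []
    for lineno, key, value, criteria in parse_sshd_config(text):
        if key != "permitrootlogin":
            continue
        if criteria is None:
            if global_value is None:          # first value wins, rest ignored
                global_value, global_line = value.lower(), lineno
        else:
            overrides.append((criteria, value.lower(), lineno))
    if global_value is None:
        global_value = default
    return global_value, global_line, overrides


def audit(text, default="prohibit-password"):
    """Return a list of human-readable findings about root login exposure."""
    value, line, overrides = effective_permit_root_login(text, default)
    findings = []
    if value == "yes":
        findings.append(f"line {line}: PermitRootLogin yes allows remote root "
                        "password login")
    elif line is None:
        findings.append("PermitRootLogin not set; compiled-in default "
                        f"'{default}' applies")
    for criteria, v, l in overrides:
        if v != "no":
            findings.append(f"line {l}: Match {criteria} weakens the global "
                            f"setting ({v})")
    return findings


if __name__ == "__main__":
    for name, cfg in [("hardened", SAMPLE_HARDENED),
                      ("duplicate", SAMPLE_DUPLICATE),
                      ("match", SAMPLE_MATCH)]:
        print(name, effective_permit_root_login(cfg), audit(cfg) or "ok")
```

Run it against `/etc/ssh/sshd_config` by reading the file and passing its contents to `audit()`; an empty findings list means the global setting is "no" (or key-only) with no Match block loosening it. The script deliberately reports a conditional override rather than silently accepting the global "no", because a Match block that re-enables root login from a management network is exactly the kind of escape hatch the thread is weighing against losing remote access.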