F22 System Wide Change: Set sshd(8) PermitRootLogin=no
Miloslav Trmač
mitr at redhat.com
Wed Jan 14 17:34:22 UTC 2015
> On Wed, 14 Jan 2015 16:54:09 +0000 (UTC)
> P J P <pj.pandit at yahoo.co.in> wrote:
> > > On Wednesday, 14 January 2015 8:01 PM, Simo Sorce wrote:
> > > Ok, I state my opposition to without-password too inequivocably
> > > here. Mostly because it is just the same as 'no', given there is no
> > > way, in a regular install to seed a key into the root account.
> > >
> > > Except you have no mechanism to inject a key at installation time,
> >
> > Sure. Could you please elaborate how would you like this key to be
> > injected into the 'root' account? Feature page does have a listed
> > workflow change:
> >
> > "Anaconda installer OR maybe OpenSSH package needs to create
> > initial set of authentication keys for 'root' user."
That’s not how, to my knowledge, ssh keys are usually deployed; there is one private key per user (or, for the paranoid, one private key per client machine / user’s home directory), not one private key per the server one is connecting to. And creating a key does not really solve the problem: how do the administrators get the key so that they can connect?
> > I'd request all(those who are opposing) too describe their
> > requirements in the etherpad page above.
>
> Being able to authenticate as root right after installation would be
> the requirement for me.
Let’s be precise here; “able to authenticate as root” is an implementation detail; the underlying requirement is something else. “Able to set up IPA”? “Able to run administrative commands in shell?” (e.g. we could just, as a part of firstboot, open a root shell without any authentication ☺ ).
Mirek
More information about the devel
mailing list