F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Adam Williamson adamwill at fedoraproject.org
Wed Jan 14 21:13:45 UTC 2015


On Wed, 2015-01-14 at 16:54 +0000, P J P wrote:
>    Hi,
> 
> > On Wednesday, 14 January 2015 8:01 PM, Simo Sorce wrote:
> > Ok, I state my opposition to without-password too unequivocally 
> > here. Mostly because it is just the same as 'no', given there is 
> > no way, in a regular install to seed a key into the root account.
> > 
> > Except you have no mechanism to inject a key at installation time,
> 
> 
>    Sure. Could you please elaborate how would you like this key to be
> injected into the 'root' account? Feature page does have a listed 
> workflow change:
> 
>   "Anaconda installer OR maybe OpenSSH package needs to create
>    initial set of authentication keys for 'root' user."
> 
> It'll help if you could add your details to the ether pad, for later 
> reference.

Still, you can't just invoke features into existence by describing 
them on a Change page. There needs to be a credible plan for actually 
*doing* that work, yet so far as I can tell, none of the anaconda 
developers is involved in the Change proposal, nor has anyone said "I 
will write the code to make this work".

In a project like Fedora, it doesn't always work out well to do things 
the way this Change seems to be going: think of one change you want to 
do, write up a Change for it, realize that lots of other things would 
have to be done to make the change viable, and just write those things 
into the Change as bullet points, and assume that somehow they'll be 
made to happen if the change is approved.

Two other outcomes are more likely: 1) the Change will be rejected 
because FESCo is worried about whether the necessary work will 
actually get done, 2) the Change will get accepted but all the 
necessary work won't actually get done, and the Change will have to be 
backed out (wasting a lot of everyone's time), or the Change will go 
in broken and everyone loses.

Basically, when proposing a Change, you need to make sure that you 
have a plausible plan for all the necessary work to get done *ahead of 
time* - i.e. you need actual people who have said "yes, I will do this 
work, and I can believably commit to having it done in time". It 
doesn't work, normally, to draw up a Change which requires work to be 
done, then expect that you can get the Change accepted and resources 
will somehow transpire to do the work.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net


