----- Original Message -----
On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit i.grok@comcast.net wrote:
On Tue, Nov 25, 2014 at 09:56:59AM -0500, Simo Sorce wrote:
On Sat, 22 Nov 2014 08:24:32 +0000 (UTC) P J P wrote:
On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote:
On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote: The latter. We have to install authorized_keys inside the VM anyway, so we can touch sshd_config, too.
Virt-builder has a new '--ssh-inject' feature (in F22 only).
$ virt-builder fedora-20 --ssh-inject root
would inject your current ssh key into the root account of the new VM. There are other variations, including ways to create a non-root user account, see:
Excellent! :)
So far the consensus seem that it is okay to reverse the current default and set PermitRootLogin=no. I'll talk to the upstream maintainer - plautrba(https://fedoraproject.org/wiki/User:Plautrba).
Thank you.
We can install machine w/o user accounts, removing the ability to log in as root via ssh means those machines will not be accessible.
If you want to remove root access that should be conditionally done at firstboot only if a user account was created.
It seems to me that we could tweak this somewhat: "only if a user account was created OR remote users have been configured"
And in months that start with the letter "q", but not odd numbed weekdays, and if I ate a tuna fish sandwich for lunch, but not if I'm wearing white socks, and only on alternate years with a prime number, etc, etc., etc.
Look, this is a basic system configuration. It's not "Cripple Mr. Onion". Pick *one* setting, and let people know from that whether they'll need to manipulate their local environments for their particular subtle needs.
And for those who don't read Terry Pratchett stories, http://discworld.wikia.com/wiki/Cripple_Mr_Onion
Exactly! The more I think about this Change the more I am having an opinion that we should reject it altogether. In fact this change does not really bring any real security improvement because for the Workstation the sshd is already disabled completely by default and for the other products the people who are installing them can be expected to know what they are doing.
Also disabling root access does not improve security against targeted attacks because in such cases the user name can be quite easily inferred. So basically this feature is just a 'marketing' improvement and not worth the hassle.
Tomas Mraz