Once upon a time, Stephen John Smoogen <smooge@gmail.com> said:
> So a lot of sites have set up that you remotely kickstart a system and then
> ansible in as root with the rest of the configurations. It is the biggest
> reason we have been keeping this as active for a long time. You are
> breaking all those configs with a 'oh you can just login on a local
> console'. That kickstart may not have any of that.. and the last thing a
> sysadmin wants when they are building 4000 nodes somewhere is find out that
> they need to add another 20 steps to their post..
Well, I'd assume before building 4000 nodes, they'd test the kickstart
(I test mine extensively on VMs before using on a real box). It isn't
"another 20 steps" - either a sed one-liner to allow root or a mkdir and
a echo to add an SSH key (which you'd probably do anyway if you're doing
the rest with Ansible).
Look its Friday. I don't drink, I don't smoke, and I am trying to cut swearing. All that leaves me is a nice can of hyperbole.
You are right, 1-4 lines is what might be needed to do things.
> Make it a predefined kickstart thing they can do so all they have to do is
> add a line in it that says
>
> ssh_remote --user=<account> --keyfile=<url> --yesIwantrootandIknowitsbad
If this is the desired path, I'd go with a couple of additional
arguments to existing directives:
--enablerootssh (for rootpw or maybe auth?)
--sshkey (for both rootpw and user directives)
Yeah.. --sshkey is a better name than --keyfile
and --enablerootssh is better than --yesIwantrootandIknowitsbad
No matter if this proposal is done, having an --sshkey option would be
nice, especially for Ansible use.
I think this OpenSSH change to follow upstream (and many other OS)
config is a good and overdue thing.
I am not disagreeing... but having been the person to do such security changes in the past.. it usually pisses of the people deploying the software enough to jump to something completely different. It always gets taken as 'You are more worried about security than usability' and a general feeling of disrespect to the sysadmins stuck with coming up with the change have 0 time to actually do that work. After 30+ years of being a security jerk.. I am just trying to say 'look people we can do better. if someone needs to get this done.. we should at least make it easier for them to do so in way that is clear to an auditor later.' [Ah there goes another can of hyperbole.. ]
--
Chris Adams <linux@cmadams.net>
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org