Am 17.12.2014 um 17:05 schrieb P J P:
> On Tuesday, 16 December 2014 10:57 PM, Simo Sorce wrote:
> The thing need to be done during install, my servers boot unattended.
> No the key-word here is "easily", which is misguided.
> It is not *easy* to have to jump through hoops to get a KVM/spice
> connection to log in through the console to then go and change an
> option.
>
> It is not easy and it is not automatable, so you break a ton of
> deployment/qa/automation scripts people rely on.
Sure, I agree. I'm not sure how these VM images are created and deployed,
but there must be some way to handle such cases,
ex ->
https://lists.fedoraproject.org/pipermail/devel/2014-November/204663.html
As said before, intention is not to break things too rough and bother users.
But to make things secure while keeping them usable. If they are not usable,
what good is that security?
Anaconda should just ask for sshd yes/no with defaults to no and in that
case not enable the service at all
* forcing me to create a non-root user is a nogo
there are machines where you never connect except for admin tasks
* "PermitRootLogin no" is idiotic in any case because the safe setting
"PermitRootLogin without-password" exists and enforces a private key
while there is no public key without generate and install it
* well, and you need a first time root login with password to
import such a key and then disable password login
hence just don't enable the service on each and every machine and ask
the user if he needs a ssh server at install time - i know, in times
where it's not popular to ask a user for anything not likely to happen
what will not work is magically guess the users intention and provide
secure defaults at the same time, not now and not in the future
*ask users* and default to *no* because if someone say "yes" by
intention it's his own responsibility to secure it
and *do not* touch existing configurations, never, in no context
i have seen networks going down because stupid named-maintainers decided
to mangle "named.conf" by add dnssec options unasked with regular yum
updates