Ya but everyone has to physically pop the dvd or usb drive into their computer and start
anaconda right? So surely they can just "useradd whoever" from the command line
or start sshd on their own when it comes to that. It doesn't make sense to me to have
a widely agreed upon unsafe sshd setting on by default just to accommodate the convenience
of a likely minority amount of users installing a headless server... especially
considering those advanced users are best able to start sshd on their own and configure
the firewall etc for their needs. At least when logging into gnome for the first time
they could popup a message saying "by the way you should probably change your
firewall unless you want to be hacked", if they really want to keep that option
Date: Thu, 19 May 2011 11:49:02 -0600
From: kevin(a)scrye.com
To: aragonx(a)dcsnow.com
Subject: Re: Default Fedora installation suffers from egregious configuration flaw
CC: security(a)lists.fedoraproject.org
On Thu, 19 May 2011 13:40:47 -0400
aragonx(a)dcsnow.com wrote:
Isn't that only part of the
solution? Why would we ever need to have PermitRootLogin to
true? My memory is a little rusty but I'm pretty sure the install
forces the creation of a user account.
No, it does at firstboot.
If you install a headless machine, you have no way to make a user
without logging in as root and making one.
I've never done a
headless install so I know nothing about how that works. However, we
shouldn't let a minority of installations compromise the security of
the majority. As someone has already pointed out, can't they have a
different spin to allow whatever they might need?
I think there are solutions to this, but they should be worked with the
anaconda folks, rather than here. ;)
Are there any
other services that are listening by default and allowed through the
firewall? I believe there should be none of either. However, I
have been called paranoid in the past. :)
Nope. Not on a default install anymore I don't think...
kevin
--
security mailing list
security(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/security