On Mon, 2019-04-15 at 20:42 -0600, Chris Murphy wrote:
On Mon, Apr 15, 2019 at 8:32 AM Martin Kolman
<mkolman(a)redhat.com> wrote:
> On Fri, 2019-04-12 at 13:33 -0600, Chris Murphy wrote:
> > Hi,
> >
> > I ran into this "fun" hack
> >
https://news.ycombinator.com/item?id=19642554 and I'm wondering
> > whether it'd be a good idea for F31 to ship with:
> >
> > #AllowAgentForwarding no
> > #PasswordAuthentication no
> >
> > Cockpit provides an interface to add SSH public keys for a while now.
> > However the installer doesn't require creation of an admin user, it's
> > an option.
> This is not entirely correct. During a "normal" installation from network
or
> DVD Anaconda, both interactive and kickstart Anaconda does require to have one of:
> - a root user account with password set
> - a user in the wheel group
> If either of those is satisfied - or both - the installation can proceed.
I set a user without "Make this user administrator" checked, and also
went to root user and locked it, did not set a password. And the
installer allow installation to proceed and quits without error.
At the very least it would be nice if the installer made "Make this
user administrator" checked by default. But ideally I'd say check it,
and gray it out to indicate it's immutable. That user will be the
admin. It's inappropriate for root to be the admin.
This would be a major policy change, it is not something to just
randomly decide on a mailing list. (FWIW it would also break just about
all the openQA tests, which all set a root password during
installation, because that's much more straightforward than dealing
with sudo.)
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net