Isn't the issue always the same?
Namely network installs that need ability to log in as root+password
until further setup can be done?

It'd be nice if there were a way to automatically determine that
another form of login is possible, and disable password only if that's
certain ...

Simo.

On Mon, 2019-04-15 at 14:20 +0200, Jakub Jelen wrote:
Hello,

I see it as more viable to resurrect bug #89216 [1] and change the default
configuration (not only in Fedora Server) to

PermitRootLogin no

or at least prohibit-password. It can at least nudge for using better
workflows using sudo.

I did not have the energy to persuade this change during the last years,
especially because there used to be such a huge pushback in the past.
If you wish to help me in this way, I would strongly appreciate this
change in OpenSSH.

SSH agent forwarding can indeed be dangerous, but only if the server
was already compromised (by running an outdated system with privilege
escalation vulnerabilities).

Regards,
Jakub

[1] https://bugzilla.redhat.com/show_bug.cgi?id=89216

On Fri, 2019-04-12 at 13:33 -0600, Chris Murphy wrote:
> Hi,
>
> I ran into this "fun" hack
> https://news.ycombinator.com/item?id=19642554 and I'm wondering
> whether it'd be a good idea for F31 to ship with:
>
> #AllowAgentForwarding no
> #PasswordAuthentication no
>
> Cockpit provides an interface to add SSH public keys for a while now.
> However the installer doesn't require creation of an admin user, it's
> an option.
>
> Related to that, I'd like to see the installer:
> a. Require creation of a non-root user with "Make this user
> administrator" checked by default
> b. Root user has "Lock root account" checked by default
>
> When I check "lock root account" and return to the installation
> overview, it shows for root user that logins are disabled, so it's not
> like the person doing the install has to go dig around for the fact
> root user will be disabled. And they can easily uncheck it and set a
> password.
>
> Any thoughts?
>
> --
> Chris Murphy
> _______________________________________________
> server mailing list -- server(a)lists.fedoraproject.org
> To unsubscribe send an email to server-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org

--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
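
The check Simo describes at the top of the thread (disable password login only when another form of login is certain), sketched as an added example; it is not code from any poster, Fedora or OpenSSH. The function names `has_usable_key` and `sshd_policy` and the sample key files are hypothetical, and the script only prints the `sshd_config` lines rather than writing them.

```shell
#!/bin/sh
# Added example: choose sshd settings based on whether a public key is
# already installed. Function names and sample files are hypothetical.

# Succeeds if the file has at least one non-comment line that looks like a
# public key, optionally preceded by an options field. Every SSH public key
# blob starts with "AAAA" in base64 (the length prefix of the type string).
has_usable_key() {
    [ -r "$1" ] || return 1
    grep -Eq '^[^#]*(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)[[:space:]]+AAAA[A-Za-z0-9+/]+' "$1"
}

# Prints the sshd_config lines to apply. Password login is turned off only
# when at least one of the given authorized_keys files holds a usable key.
sshd_policy() {
    for f in "$@"; do
        if has_usable_key "$f"; then
            printf '%s\n' 'PasswordAuthentication no' \
                          'PermitRootLogin prohibit-password'
            return 0
        fi
    done
    # No key anywhere: keep password login so a fresh network install
    # stays reachable until further setup is done.
    printf '%s\n' 'PasswordAuthentication yes'
}

# Demo on constructed input: an empty key file and one with a made-up key.
demo_dir=$(mktemp -d)
: > "$demo_dir/root_keys"
printf '# admin laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOnly admin@example\n' \
    > "$demo_dir/admin_keys"
sshd_policy "$demo_dir/root_keys"                          # fallback: passwords stay on
sshd_policy "$demo_dir/root_keys" "$demo_dir/admin_keys"   # key found: hardened lines
rm -rf "$demo_dir"
```

Before applying the printed lines to a real host, validate the resulting configuration with `sshd -t` and keep an existing session open while testing a new login.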