Hello,
I see more viable to resurrect a bug #89216 [1] and change a default
configuration (not only in fedora server) to
PermitRootLogin no
or at least prohibit-password. It can at least nudge for using better
workflows using sudo.
I did not have an energy to persuade this change during last years,
especially because there used to be such a huge pushback in the past.
If you wish to help me in this way, I would strongly appreciate this
change in OpenSSH.
SSH agent forwarding can be indeed dangerous, but only if the server
was already compromised (by running outdated system with privilege
escalation vulnerabilities).
Regards,
Jakub
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=89216
On Fri, 2019-04-12 at 13:33 -0600, Chris Murphy wrote:
Hi,
I ran into this "fun" hack
https://news.ycombinator.com/item?id=19642554 and I'm wondering
whether it'd be a good idea for F31 to ship with:
#AllowAgentForwarding no
#PasswordAuthentication no
Cockpit provides an interface to add SSH public keys for a while now.
However the installer doesn't require creation of an admin user, it's
an option.
Related to that, I'd like to see the installer:
a. Require creation of a non-root user with "Make this user
administrator" checked by default
b. Root user has "Lock root account" checked by default
When I check "lock root account" and return to the installation
overview, it shows for root user that logins are disabled, so it's
not
like the person doing the install has to go dig around for the fact
root user will be disabled. And they can easily uncheck it and set a
password.
Any thoughts?
--
Chris Murphy
_______________________________________________
server mailing list -- server(a)lists.fedoraproject.org
To unsubscribe send an email to server-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org --
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.