On Mon, 2019-04-15 at 16:31 +0200, Martin Kolman wrote:
On Fri, 2019-04-12 at 13:33 -0600, Chris Murphy wrote:
> Hi,
>
> I ran into this "fun" hack
>
https://news.ycombinator.com/item?id=19642554 and I'm wondering
> whether it'd be a good idea for F31 to ship with:
>
> #AllowAgentForwarding no
> #PasswordAuthentication no
>
> Cockpit provides an interface to add SSH public keys for a while now.
> However the installer doesn't require creation of an admin user, it's
> an option.
This is not entirely correct. During a "normal" installation from network or
DVD Anaconda, both interactive and kickstart Anaconda does require to have one of:
- a root user account with password set
- a user in the wheel group
If either of those is satisfied - or both - the installation can proceed.
Note that this does not check for the root/user account being locked. Apparently
Anaconda is just fine with a system that only has a root account with password set,
which is locked. I guess this could still be considered fine for some use cases ?
It is only in the special case od the live installation that we allow the installation
to proceed without the above condition (root with password/user in wheel group),
due to the root and user configuration spokes being disabled.
A slight correct, I
mean the Fedora Workstation live. The other Fedora live spins AFAIK
have the root & user configuration screens.
> Related to that, I'd like to see the installer:
> a. Require creation of a non-root user with "Make this user
> administrator" checked by default
> b. Root user has "Lock root account" checked by default
>
> When I check "lock root account" and return to the installation
> overview, it shows for root user that logins are disabled, so it's not
> like the person doing the install has to go dig around for the fact
> root user will be disabled. And they can easily uncheck it and set a
> password.
>
> Any thoughts?
>
> --
> Chris Murphy
> _______________________________________________
> server mailing list -- server(a)lists.fedoraproject.org
> To unsubscribe send an email to server-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org
_______________________________________________
server mailing list -- server(a)lists.fedoraproject.org
To unsubscribe send an email to server-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org