On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
>> is, which is why ssh provides the option:
>>
>> AllowRoot without-password
>
> Why would I want to enable that?

Because it's more secure than the default of allowing root logins with
password remotely. But forget it, it's not entirely on-topic, as I'd partially
misread what you'd said.

> That is a choice I got in PAM, sssd offers no choice.
> Still, I don't see how the above somehow documents sssd's
> "no root login whatsoever" policy. The docs actually hint the
> opposite:
>
> filter_users, filter_groups (string)
>     Exclude certain users from being fetched from the sss NSS database. This
>     is particularly useful for system accounts. This option can also be set
>     per-domain or include fully-qualified names to filter only users from the
>     particular domain.
>
>     Default: root
>
> This makes me think I only have to add an empty filter_users to allow root

Sure, the documentation encourages you to think you could disable it, and if
that's not the case, it's a flaw in the documentation.
Maybe you've got a point that sssd should allow this unusual setup.
jh
--
John Hodrien
Specialist IT and Unix, IT
Faculty of Engineering
0113 3435471
9.26 EC Stoner