Joakim Tjernlund wrote:
> How is local root pw any different than domain pw? In your view remote
> root access is a big nono so sssd should also enforce no remote root
> that case.
Yes, remote root password is a big no-no. Because it would be effective
systems at once circumventing most security mechanisms.
You missed the point. You claim remote root is a nono yet you suggest to
remotely with local root pw.
I really appreciate sssd denying root completely. Most people concerned
security surely agree.
But it don't. sssd does not deny remote local root pw logins.
If you personally don't like this important aspect of sssd just use
> You just said it: "best practice", not a law. In this context, sssd
> dictates policy
> and that is not sssd's call to make IMHO. You should encourage best
> practice though.
> One day we will get there but not today :)
It seems you don't have proper operational processes on your side to
incidents and lock out your users from doing something bad. Then you
significant security relevant change in a widely used component. That
But I don't. I just ask for the possibility choose. Let the default be as
Please keep me on CC