Joakim Tjernlund wrote:
> How is local root pw any different than domain pw? In your view remote
> root access is a big nono so sssd should also enforce no remote root
> login in that case.
Yes, remote root password is a big no-no. Because it would be effective
on all systems at once circumventing most security mechanisms.
You missed the point. You claim remote root is a nono yet you suggest to
log in remotely with local root pw.
I really appreciate sssd denying root completely. Most people concerned
about security surely agree.
But it doesn't. sssd does not deny remote local root pw logins.
If you personally don't like this important aspect of sssd just use
something else.
> You just said it: "best practice", not a law. In this context, sssd
> dictates policy
> and that is not sssd's call to make IMHO. You should encourage best
> practice though.
> One day we will get there but not today :)
It seems you don't have proper operational processes on your side to
handle incidents and lock out your users from doing something bad. Then
you ask for a significant security-relevant change in a widely used
component. That sucks.
But I don't. I just ask for the possibility to choose. Let the default be
as is.
PS.
Please keep me on CC
Jocke
Ciao, Michael.