About setting 'PermitRootLogin=no' in sshd_config

Nico Kadel-Garcia nkadel at gmail.com
Thu Nov 27 04:40:02 UTC 2014


On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit <i.grok at comcast.net> wrote:
> On Tue, Nov 25, 2014 at 09:56:59AM -0500, Simo Sorce wrote:
>> On Sat, 22 Nov 2014 08:24:32 +0000 (UTC) P J P wrote:
>> > > On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote:
>> > >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote:
>> > >> The latter.  We have to install authorized_keys inside the VM
>> > >> anyway, so we can touch sshd_config, too.
>> > >
>> > > Virt-builder has a new '--ssh-inject' feature (in F22 only).
>> > >
>> > >   $ virt-builder fedora-20 --ssh-inject root
>> > >
>> > > would inject your current ssh key into the root account of the new
>> > > VM. There are other variations, including ways to create a non-root
>> > > user account, see:
>> > >
>> > > http://libguestfs.org/virt-builder.1.html
>> >
>> >   Excellent! :)
>> >
>> > So far the consensus seems that it is okay to reverse the current
>> > default and set PermitRootLogin=no. I'll talk to the upstream
>> > maintainer - plautrba (https://fedoraproject.org/wiki/User:Plautrba).
>> >
>> > Thank you.
>>
>> We can install machine w/o user accounts, removing the ability to log
>> in as root via ssh means those machines will not be accessible.
>>
>> If you want to remove root access that should be conditionally done at
>> firstboot only if a user account was created.
>
> It seems to me that we could tweak this somewhat: "only if a user
> account was created OR remote users have been configured"

And in months that start with the letter "q", but not odd numbered
weekdays, and if I ate a tuna fish sandwich for lunch, but not if I'm
wearing white socks, and only on alternate years with a prime number,
etc, etc., etc.

Look, this is a basic system configuration. It's not "Cripple Mr.
Onion". Pick *one* setting, and let people know from that whether
they'll need to manipulate their local environments for their
particular subtle needs.

And for those who don't read Terry Pratchett stories,
http://discworld.wikia.com/wiki/Cripple_Mr_Onion
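The conditional firstboot rule quoted above (disable root SSH login only if a user account was created), as an added shell example that is not code from the thread or from Fedora. The passwd and sshd_config paths are parameters so it runs on constructed files, and treating uid >= 1000 with a real shell as a human account is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): firstboot-style helper for the rule
# "set PermitRootLogin=no only when some other account can log in".

# has_login_user PASSWD_FILE: succeeds if a non-root account with uid >= 1000
# (assumed human-user convention) and a real login shell exists.
has_login_user() {
    awk -F: '$1 != "root" && $3 >= 1000 && $7 !~ /(nologin|false)$/ { found = 1 }
             END { exit !found }' "$1"
}

# choose_permit_root_login PASSWD_FILE: prints the value to write.
choose_permit_root_login() {
    if has_login_user "$1"; then
        echo no
    else
        echo yes    # no other way in yet; keep root reachable
    fi
}

# set_permit_root_login SSHD_CONFIG VALUE: rewrites the first PermitRootLogin
# line (commented or not). If there is none before a Match block, the directive
# is inserted ahead of that block, since sshd honours the first global
# occurrence; with no Match block it is appended.
set_permit_root_login() {
    cfg=$1 value=$2
    tmp=$(mktemp)
    awk -v v="$value" '
        !done && (tolower($1) == "permitrootlogin" || tolower($1) == "#permitrootlogin") {
            print "PermitRootLogin " v; done = 1; next
        }
        !done && tolower($1) == "match" { print "PermitRootLogin " v; done = 1 }
        { print }
        END { if (!done) print "PermitRootLogin " v }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on constructed files (not real system files): a VM with only root and
# a system account keeps root login enabled.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nsshd:x:74:74::/var/empty:/sbin/nologin\n' > "$d/passwd"
    printf 'Port 22\n#PermitRootLogin prohibit-password\n' > "$d/sshd_config"
    set_permit_root_login "$d/sshd_config" "$(choose_permit_root_login "$d/passwd")"
    grep -n PermitRootLogin "$d/sshd_config"
    rm -rf "$d"
}

demo
```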