F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Peter Robinson pbrobinson at gmail.com
Sun Jan 11 08:57:18 UTC 2015


>>>>> The only other approach I could see for the headless
>>>>> servers would be mandating the enrollment in an identity domain at
>>>>> installation time (such as to FreeIPA or Active Directory).
>>>>
>>>> And in this scenario we should absolutely disable PermitRootLogin.
>>>
>>> So that if you have issues with the connector, you have to reboot the
>>> machine and be physically present to fix anything.
>>>
>>> Not really a grand plan IMO.
>>
>> Earlier in the discussions I was told that this is not really an issue: in
>> production, about every server with remote access also has a KVM.
>
> Often not the case in small business or third party hosted environments.
> Without remote ssh, box is unmanageable.
>
> Even if you want to do key-based authentication rather than password, you
> still need to use password initially to get the key onto the remote box.

If you use cloud-init you can specify an initial public key that it
inserts against, or even auto enrol it in a central auth system like
IPA and hence not ever need a password.

Peter
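
The key-injection approach mentioned in the message above, as an added example that is not part of the original post: a cloud-init user-data file that creates an administrative account with a public key, locks its password, and turns off root and password logins over SSH. The account name, the key and the drop-in file name are constructed placeholders, and the drop-in assumes an sshd_config that includes /etc/ssh/sshd_config.d/*.conf.

```yaml
#cloud-config
# Added example: first-boot provisioning with no password ever set.
# "opsadmin" and the key below are placeholders, not values from the thread.

users:
  - name: opsadmin                 # hypothetical unprivileged admin account
    groups: wheel
    sudo: "ALL=(ALL) ALL"
    lock_passwd: true              # account has no usable local password
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY opsadmin@example.invalid

# cloud-init's own SSH handling
disable_root: true                 # root's authorized_keys only tells the caller to use another user
ssh_pwauth: false                  # sets PasswordAuthentication no

# Make the sshd policy explicit instead of relying on distribution defaults.
# Assumption: the main sshd_config has an Include for sshd_config.d/*.conf.
write_files:
  - path: /etc/ssh/sshd_config.d/10-no-root-login.conf
    owner: root:root
    permissions: "0600"
    content: |
      PermitRootLogin no
      PasswordAuthentication no

runcmd:
  # Validate the configuration before reloading so a typo cannot lock out
  # the only remote access path to a headless machine.
  - [ sh, -c, "/usr/sbin/sshd -t && systemctl reload sshd" ]
```

With `sudo` still requiring a password and `lock_passwd: true`, privilege escalation needs a credential from the central auth system; set a NOPASSWD rule only if the key alone is meant to grant root.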

