F22 System Wide Change: Set sshd(8) PermitRootLogin=no
Przemek Klosowski
przemek.klosowski at nist.gov
Mon Jan 12 22:48:01 UTC 2015
First of all, I agree with you that PermitRootLogin without-password is
preferable.
The discussion I am interested in is whether direct password root login
should remain enabled.
On 01/12/2015 10:02 AM, Paul Wouters wrote:
> On Mon, 12 Jan 2015, Przemek Klosowski wrote:
>
>> - improves accountability for administrative actions (we know which
>> admin messed up :)
>
> Nonsense. for non-malicious logins, sudo leaves as much as a trail as
> sshd which tells you which credentials were used to login.
With root logins, all you have on the client machine is the IP the
connection originated from. If people have to get in on their own
accounts, those accounts leave audit trails, on multiple systems.
More importantly, there is one root for all users---if one user needs to
be blocked (e.g. sysadmin quits), the only solution is to change the
root password everywhere. Individual accounts can be controlled
independently, especially in setups with centralized account management
like Kerberos/IPA.
>
>> - allows more granularity in granting elevated privileges across a
>> set of machines and admins
>
> Nothing in the current setup is preventing you from allowing non-root
> remote access. Blocking direct root access does not "allow more
> granularity".
> You already have all the granularity if you want to use it.
But if the single-password root is enabled, why would anyone use those
granular methods?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150112/51b817d5/attachment.html>
More information about the devel
mailing list