F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Dennis Gilmore dennis at ausil.us
Wed Jan 14 17:55:33 UTC 2015



On Wed, 14 Jan 2015 12:34:22 -0500 (EST)
Miloslav Trmač <mitr at redhat.com> wrote:

> > On Wed, 14 Jan 2015 16:54:09 +0000 (UTC)
> > P J P <pj.pandit at yahoo.co.in> wrote:
> > > > On Wednesday, 14 January 2015 8:01 PM, Simo Sorce wrote:
> > > > Ok, I state my opposition to without-password too unequivocally
> > > > here. Mostly because it is just the same as 'no', given there
> > > > is no way, in a regular install to seed a key into the root
> > > > account.
> > > > 
> > > > Except you have no mechanism to inject a key at installation
> > > > time,
> > > 
> > >    Sure. Could you please elaborate how would you like this key
> > > to be injected into the 'root' account? Feature page does have a
> > > listed workflow change:
> > > 
> > >   "Anaconda installer OR maybe OpenSSH package needs to create
> > >    initial set of authentication keys for 'root' user."
> 
> That’s not how, to my knowledge, ssh keys are usually deployed; there
> is one private key per user (or, for the paranoid, one private key
> per client machine / user’s home directory), not one private key per
> the server one is connecting to.  And creating a key does not really
> solve the problem: how do the administrators get the key so that they
> can connect?
> 
> 
> > > I'd request all (those who are opposing) to describe their
> > > requirements in the etherpad page above.
> > 
> > Being able to authenticate as root right after installation would be
> > the requirement for me.
> 
> Let’s be precise here; “able to authenticate as root” is an
> implementation detail; the underlying requirement is something else.
> “Able to set up IPA”?  “Able to run administrative commands in
> shell?” (e.g. we could just, as a part of firstboot, open a root
> shell without any authentication ☺ ). Mirek

Except that will not work when you do not have access to a console and
only have ssh access.

Dennis

