F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Mike Pinkerton pselists at mindspring.com
Wed Jan 14 19:21:26 UTC 2015


On 14 Jan 2015, at 12:34, Miloslav Trmač wrote:

>>> I'd request all (those who are opposing) to describe their
>>> requirements in the etherpad page above.
>>
>> Being able to authenticate as root right after installation would be
>> the requirement for me.
>
> Let’s be precise here; “able to authenticate as root” is an  
> implementation detail; the underlying requirement is something  
> else.  “Able to set up IPA”?  “Able to run administrative  
> commands in shell?” (e.g. we could just, as a part of firstboot,  
> open a root shell without any authentication


It seems that the boxes affected by this proposal are either  
"product=server" or "product=nonproduct".  For servers, immediately  
after installing, I log in as root and run a set-up or configuration  
script which, among other things, sets the box to a non-graphical  
target and prevents firstboot from ever running.  I'm not sure why  
one would run firstboot on a server.

I also do something similar and prevent firstboot from running on  
boxes set up as general desktops for office workers, etc., as I don't  
want the first random user who logs into a box to be able to become  
part of the wheel group and have access to sudo.

As far as I can see, firstboot is only useful on one's personal box.

-- 
Mike Pinkerton


