About sshd(8) PermitRootLogin=no

Kurt Seifried kseifried at redhat.com
Wed Dec 3 16:07:09 UTC 2014


On 02/12/14 07:28 AM, Tristan Santore wrote:
> I would just like to make sure that new users are aware of what we are
> doing. We already have password quality controls and warnings in
> anaconda. If we go along the path of root user+password and then the
> need for a user login first to then sudo or su to root, I think we
> should dump a warning or notification in anaconda. Further, this does
> not appear to address the issue of remote installs via vnc/spice. I am
> not sure about the latest VNC and Spice, but do they now encrypt traffic?
> I never looked into VNC changes in TigerVNC again, but I am aware it
> supports extensions to that effect. Are these default though in
> anaconda's VNC implementation, does it throw people out if they do not
> use encryption or does it allow non-secure fallback?

More to the point, who cares in that situation? Many cloud providers use
the VNC terminal to provide "console" access which is then provided via
HTTPS to the end user (so the only unencrypted part is from your VM to
the host server, in other words if an attacker can sniff that they own
the box).

I, along with many cloud people, would be highly annoyed to have the
root account disabled by default. But the times are a changing so maybe
it's not such a terrible thing.

> Just a few thoughts on my part.
> 
> Regards,
> 
> Tristan
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
