About sshd(8) PermitRootLogin=no

Hubert Kario hkario at redhat.com
Thu Dec 4 13:50:17 UTC 2014


On Wednesday 03 December 2014 09:07:09 Kurt Seifried wrote:
> On 02/12/14 07:28 AM, Tristan Santore wrote:
> > I would just like to make sure that new users are aware of what we are
> > doing. We already have password quality controls and warnings in
> > anaconda. If we go along the path of root user+password and then the
> > need for a user login first to then sudo or su to root, I think we
> > should dump a warning or notification in anaconda. Further, this does
> > not appear to address the issue of remote installs via vnc/spice. I am
> > not sure about the latest VNC and Spice, but do they now encrypt traffic?
> > I never looked into VNC changes in TigerVNC again, but I am aware it
> > supports extensions to that effect. Are these default though in
> > anaconda's VNC implementation, does it throw people out if they do not
> > use encryption or does it allow non-secure fallback?
> 
> More to the point, who cares in that situation, many cloud providers use
> the VNC terminal to provide "console" access which is then provided via
> HTTPS to the end user (so the only unencrypted part is from your VM to
> the host server, in other words if an attacker can sniff that they own
> the box).
> 
> I, along with many cloud people, would be highly annoyed to have the
> root account disabled by default. But the times are a changing so maybe
> it's not such a terrible thing.

Well, as long as the cloud provider allows you to set up SSH keys and 
automatically installs them on any host you provision, I'd say it makes the 
configuration easier to manage and safer: *better* in all ways.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

