About sshd(8) PermitRootLogin=no

Simo Sorce simo at redhat.com
Wed Dec 17 18:25:20 UTC 2014


On Wed, 17 Dec 2014 16:05:43 +0000 (UTC)
P J P <pj.pandit at yahoo.co.in> wrote:

> > On Tuesday, 16 December 2014 10:57 PM, Simo Sorce wrote:
> > The thing needs to be done during install, my servers boot
> > unattended.
> > 
> 
> > No, the key-word here is "easily", which is misguided.
> > It is not *easy* to have to jump through hoops to get a KVM/spice
> > connection to log in through the console to then go and change an
> > option.
> > 
> > It is not easy and it is not automatable, so you break a ton of
> > deployment/qa/automation scripts people rely on.
>  
> 
>   Sure, I agree. I'm not sure how these VM images are created and
> deployed, but there must be some way to handle such cases,
> 
>   ex ->
> https://lists.fedoraproject.org/pipermail/devel/2014-November/204663.html

These are specific cases, the problem is not crippling the general case.

> As said before, intention is not to break things too rough and bother
> users. But to make things secure while keeping them usable. If they
> are not usable, what good is that security?

Exactly, removing root access by default is not usable.
You can make it easy to disable it after the fact, or you can have
detection mechanisms to see if there are other ways into the system.

But you have to work to implement them, not block access by default and
then go tell people there are workarounds.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

