On 5/19/19 10:53 AM, Nico Kadel-Garcia wrote:
> On Sun, May 19, 2019 at 12:14 PM Kevin Fenzi <ke...@scrye.com> wrote:
> In cloud-init land, the user can set a password by using their "sudo"
> privileges, and can set it for the "root" user and for the "ec2puser"
> or other cloud user. I don't think that Fedora should try to outsmart
> all the different use cases for cloud deployment by selecting
> sshd_config.

Sure, I wasn't suggesting we change the cloud case by messing with
sshd_config. I was suggesting we stop making a 'fedora' non-root user,
but I guess I should just go back to grumbling and repoint the thread to
the topic at hand.

> ...snip...
>> As noted, the cloud-init case has no passwords, only keys.
> 
> You forgot "ec2puser".

Let me rephrase: By default out of the box, our Fedora Cloud images have
no passwords, only keys for access. You can of course change this after
the fact in any number of ways.

>> If I am using ssh keys, I don't care about people trying to brute force
>> passwords. Forcing the root account closed and having to use a 'user'
>> account to login and sudo just seems like a pointless hoop.
> 
> It provides tracking of which user's credentials have been abused.

No it does not. Once the abuser logs in and does sudo to root, all local
tracking is now useless and suspect. The abuser can erase/tamper/change
any logs you might look at later. By default there's no remote logging
or the like in Fedora Cloud.

>> root account with key -> login as root with key
>> user account with key / root locked -> login as user, sudo
>>
>> That's another shell running, another sudo process, etc.
> 
> Yes, and for precisely the reasons above.

Which reasons? I'm afraid I still don't see anything compelling.

Anyhow, sorry for hijacking the thread away from the topic to
cloud-init. :( I'll stop now. :)

kevin
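The two layouts compared above (key login straight to root versus a locked root plus a sudo user), written as cloud-init user-data with the remote-logging counter to the "logs are tamperable after sudo" point. This is an added example for illustration, not a config from the thread or from Fedora's images; the user name "ops", the keys and the 192.0.2.10 log host are constructed placeholders.

```yaml
#cloud-config
# Added example, not from the thread. Keys, names and addresses are placeholders.

# --- Layout A: key-based login straight to root, no extra user ---
disable_root: false          # root's authorized_keys are left unrestricted
ssh_pwauth: false            # no password auth at all ("keys only" default)
users: []                    # assumption: empty list suppresses the default
                             # ("fedora"/"ec2-user"-style) account
ssh_authorized_keys:
  - ssh-ed25519 AAAAPLACEHOLDERKEY ops@example

# --- Layout B: root locked, unprivileged user logs in and uses sudo ---
# (uncomment this block and drop the Layout A keys to use it instead)
# disable_root: true         # root keys get a "please login as ..." wrapper
# users:
#   - name: ops
#     lock_passwd: true      # no password for the user either; key only
#     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
#     ssh_authorized_keys:
#       - ssh-ed25519 AAAAPLACEHOLDERKEY ops@example

# Whichever layout is used, a session that reaches root can rewrite local
# logs, so per-key attribution only survives if log lines leave the host
# first. cloud-init's rsyslog module can set up that forwarding:
rsyslog:
  remotes:
    central: "192.0.2.10:514"   # placeholder collector address
```

The `users: []` behaviour and the exact wrapper cloud-init puts on root's keys when `disable_root` is set are stated as assumptions; check them against the cloud-init version in the image before relying on either.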


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
