Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-23 Thread Adam Williamson
On Thu, 2019-05-23 at 12:13 -0500, Dennis Gilmore wrote: > On Fri, May 17, 2019 at 7:24 AM Stephen Gallagher wrote: > > On Thu, May 16, 2019 at 2:54 PM Ben Cotton wrote: > > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd > > > > > > == Summary == > > > The upstream

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-23 Thread Dennis Gilmore
On Fri, May 17, 2019 at 7:24 AM Stephen Gallagher wrote: > > On Thu, May 16, 2019 at 2:54 PM Ben Cotton wrote: > > > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd > > > > == Summary == > > The upstream OpenSSH disabled password logins for root back in 2015. > > The

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-23 Thread Przemek Klosowski
On 5/23/19 10:24 AM, stan via devel wrote: On Mon, 20 May 2019 14:33:57 -0400 Przemek Klosowski via devel wrote: Right, but it's just a stepping stone to a world with universal authentication, and granular authorization based on credentials from that universal authentication. I hope that

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-23 Thread stan via devel
On Mon, 20 May 2019 14:33:57 -0400 Przemek Klosowski via devel wrote: > Right, but it's just a stepping stone to a world with universal > authentication, and granular authorization based on credentials from > that universal authentication. I hope that world never arrives. That would be

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-20 Thread Przemek Klosowski via devel
On 5/20/19 12:19 PM, Kevin Fenzi wrote: On 5/20/19 9:09 AM, Przemek Klosowski wrote: On 5/17/19 4:34 PM, Kevin Fenzi wrote: So, this is basically the old cloud-init makes a user that can sudo to root thing. Can anyone explain in small words how this is more secure? In a large system, it

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-20 Thread Kevin Fenzi
On 5/20/19 9:09 AM, Przemek Klosowski wrote: > On 5/17/19 4:34 PM, Kevin Fenzi wrote: >> So, this is basically the old cloud-init makes a user that can sudo to >> root thing. Can anyone explain in small words how this is more secure? > > In a large system, it allows granular revocation of access

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-20 Thread Przemek Klosowski
On 5/17/19 4:34 PM, Kevin Fenzi wrote: So, this is basically the old cloud-init makes a user that can sudo to root thing. Can anyone explain in small words how this is more secure? In a large system, it allows granular revocation of access (Joe Bow quit and we disabled his account) and

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-20 Thread Stephen Gallagher
On Fri, May 17, 2019 at 4:35 PM Kevin Fenzi wrote: > > On 5/17/19 5:23 AM, Stephen Gallagher wrote: > > ...snip... > > > 3) Force Anaconda to require the creation of a non-root user that is a > > member of the `wheel` group, so that this user can be used to SSH in > > and administer the system.

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-20 Thread Jakub Jelen
On Fri, 2019-05-17 at 11:54 -0700, Kevin Fenzi wrote: > On 5/17/19 11:34 AM, Stephen John Smoogen wrote: > > On Fri, 17 May 2019 at 14:02, Chris Adams > > wrote: > ...snip... > > > > Make it a predefined kickstart thing they can do so all they > > > > have to do > > > is > > > > add a line in it

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-19 Thread Christopher
On Sun, May 19, 2019 at 3:28 PM Kevin Fenzi wrote: > > On 5/19/19 10:53 AM, Nico Kadel-Garcia wrote: > > On Sun, May 19, 2019 at 12:14 PM Kevin Fenzi wrote: > >> In cloud-init land, the user can set a password by using their "sudo" > > privileges, and can set it for the "root" user and for the

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-19 Thread Kevin Fenzi
On 5/19/19 10:53 AM, Nico Kadel-Garcia wrote: > On Sun, May 19, 2019 at 12:14 PM Kevin Fenzi wrote: >> In cloud-init land, the user can set a password by using their "sudo" > privileges, and can set it for the "root" user and for the "ec2puser" > or other cloud user. I don't think that Fedora

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-19 Thread Nico Kadel-Garcia
On Sun, May 19, 2019 at 12:14 PM Kevin Fenzi wrote: > > On 5/19/19 8:48 AM, Christopher wrote: > > On Fri, May 17, 2019 at 4:35 PM Kevin Fenzi wrote: > >> > >> On 5/17/19 5:23 AM, Stephen Gallagher wrote: > >> > >> ...snip... > >> > >>> 3) Force Anaconda to require the creation of a non-root

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-19 Thread Kevin Fenzi
On 5/19/19 8:48 AM, Christopher wrote: > On Fri, May 17, 2019 at 4:35 PM Kevin Fenzi wrote: >> >> On 5/17/19 5:23 AM, Stephen Gallagher wrote: >> >> ...snip... >> >>> 3) Force Anaconda to require the creation of a non-root user that is a >>> member of the `wheel` group, so that this user can be

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-19 Thread Christopher
On Fri, May 17, 2019 at 4:35 PM Kevin Fenzi wrote: > > On 5/17/19 5:23 AM, Stephen Gallagher wrote: > > ...snip... > > > 3) Force Anaconda to require the creation of a non-root user that is a > > member of the `wheel` group, so that this user can be used to SSH in > > and administer the system.

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Chris Adams
Once upon a time, Stephen John Smoogen said: > Look its Friday. I don't drink, I don't smoke, and I am trying to cut > swearing. All that leaves me is a nice can of hyperbole. :) Sorry, didn't mean to pick on you, though yeah, that's what it sounded like. I guess I'm in favor of this because

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Chris Adams
Once upon a time, Kevin Fenzi said: > Some may notice this has already happened in Fedora 22: > > https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html?highlight=ssh#sshkey Ahh, good to know. I admit, I mostly do kickstart installs on CentOS, so I hadn't seen this. Guess I will

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Nico Kadel-Garcia
On Thu, May 16, 2019 at 2:54 PM Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd > > == Summary == > The upstream OpenSSH disabled password logins for root back in 2015. > The Fedora should follow to keep security expectation and avoid users > surprises

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Omar Diaa
؛/ٍُِ On Fri, May 17, 2019 at 10:35 PM Kevin Fenzi wrote: > On 5/17/19 5:23 AM, Stephen Gallagher wrote: > > ...snip... > PLEASE I AM NOT SUBSCRIBING THIS THREAD AND ALL FEDORA ANYMORE I AM NOT IN GSOC I DO NOT WANT THESE MAILS PLEASE !!! > > > 3) Force Anaconda to

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Kevin Fenzi
On 5/17/19 5:23 AM, Stephen Gallagher wrote: ...snip... > 3) Force Anaconda to require the creation of a non-root user that is a > member of the `wheel` group, so that this user can be used to SSH in > and administer the system. Essentially, remove the root user creation > spoke as an option

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Kevin Fenzi
On 5/17/19 11:34 AM, Stephen John Smoogen wrote: > On Fri, 17 May 2019 at 14:02, Chris Adams wrote: ...snip... >>> Make it a predefined kickstart thing they can do so all they have to do >> is >>> add a line in it that says >>> >>> ssh_remote --user= --keyfile= --yesIwantrootandIknowitsbad >> >>

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Stephen John Smoogen
On Fri, 17 May 2019 at 14:02, Chris Adams wrote: > Once upon a time, Stephen John Smoogen said: > > So a lot of sites have set up that you remotely kickstart a system and > then > > ansible in as root with the rest of the configurations. It is the biggest > > reason we have been keeping this as

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Christopher
On Fri, May 17, 2019 at 8:24 AM Stephen Gallagher wrote: > > On Thu, May 16, 2019 at 2:54 PM Ben Cotton wrote: > > > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd > > > > == Summary == > > The upstream OpenSSH disabled password logins for root back in 2015. > > The

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Chris Adams
Once upon a time, Stephen John Smoogen said: > So a lot of sites have set up that you remotely kickstart a system and then > ansible in as root with the rest of the configurations. It is the biggest > reason we have been keeping this as active for a long time. You are > breaking all those

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Julen Landa Alustiza
If someone is remotely installing with kickstart in a non-interactive way I assume they have enough knowledge to modify that ks to either add a pubkey to root or modify sshd_config. Anyhow yeah, would be great to help making this easy with a ks default, or macros Stephen John Smoogen igorleak

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Stephen John Smoogen
On Fri, 17 May 2019 at 10:41, Julen Landa Alustiza wrote: > We are not disabling root access entirely, you can log on local console or > use su after logging in with a normal user. > > So a lot of sites have set up that you remotely kickstart a system and then ansible in as root with the rest of the

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Julen Landa Alustiza
Sorry, I'm on mobile and I mis-sent the draft :S I'm not sure if it's clear: we don't really need so many constraints on anaconda. (active root with pass and regular user) or regular user on wheel group would be enough to elevate privileges on a just installed box remotely Julen Landa Alustiza

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Julen Landa Alustiza
We are not disabling root access entirely, you can log on local console or use su after logging in with a normal user. After installing server without the proposed changes (that could be great, but not needed) you can log in with the normal user and use su to escalate privileges and either change

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Stephen Gallagher
On Fri, May 17, 2019 at 8:37 AM Martin Kolman wrote: > > On Fri, 2019-05-17 at 08:23 -0400, Stephen Gallagher wrote: > > 3) Force Anaconda to require the creation of a non-root user that is a > > member of the `wheel` group, so that this user can be used to SSH in > > and administer the system.

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Stephen Gallagher
On Fri, May 17, 2019 at 9:09 AM Mauricio Tavares wrote: > > On Fri, May 17, 2019 at 8:24 AM Stephen Gallagher wrote: > > 3) Force Anaconda to require the creation of a non-root user that is a > > member of the `wheel` group, so that this user can be used to SSH in > > and administer the system.

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Mauricio Tavares
On Fri, May 17, 2019 at 8:24 AM Stephen Gallagher wrote: > > On Thu, May 16, 2019 at 2:54 PM Ben Cotton wrote: > > > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd > > > > == Summary == > > The upstream OpenSSH disabled password logins for root back in 2015. > > The

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Martin Kolman
On Fri, 2019-05-17 at 08:23 -0400, Stephen Gallagher wrote: > On Thu, May 16, 2019 at 2:54 PM Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd > > > > == Summary == > > The upstream OpenSSH disabled password logins for root back in 2015. > > The Fedora

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-17 Thread Stephen Gallagher
On Thu, May 16, 2019 at 2:54 PM Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd > > == Summary == > The upstream OpenSSH disabled password logins for root back in 2015. > The Fedora should follow to keep security expectation and avoid users > surprises

Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-16 Thread Jonathan Wakely
On 16/05/19 14:53 -0400, Ben Cotton wrote: https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd == Summary == The upstream OpenSSH disabled password logins for root back in 2015. The Fedora should follow to keep security expectation and avoid users surprises with this

Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

2019-05-16 Thread Ben Cotton
https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd == Summary == The upstream OpenSSH disabled password logins for root back in 2015. The Fedora should follow to keep security expectation and avoid users surprises with this configuration. == Owner == * Name: [[User:jjelen|
