> Or simply have a page asking the user whether or not to enable ssh? I
> can't recall off the top of my head, but I believe there is a screen
> where you ask if you want the firewall enabled, right? Why not have a
> very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
> it off, set the firewall to allow ssh and turn ssh on. If the user does
> _not_ check it off (aka they are sitting back and saying "what is this
> ssh thing they speak of?") then have the firewall block port 22 and
> chkconfig ssh off.

Isn't that only part of the solution? Why would we ever need to have PermitRootLogin to true? My memory is a little rusty but I'm pretty sure the install forces the creation of a user account. I've never done a headless install so I know nothing about how that works. However, we shouldn't let a minority of installations compromise the security of the majority. As someone has already pointed out, can't they have a different spin to allow whatever they might need?

Are there any other services that are listening by default and allowed through the firewall? I believe there should be none of either. However, I have been called paranoid in the past. :)

---
Will Y

--
security mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/security
