Joakim Tjernlund wrote:
> How is local root pw any different than domain pw? In your view remote 
> root access is a big nono so sssd should also enforce no remote root login in 
> that case.

Yes, remote root password is a big no-no. Because it would be effective on all
systems at once circumventing most security mechanisms.

I really appreciate sssd denying root completely. Most people concerned about
security surely agree.

If you personally don't like this important aspect of sssd just use something
else.

> You just said it: "best practice", not a law. In this context, sssd 
> dictates policy
> and that is not sssd's call to make IMHO. You should encourage best 
> practice though.
> One day we will get there but not today :) 

It seems you don't have proper operational processes on your side to handle
incidents and lock out your users from doing something bad. Then you ask for a
significant security relevant change in a widely used component. That sucks.

Ciao, Michael.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply via email to