Joakim Tjernlund wrote: > How is local root pw any different than domain pw? In your view remote > root access is a big nono so sssd should also enforce no remote root login in > that case.
Yes, remote root password is a big no-no. Because it would be effective on all systems at once circumventing most security mechanisms. I really appreciate sssd denying root completely. Most people concerned about security surely agree. If you personally don't like this important aspect of sssd just use something else. > You just said it: "best practice", not a law. In this context, sssd > dictates policy > and that is not sssd's call to make IMHO. You should encourage best > practice though. > One day we will get there but not today :) It seems you don't have proper operational processes on your side to handle incidents and lock out your users from doing something bad. Then you ask for a significant security relevant change in a widely used component. That sucks. Ciao, Michael.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-users
