Hello, I see more viable to resurrect a bug #89216 [1] and change a default configuration (not only in fedora server) to
PermitRootLogin no
or at least prohibit-password. It can at least nudge for using better workflows using sudo.
I did not have an energy to persuade this change during last years, especially because there used to be such a huge pushback in the past.
If you wish to help me in this way, I would strongly appreciate this change in OpenSSH.
SSH agent forwarding can be indeed dangerous, but only if the server was already compromised (by running outdated system with privilege escalation vulnerabilities).
Regards, Jakub
[1] https://bugzilla.redhat.com/show_bug.cgi?id=89216
On Fri, 2019-04-12 at 13:33 -0600, Chris Murphy wrote:
Hi,
I ran into this "fun" hack https://news.ycombinator.com/item?id=19642554 and I'm wondering whether it'd be a good idea for F31 to ship with:
#AllowAgentForwarding no #PasswordAuthentication no
Cockpit provides an interface to add SSH public keys for a while now. However the installer doesn't require creation of an admin user, it's an option.
Related to that, I'd like to see the installer: a. Require creation of a non-root user with "Make this user administrator" checked by default b. Root user has "Lock root account" checked by default
When I check "lock root account" and return to the installation overview, it shows for root user that logins are disabled, so it's not like the person doing the install has to go dig around for the fact root user will be disabled. And they can easily uncheck it and set a password.
Any thoughts?
-- Chris Murphy _______________________________________________ server mailing list -- server@lists.fedoraproject.org To unsubscribe send an email to server-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org