On Wed, 14 Jan 2015 16:54:09 +0000 (UTC)
P J P <pj.pandit(a)yahoo.co.in> wrote:
> > On Wednesday, 14 January 2015 8:01 PM, Simo Sorce wrote:
> > Ok, I state my opposition to without-password too inequivocably
> > here. Mostly because it is just the same as 'no', given there is no
> > way, in a regular install to seed a key into the root account.
> >
> > Except you have no mechanism to inject a key at installation time,
>
> Sure. Could you please elaborate how would you like this key to be
> injected into the 'root' account? Feature page does have a listed
> workflow change:
>
> "Anaconda installer OR maybe OpenSSH package needs to create
> initial set of authentication keys for 'root' user."
That’s not how, to my knowledge, ssh keys are usually deployed; there is one private key
per user (or, for the paranoid, one private key per client machine / user’s home
directory), not one private key per the server one is connecting to. And creating a key
does not really solve the problem: how do the administrators get the key so that they can
connect?
> I'd request all(those who are opposing) too describe their
> requirements in the etherpad page above.
Being able to authenticate as root right after installation would be
the requirement for me.
Let’s be precise here; “able to authenticate as root” is an implementation detail; the
underlying requirement is something else. “Able to set up IPA”? “Able to run
administrative commands in shell?” (e.g. we could just, as a part of firstboot, open a
root shell without any authentication ☺ ).
Mirek