On Thu, 2015-01-08 at 13:52 -0500, Miloslav Trmač wrote:
> > > > The only other approach I could see for the headless servers
> > > > would be mandating the enrollment in an identity domain at
> > > > installation time (such as to FreeIPA or Active Directory).
> > >
> > > And in this scenario we should absolutely disable PermitRootLogin.
> >
> > So that if you have issues with the connector, you have to reboot the
> > machine and be physically present to fix anything.
> >
> > Not really a grand plan IMO.
>
> Earlier in the discussions I was told that this is not really an issue:
> in production, about every server with remote access also has a KVM.
> Mirek

I don't think that's necessarily true. I've seen plenty of sites where
they have a literal, physical "crash cart" they have to wheel out to
plug in when remote access is broken.