Hello Simo,
On Wednesday, 14 January 2015 2:29 AM, Simo Sorce wrote:
Sorry this is false. You got enough emails telling you this
change is undesirable, that's the definition of opposition
and means you have no _consensus_.
IIUC, that was for disabling remote root access completely with
'PermitRootLogin=no'.
As the 'PermitRootLoing=without-password' option seems more preferred. As for the
emails,
many folks have also said that it is a useful change.
IMO, the ones opposing are those who fear their current setups/practices would break.
Because they need remote 'root' access in their set-up. Which is a genuine
use-case.
And to support it, we could provide an option to enable remote root access with
'PermitRootLogin=Yes', based on the the user's response to Anaconda at install
time,
as was suggested in previous email. However, let's not assume _all_ Fedora users have
this use-case.
- IMHO, the change helps to harden Fedora systems and raise the security bar
a notch higher. It is similar to how we run services as non-root user instead
of 'root' user.
- The proposed change of using ssh keys for remote 'root' access introduces
that mechanism to a wider audience, which in turn would help increase its
usage in the future. Hence bring more value in the long term.
- IMO, it is beneficial to supply hardened default configurations, because
they protect maximum users and have greater impact, than otherwise. Security
is not a feature, it must be available by default.
- Of course that does not mean we overlook the usability aspect. As said before
intention is _not_ to trouble users, but increase their safety as much as we can.
Thank you.
---
Regards
-Prasad
http://feedmug.com