able to login as root via ssh :-(

Joel Rees joel_rees at sannet.ne.jp
Wed Aug 9 09:18:08 UTC 2006


> The issue if I recall correctly was that if you did a network install
> there was no user account initially that could be used to log into the
> remote system once the initial install had completed.  So the admin
> needed access as the root user to do the initial setup.  That should
> include creating a user account.  Once that user account is created the
> admin would use that account, disable root access, and use su or sudo to
> admin the box after first logging in as that user.
>
> It is a matter of getting the base level OS in place and having a
> relatively secure box in the process that will allow the admin to get
> access and apply patches and install required packages.
>
> This issue only applies to those admins that perform network installs
> and don't access the main console (headless systems) during the install
> process.  Could probably be considered a corner case but I think enough
> people do this that disabling root access to ssh by default would cause
> a major outcry.

On some OSes, remote installation is a standard practice.

IIRC, the typical technique for remote installing involved dropping  
out of the install script to the installer's mini shell and editing  
appropriate stuff before rebooting. This kind of remote install does  
require someone with physical access to the box to do something like  
insert the install CD and power up, of course. 8-|

My memory may be glossing over something here. It's been a few months  
since I monitored those MLs.

Anyway, RH/FC doesn't forget the root password set during install  
when you boot the first time in current versions, so if you choose an  
initial root password that is sufficiently hard (12 or more random  
characters is still pretty good at this point) it should survive port  
knocking long enough to ssh in, edit configs appropriately, and  
restart whatever services might need restarting (in the worst case of  
having to install from net without a firewall in the router).

I should note that the assumptions which led to advising against  
logging in as root are no longer considered as valid as they once were.
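
A check an admin could run after the first ssh session discussed in this thread, to confirm that root logins were actually turned off. This is an added example, not part of the original message; the function names and the sample config files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Prints the PermitRootLogin value from the global section of an sshd_config
# file, or "unset" if the file leaves it to the compiled-in default.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and a Match line ends the global section.
# Assumptions: Include directives are not followed; values are unquoted.
effective_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { sub(/=/, " ") }                       # accept "Keyword=value" too
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit  # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds only when root logins over ssh are explicitly refused.
root_ssh_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample configs: a fresh install, and the same box after the
# admin has created a normal account and locked root out.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/fresh" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
cat > "$sample_dir/hardened" <<'EOF'
# constructed sample
Port 22
permitrootlogin no
PermitRootLogin yes
EOF

for f in fresh hardened; do
    printf '%s: PermitRootLogin=%s\n' "$f" "$(effective_root_login "$sample_dir/$f")"
done
```

An "unset" result means the daemon falls back to its built-in default, which differs between OpenSSH releases, so treat it as "not yet disabled" rather than as safe.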
