[Libosinfo] [PATCH] fedora,script: Allow passwordless SSH
Daniel P. Berrange
berrange at redhat.com
Fri Apr 22 12:28:29 UTC 2016
On Fri, Apr 22, 2016 at 01:17:24PM +0100, Zeeshan Ali (Khattak) wrote:
> HI Daniel,
>
> On Fri, Apr 22, 2016 at 1:00 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> > On Fri, Apr 22, 2016 at 12:58:40PM +0100, Zeeshan Ali (Khattak) wrote:
> >> If either user or admin accounts are passwordless, configure SSH server
> >> to allow empty passwords so these accounts can login through SSH.
> >> ---
> >> .../fedoraproject.org/fedora-kickstart-desktop.xml.in | 6 ++++++
> >> 1 file changed, 6 insertions(+)
> >
> > Do we really want todo this. IMHO apps should be enforcing a
> > non-zero length password for the accounts created by install
> > scripts. Configuring password-less ssh is madness given the
> > modern hostile network environments, even on intranets.
>
> Well without this patch, there is no way of SSHing into the guest if
> user/app chooses to have no password. Currently that is the default in
> Boxes but maybe Boxes should warn about it being unsecure but I think
> if user want passwordless machine, that is precisely what they should
> get.
IMHO it is irresponsible to configure VMs to allow network based
access with zero authentication. The only valid case where I can
see having no password is if you have instead injected an SSH
public key to allow key based login access. So rather than this
patch to modify the SSH server to turn off all auth, how about
adding config parameter to associate an SSH public key with
the user account.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the Libosinfo
mailing list