cloud-init team mailing list archive

Re: Questions as I read: disable_root

 

On Wed, 21 Dec 2016, Michael Felt wrote:

> The default behavior in some linux distributions is to disable login to root
> regardless of where the user is coming. Having a way to set this, regardless
> of the distro default I see as a big plus - HOWEVER, from an AIX viewpoint I
> have a question/comment.
>
> Within AIX (and maybe Linux, freebsd, et al) it is possible to distinguish
> between login from a remote location (i.e., via network) or "local" - via
> console or physical COM (rs232) port. I expect the cloud-init model is as I
> have experienced (limited) Linux. Login is available/permitted regardless of
> "wherefrom", or it is denied - regardless.
>
> What I would like to see (read, what I recommend) for root on AIX, is that by
> default "remote" login is disabled, but "local" login is permitted. In other
> words, login via a virtual console (via HMC or IVM) is permitted, otherwise -
> not.
>
> So, I would add an extra setting:
>
> disable_root: false|true|remote

Currently, disable_root is only used in the cc_ssh.py, and only
actually affects remote logins (and even then, only those via ssh).

It does that through .ssh/authorized_keys.

> and the default is true for cloud-init (aix distro would change its value to
> remote).

So, assuming you have a password configured, that's what you'd get right
now for the limited set of remote logins of 'ssh'.
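
An added example, not part of the original mail and not cloud-init's own code: a small audit of root's authorized_keys that reports which keys carry a forced command and which allow a direct root ssh login. It assumes the restriction is expressed as key options with a command="..." prefix; the function names and the sample file are constructed for illustration.

```python
import re

# Key-type tokens; a line starting with one has no options field (cert types omitted).
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")

# Constructed sample of a root authorized_keys file (keys are not real).
SAMPLE = r'''
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed cloud-key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed admin@laptop
'''

def split_options(line):
    """Return (options, rest); commas and spaces inside "..." do not split."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return [], line
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and line.startswith('\\"', i):   # escaped quote inside a value
            cur, i = cur + '\\"', i + 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == ",":
            opts.append(cur)
            cur, i = "", i + 1
            continue
        elif not in_quote and ch in " \t":
            break
        cur, i = cur + ch, i + 1
    opts.append(cur)
    return opts, line[i:].strip()

def audit(text):
    """Return [(key comment, has forced command)] for every key line."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        forced = any(o.lower().startswith("command=") for o in opts)
        fields = rest.split()
        results.append((fields[2] if len(fields) > 2 else rest, forced))
    return results

if __name__ == "__main__":
    for comment, forced in audit(SAMPLE):
        print(comment, "restricted" if forced else "UNRESTRICTED root login")
```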

