cloud-init team mailing list archive
Mailing list archive
Re: Questions as I read: disable_root
On 09/01/2017 19:38, Scott Moser wrote:
Surprise! - I would have expected it to be arranged via sshd_config.
I'll read up in cc_ssh.py.
FYI: AIX has user attributes: login and rlogin (which are generally
ignored by openssh). login is the attribute to control long via a
"physical" port (read/think /dev/tty00, /dev/console) and rlogin for
"any other" path (think "telnet", better IP based connections through
On Wed, 21 Dec 2016, Michael Felt wrote:
The default behavior in some linux distributions is to disable login to root
regardless of where the user is coming. Having a way to set this, regardless
of the distro default I see as a big plus - HOWEVER, from an AIX viewpoint I
have a question/comment.
Within AIX (and maybe Linux, freebsd, et al) it is possible to distinguish
between login from a remote location (i.e., via network) or "local" - via
console or physical COM (rs232) port. I expect the cloud-init model is as I
have experienced (limited) Linux. Login is available/permited regardless of
"wherefrom", or it is denied - regardless.
What I would like to see (read, what I recommend) for root on AIX, is that by
default "remote" login is disabled, but "local" login is permitted. In other
words, login via a virtual console (via HMC or IVM) is permitted, otherwise -
So, I would add an extra setting:
Currently, disable_root is only used in the cc_ssh.py, and only
actually affects remote logins (and even then, only those via ssh).
It does that through .ssh/authorized_keys.
Further, I noticed that linux distro versions differ in whether root
login is permitted, or not. e.g., Debian wheezy permitted root login,
and debian jessie does not. I was thinking that "disable_root" was
working more in this sense, than in an "ssh" config setting.
Crossed signals: time to read.
and the default is true for cloud-init (aix distro would change it's value to
So, assuming you have a password configured, thats' what you'd get right
now for the limited set of remote logins of 'ssh'.