On Wed, 21 Dec 2016, Michael Felt wrote:
The default behavior in some linux distributions is to disable login to root
regardless of where the user is coming. Having a way to set this, regardless
of the distro default I see as a big plus - HOWEVER, from an AIX viewpoint I
have a question/comment.
Within AIX (and maybe Linux, freebsd, et al) it is possible to distinguish
between login from a remote location (i.e., via network) or "local" - via
console or physical COM (rs232) port. I expect the cloud-init model is as I
have experienced (limited) Linux. Login is available/permited regardless of
"wherefrom", or it is denied - regardless.
What I would like to see (read, what I recommend) for root on AIX, is that by
default "remote" login is disabled, but "local" login is permitted. In other
words, login via a virtual console (via HMC or IVM) is permitted, otherwise -
not.
So, I would add an extra setting:
disable_root: false|true|remote
Currently, disable_root is only used in the cc_ssh.py, and only
actually affects remote logins (and even then, only those via ssh).
It does that through .ssh/authorized_keys.
