On Fri, 17 May 2019 at 14:02, Chris Adams <li...@cmadams.net> wrote:

> Once upon a time, Stephen John Smoogen <smo...@gmail.com> said:
> > So a lot of sites have set up that you remotely kickstart a system and then
> > ansible in as root with the rest of the configurations. It is the biggest
> > reason we have been keeping this as active for a long time. You are
> > breaking all those configs with a 'oh you can just login on a local
> > console'. That kickstart may not have any of that.. and the last thing a
> > sysadmin wants when they are building 4000 nodes somewhere is find out that
> > they need to add another 20 steps to their post..
>
> Well, I'd assume before building 4000 nodes, they'd test the kickstart
> (I test mine extensively on VMs before using on a real box). It isn't
> "another 20 steps" - either a sed one-liner to allow root or a mkdir and
> an echo to add an SSH key (which you'd probably do anyway if you're doing
> the rest with Ansible).
>

Look, it's Friday. I don't drink, I don't smoke, and I am trying to cut swearing. All that leaves me is a nice can of hyperbole.

You are right, 1-4 lines is what might be needed to do things.

> > Make it a predefined kickstart thing they can do so all they have to do is
> > add a line in it that says
> >
> > ssh_remote --user=<account> --keyfile=<url> --yesIwantrootandIknowitsbad
>
> If this is the desired path, I'd go with a couple of additional
> arguments to existing directives:
>
> --enablerootssh (for rootpw or maybe auth?)
> --sshkey (for both rootpw and user directives)
>

Yeah.. --sshkey is a better name than --keyfile and --enablerootssh is better than --yesIwantrootandIknowitsbad

> No matter if this proposal is done, having an --sshkey option would be
> nice, especially for Ansible use.
>
> I think this OpenSSH change to follow upstream (and many other OS)
> config is a good and overdue thing.
>

I am not disagreeing... but having been the person to do such security changes in the past.. it usually pisses off the people deploying the software enough to jump to something completely different. It always gets taken as 'You are more worried about security than usability' and a general feeling of disrespect to the sysadmins stuck with coming up with the change, who have 0 time to actually do that work. After 30+ years of being a security jerk.. I am just trying to say 'look people we can do better. if someone needs to get this done.. we should at least make it easier for them to do so in a way that is clear to an auditor later.' [Ah there goes another can of hyperbole.. ]

> --
> Chris Adams <li...@cmadams.net>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

--
Stephen J Smoogen.
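The "sed one-liner plus mkdir and echo" %post that the thread describes, written out as an added example (not code from the thread, Fedora, or Anaconda): it installs a root authorized key and sets PermitRootLogin to prohibit-password, so Ansible can reach root by key while password root login stays off. The paths, the key line and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Kickstart %post helper (added example; paths and key are placeholders).
# Gives root key-only SSH access for a later Ansible run and leaves
# password root login disabled: PermitRootLogin prohibit-password, not yes.
set -eu

# configure_root_ssh ROOT_HOME SSHD_CONFIG "PUBLIC_KEY_LINE"
configure_root_ssh() {
    root_home=$1; sshd_cfg=$2; pubkey=$3
    ssh_dir="$root_home/.ssh"
    keys="$ssh_dir/authorized_keys"

    # Directory and file modes that sshd's StrictModes accepts.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$keys"
    chmod 600 "$keys"
    # Idempotent: re-running %post (or a second call) must not duplicate the key.
    grep -qxF "$pubkey" "$keys" || printf '%s\n' "$pubkey" >> "$keys"

    # Rewrite every PermitRootLogin line, commented or not; append if none exists.
    # Assumes the directive sits outside any Match block, as in the stock file.
    # No sed -i: GNU and BSD sed differ, and a temp file works in both.
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]+' "$sshd_cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]+.*/PermitRootLogin prohibit-password/' \
            "$sshd_cfg" > "$sshd_cfg.tmp"
        mv "$sshd_cfg.tmp" "$sshd_cfg"
    else
        printf 'PermitRootLogin prohibit-password\n' >> "$sshd_cfg"
    fi
}

# What sshd will actually use: the first uncommented PermitRootLogin wins.
effective_permit_root_login() {
    awk '$1 == "PermitRootLogin" { print $2; exit }' "$1"
}

# Usage inside a kickstart (placeholder key):
# %post
# configure_root_ssh /root /etc/ssh/sshd_config "ssh-ed25519 AAAA...placeholder ansible@bastion"
# %end
```

The Ansible side then needs no password at all, and an auditor reading the kickstart sees exactly which key was granted root and that password root login was never turned on.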