Default user decisions
On Thu, May 01, 2008 at 09:48:45AM -0400, John Reese wrote:
> Marco Amadori wrote:
> > Alle Sunday 27 April 2008, Daniel Baumann ha scritto:
> >> The only other live system I know remotely, uses username 'ubuntu' and
> >> no password.
> >> That made me curious what others think. So, what do *you* guys think?
> >> Should it be left as is? Or do you have other preferences? How do other
> >> live systems do it?
> > ssh wise, Ubuntu's choice is more secure, because it disallows ssh logins if
> > the local console user did not provide a new password.
> > I think that using a NULL password like ubuntu do and providing both an
> > interactive way to change it and a boot parameter could be the way I would
> > like to have the user password managed.
> > That way we could have a more secure default image approach, a secure personal
> > use approach and the ability to set a password easely at build time.
> I have to agree with this. I really like the Ubuntu approach to
> securing the root/default users, and I'd like to put my support behind
> making this behavior the preferred method.
A user has to install ssh explicitly, anyway.
But what happens when that "secure" user installs a service that doesn't
care about empty passwords?
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir