Hello Daniel,

Daniel. [2019-01-10 23:26 -0200]:
> I just installed cockpit in a server that I have access exclusively with
> ssh keys, my surprise is that the user hasn't a password and installing
> cockpit make possible to login without password opening a breach.

*Never* have users with an empty password (i.e. no password)! As you see,
this will allow anyone else to log into the system as that user, via cockpit
or su. Just disabling one avenue of login (e.g. by disabling password
authentication in sshd_config) leaves too many other holes open.

Note that cockpit is doing nothing special, /etc/pam.d/cockpit just includes
the common "password-auth" PAM module.

The proper way to configure such user accounts is to not have a valid empty
password, but a locked one:

    sudo passwd --lock thatuser

Martin
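
An added example, not part of the original message: a shell audit that tells an empty password field apart from a locked one in a shadow(5)-format file, which is the distinction the reply draws. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# classify_shadow FILE: print "user<TAB>state" for each entry of a
# shadow(5)-format file. States:
#   EMPTY  - password field is empty: a blank password is accepted
#   LOCKED - field starts with "!" or "*": no password can ever match
#            ("passwd --lock" prefixes the field with "!")
#   SET    - field holds a password hash
classify_shadow() {
    awk -F: '
        /^#/   { next }                      # skip comment lines
        NF < 2 { next }                      # skip blank or malformed lines
        {
            state = "SET"
            if ($2 == "")          state = "EMPTY"
            else if ($2 ~ /^[!*]/) state = "LOCKED"
            printf "%s\t%s\n", $1, state
        }' "$1"
}

# empty_password_users FILE: names of accounts whose password field is empty.
empty_password_users() {
    classify_shadow "$1" | awk -F'\t' '$2 == "EMPTY" { print $1 }'
}

# Constructed sample entries in shadow(5) format (not from a real system).
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhash:17900:0:99999:7:::
daemon:*:17900:0:99999:7:::
thatuser::17900:0:99999:7:::
keyonly:!:17900:0:99999:7:::
lockedhash:!$6$constructedsalt$constructedhash:17900:0:99999:7:::
EOF
}

# On a live system (needs root): empty_password_users /etc/shadow
```

Every account the audit reports as EMPTY is a candidate for `sudo passwd --lock`, after which it shows up as LOCKED while key-based ssh login keeps working.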
