Server/Polish Ideas

From FedoraProject

< Server(Difference between revisions)
Jump to: navigation, search
m
m
Line 57: Line 57:
  
 
(from https://lists.fedoraproject.org/pipermail/server/2014-February/000754.html)
 
(from https://lists.fedoraproject.org/pipermail/server/2014-February/000754.html)
 +
 +
= 3. SSH key handling =
 +
 +
FreeIPA / OpenLMI integration so root doesn't need a password so when ssh into box on a fresh install you don't need to use passwords can use your SSH key.

Revision as of 17:04, 25 February 2014

1. System Identification

When you ssh into people.fedoraproject.org, you get some information including this bit:

Security Category: Low Primary Contact: Fedora Admins - admin@fedoraproject.org Purpose: Provide hosting space for Fedora contributors and Fedora Planet


This comes from http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/#HostGeneralSecurity-System-Identification

That's pretty neat. A lot of big organizations may have policies and a system like that, but it strikes me as something that would be neat to integrate into Fedora Server by default.

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000737.html)


To be honest I think it is a terrible idea to drop this information into an /etc file, because it would be a maintenance burden with the very plausible outcome of being a source of confusion.

This kind of information is normally held into a centralized catalog for obvious reasons, if you have that many systems that you need to write this down, you have to many to consult them one by one anyway, you need a central place where you can report on this stuff.

And you do not want to have to create services to synchronize this information locally. It is just useless busy work. But once the file exist you have to do it because otherwise people can get confused (or worse, programs can misbehave) if the information in the local file is wrong.

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000779.html)

2. Network Configuration

"You might install NetworkManager-config-server, which drops some server-type config files into /etc/NetworkManager/conf.d that do things like ignoring the carrier on all interfaces and ensuring NM never creates the default DHCP connections that are useful on desktops. There are other options in there, like making NM stop touching /etc/resolv.conf if you know you never need to update it. See "man NetworkManager.conf" for more details on all these options."

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000753.html )

Very much so. This is something Dan and I talked about at DevConf, actually. One of the things we'd probably want to do in each of the various Products is break out our default configurations into a subpackage that be pulled in by the respective Product release package as a way to install differing defaults. NetworkManager was the poster-child for this idea, though I expect there are plenty of other services that could benefit from this as well.

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000754.html)

3. SSH key handling

FreeIPA / OpenLMI integration so root doesn't need a password so when ssh into box on a fresh install you don't need to use passwords can use your SSH key.