Posix Users and SSH

Thank you for you detailed informations. i understand, that the current Nethserver concept is to use an account provider and therefore not to provide a enlarged usage scenario of posix users/groups. I understand this decision, but i regret that in details.

I was wondering since my first Nethserver installation that the server-manager has not even the option to manage the while installation installed basic accounts. For a non-terminal-competent user this accounts are unusable and therefore forgotten and lost in fact - and this can be a serious security risk. In server-manager there is no option to remove/disable or give new passwords for such accounts.

By the way, there is also no option to change the “root” password in server-manager. In some cases the “Nethesis,1234” password could be deferred and less experienced user have no option to change it.

What if Nethserver is used for Services without an account provider? There are so many options / scenarios for using Nethserver without own or binding to an external account provider and most of them can be completely installed and managed within server-manager. But within server-manager there is no (non terminal) option to change the “maintenace” account (root) password or to create a second maintenace account (other posix admins with right for server-manager). Or i am blind.

In my opinion, there should maybe at least an option to change the root password from server-manager - like usual in any other webconfigs for routers/firewalls or others. Maybe on an other place as the user/groups panel. (on this place, there could be a posix account managing option without confusing the Nethserver like account managing)

In compatibility to CentOS the posix-user existence has to be considered anyway.

Regards
yummiweb

@yummiweb

Hi

Even if you have no need for an Account Provider, and maybe not even a need for a user besides root:

What’s stopping you from installing a simple LDAP “Account Provider”?

It’s there, and configured, but doesn’t block or stop you.
In german we also say “Frisst mir kein heu weg!”

BTW: The NethServer root does NOT use “Nethesis,1234” as a password, only the default Nextcloud admin uses that!

It’s a bit akin like on a current Windows 10 64 Bit machine and thinking: I’m on a 64 Bit OS and Box, I have no need for C:\Windows\System32, there’s a folder C:\Windows\System64 replacing that… So after removing the System32 folder, you “might” have major problems rebooting…

:slight_smile:

You could also try removing /etc/group and /etc/passwd and /etc/shadow on any linux / unix box, thinking I don’t need local users… You WILL have problems.

Same thing in NethServer, it’s there for a reason…

My 2 cents
Andy

You can change the root password both from the new and old Server Manager: http://docs.nethserver.org/en/v7/access.html#change-the-current-password
On the old one, you are even asked to do it during the first configuration wizard.
In the new one, you have a yellow warning which ask you to change the password.

For the new Server Manager you can change the password using System -> Settings

We have thousands of such installations, usually firewalls.
If you do not need users, just use root for anything.
If you need users, you can simply install the LDAP account provider and manage everything from the UI.

3 Likes

:smiley: I can’t wait to see your PR!

1 Like

Thats not correct.
Quote: “The default password in unattended mode is Nethesis,1234.”
I could quote some Nethserver Docs here, this is one of them:
https://nethserver.docs.nethesis.it/en/v7/installation.html#installation-unattended

"we say: “Kleinvieh macht auch Mist.”
Dont install services that you dont really need, because it increased the surface for bugs, attack and so Instead use the one you have. And i have the posix user system.

I think you totally misunderstood me.
In CentOS (and as i know in all other linux/unis systems) there is all over a posix user system. Thats a essential basement for so many things, services and programs. It wont go away that fast and it shouldnt. You can use it for simple work and I do that.

I dont expect that nethserver full support that. But it would be nice if it is not accidentally hindered.
So far I have been able to use it without any problems. But the last change has shown that there may be conflict potential now and in future. I wanted to point this out.

Regards yummiweb

You are absolutely right. I am sorry for that, i totally missed that. (I was obvious completely blind)

is it actually a good idea to “use root for anything”? In my world it is exactly the opposite.
If i need “users” (admins) for maintenace, i dont need to install anything, because we have a posix user system already here. And of course i could manage this from terminal as before if the UI has no possibility to do that. Until now this was no Problem. However, the last system change has shown that there may be conflict potential here*. I wanted to point this out and took this as an opportunity to address this.

  • In my case the update has locket out my posix admin from shell (bad situation if you far away). In other cases there was no problem after update.

If my arguments have not been understood up to this point, it probably makes no sense to go on.
I don’t want to appear here as a troublemaker. :frowning:

Regards
yummiweb

@yummiweb

Hi

I have never done an unattended install of NethServer, Thx, good to know.

And you’re also right: I didn’t really understand what you wanted…

If I don’t want/need the features of NethServer, I install a vanilla Centos or Debian…
Usually even, I won’t even use a VM for the duty intended, I’ll use a LXC (Linux Container).
Then I get just what I need, NO bloat!

As using Linux 30 years now, I DO know what a Posix User is, I call it a Linux or UN*X user mostly.

My 2 cents
Andy

But Nethserver has many features, and some of them (e.g., firewall, web server, database server) don’t depend on having a bunch of users (or any, really, beyond the default system users). But it’s pretty common security advice to disable root logins, so you’d need another user to allow you to log in. Is it worth installing an LDAP stack to support a single additional user?

1 Like

Me too, but i am know this from the documentations (yes, sometimes i read them).

I didnt know that and havent seen it yet, without unattended install this question maybe dint appear?

@danb35
hooray I was understood!
:slight_smile:
(maybe this time g***le translate helped)

Regards
yummiweb

A new prop implementation has come, I hope it can help @yummiweb


The RPM is now available from the testing repository! Do you want to try it? /cc @syntaxerrormmm @fuso

yum --enablerepo=nethserver-testing update nethserver-openssh
4 Likes

The RPM has been relased!

4 Likes

This topic was automatically closed after 6 days. New replies are no longer allowed.