Hi Nico,

You and I completely agree that unexpected discrepancies often cause problems, break workflows, and make people hate security changes. I've been a Debian developer for over 13 years and a UNIX sysadmin for longer than that. There are many cases where I've made arguments similar to yours inside Google, sometimes even mentioning "knife ssh" itself (yes I've used Chef), and we're more compatible with customers' non-GCE automation because of such arguments.

Despite all of that, adding this account management daemon in GCE makes sense, as do the other carefully chosen integration bits we add. Our account daemon can certainly be disabled without harm (e.g. via systemctl in CentOS 7), doesn't interfere with UNIX ways of working, and doesn't dictate what we do about the root account. It's even careful not to remove keys which were added separately by users, distinguishing carefully via comment lines. All of the software we add is of course free and open source software, typically under the Apache License 2.0, and also typically human-readable Python, shell, systemd unit files, or the like. Some of our software is even packaged in RPMs (built via a hacky internal process); we do plan to reach out to coordinate proper RPM packaging and integration into a suitable CentOS repository.

Regarding your specific concerns about root's passwd data, we don't change that. I forget whether we change CentOS's root SSH login setting; we do change a few other things like disabling password SSH auth and putting in some connection keepalive settings, but it's quite close to stock config. We try to keep our deviations justifiable, and if you think any are not, we'd like to hear about them. :) As one example justification, the SSH connection keepalive is because TCP connections that remain idle too many minutes will get dropped by the GCE firewall.

- Jimmy

We aren't changing root's passwd data.


On Mon, Jul 14, 2014 at 6:44 PM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
On Mon, Jul 14, 2014 at 12:14 PM, Jimmy Kaplowitz <jkaplowitz@google.com> wrote:
> As further data points, Debian on AWS EC2 uses the 'admin' username, and all
> Google-supported images on Google Compute Engine (including CentOS) don't
> have a default account at all, but rather use integrated SSH key management
> via our metadata server and an open source daemon we install into the guest.

But you're not changing root's uid, gid, shell, home directory, or
group memberships, right?  It's all fun and games until someone
touches old tools that have worked consistently for more than a decade
with an unexpected discrepancy between UNIX historical settings, and
someone's untested "security enhancement". It's the sort of thing that
makes people hate security changes.

Blocking direct login access by locking the password and/or blocking
SSH root access are all understandable, but should *not* be changed
from upstream's defaults without considerable thought. They *will*
break procedures that are applied to both systems, especially those
that rely on remote SSH key or direct root privileges such as the
"knife ssh" command from chef and other SSH based multiple-target
tools.

Having to pipe the commands through some kind of sudo adds complexity.
Don't get me wrong, I agree that in most cases it can and should be
turned off for security reasons. But changing the defaults is going to
burn sysadmins' very valuable time. Is it worth the security
enhancement to make their lives more difficult?
_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
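The key-reconciliation behaviour Jimmy describes above (the daemon only touches keys it manages, recognising them by comment lines, and leaves keys the user added separately alone) is sketched here as an added worked example. This is illustrative code written for this page, not the source of Google's guest daemon; the marker comment strings, function names, allowed key types and sample key lines are assumptions.

```python
"""Reconcile ~/.ssh/authorized_keys with a set of externally managed keys.

Managed keys (for example, ones fetched from a metadata server) live inside
a block delimited by two comment lines. Anything outside that block was
added by the user and is copied through untouched, so re-running with a new
key set replaces only the managed block and never drops a user's own key.
"""
import base64
import os
import tempfile

# Assumed marker lines; the real daemon's comment format is not shown here.
MANAGED_BEGIN = "# BEGIN managed keys (example account daemon)"
MANAGED_END = "# END managed keys"

# Key types accepted from the external source. A line must *start* with one
# of these, which rejects authorized_keys option prefixes such as
# command="..." or environment= that a compromised key source could use to
# run arbitrary commands on login.
ALLOWED_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def validate_key_line(line: str) -> str:
    """Return a normalised 'type blob [comment]' line, or raise ValueError."""
    if "\n" in line or "\r" in line:
        raise ValueError("key must be a single line")
    parts = line.strip().split(maxsplit=2)
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported or malformed key line: {line!r}")
    try:
        base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    except ValueError:
        raise ValueError(f"key blob is not base64: {line!r}") from None
    return " ".join(parts)


def is_acceptable_key_line(line: str) -> bool:
    """Convenience predicate wrapping validate_key_line()."""
    try:
        validate_key_line(line)
    except ValueError:
        return False
    return True


def split_authorized_keys(text: str) -> tuple[list[str], list[str]]:
    """Split file contents into (user_lines, managed_key_lines)."""
    user_lines, managed, inside = [], [], False
    for line in text.splitlines():
        if line == MANAGED_BEGIN:
            inside = True
        elif line == MANAGED_END:
            inside = False
        elif inside:
            managed.append(line)
        else:
            user_lines.append(line)  # user-owned; preserved verbatim
    return user_lines, managed


def reconcile(current_text: str, desired_keys: list[str]) -> str:
    """Return new file contents: user lines kept, managed block replaced.

    Managed keys absent from desired_keys are removed; if desired_keys is
    empty the whole managed block disappears and only user lines remain.
    """
    user_lines, _old_managed = split_authorized_keys(current_text)
    managed = [validate_key_line(k) for k in desired_keys]
    # Drop trailing blank lines so repeated runs do not grow the file.
    while user_lines and not user_lines[-1].strip():
        user_lines.pop()
    out = list(user_lines)
    if managed:
        out += [MANAGED_BEGIN, *managed, MANAGED_END]
    return "\n".join(out) + "\n"


def write_authorized_keys(path: str, text: str) -> None:
    """Atomically replace the file with mode 0600 (sshd refuses looser modes).

    When run as root for another user, the caller must also chown the file
    and its ~/.ssh directory to that user (os.chown), which is omitted here.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # rename is atomic; no half-written file is visible
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed sample input (not a real key, not real metadata output).
SAMPLE_FILE = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbk user@laptop\n"
    + MANAGED_BEGIN + "\n"
    + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB old@metadata\n"
    + MANAGED_END + "\n"
)

if __name__ == "__main__":
    print(reconcile(SAMPLE_FILE, ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAC new@metadata"]))
```

Two design points worth noting: the user's own key survives every run because it lives outside the marker block, and the managed block is rebuilt from scratch each time rather than edited in place, so a key revoked at the source disappears on the next run without any diffing logic. The key-type whitelist is the check a practitioner would want before trusting key material pulled over the network, since an authorized_keys line is parsed for options before the key itself.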