[CentOS-devel] password ssh-ing in Centos/7 Vagrant box

Mon Oct 10 13:51:38 UTC 2016
Laurentiu Pancescu <lpancescu at gmail.com>

On 10/10/16 14:08, Michael Vermaes wrote:
> On Sat, Oct 8, 2016 at 4:22 PM, Laurentiu Pancescu <lpancescu at gmail.com> wrote:

> Do you mind letting us know how the configuration would be fixed to
> address this? For what it's worth, in my opinion it would be more
> surprising for this behaviour to change. I think a Vagrant box is
> assumed to be a 'disposable', single user environment as you
> mentioned. Things like the well known insecure passwords and ssh key
> contribute to a standard Vagrant experience across boxes from
> different distributions.

The images would still follow the upstream recommendations, I have no 
intention of changing the default SSH key or password.  In my local 
implementation:

- vagrant and root can use su and sudo without limitations (no change)
- other users can't use sudo... (no change)
- ...but can still su to any accounts except root or vagrant

This matches the sudo configuration pretty closely.  An alternative 
would be to add vagrant to the wheel group, and allow anyone in the 
wheel group to use su (with password) or sudo (without password).  You 
could add your own users to the wheel group if you wanted to, but it 
would be a conscientious decision to give someone admin privileges, 
rather than the default when calling useradd.  If you didn't create 
additional users, you wouldn't be affected in either scenario.

The intention is just to prevent beginners from shooting themselves in 
the foot when sharing a box with a public IP.  I'm open to arguments for 
either solution, as well as other alternatives.

Laurențiu