@jaredbusch said in sudo problems:

@pete-s said in sudo problems:

@jaredbusch said in sudo problems:

@scottalanmiller said in sudo problems:

@jaredbusch said in sudo problems:

@scottalanmiller said in sudo problems:

@pete-s said in sudo problems:

We want to move to using ssh certificates on our servers and remove all passwords.

That's what we do.

Since when? What do you use to manage and generate certificates?

Generate with ssh-keygen. Manage with a wiki. We are only so big, so it works fine.

That is not certificates. That is keys. Completely different.

I don't know what @scottalanmiller uses but ssh-keygen is used to generate ssh certificates as well.

From the man page:
ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key. Clients or servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys. Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).

But if you are automating certificate generation, you need to wrap this in something.

No, ssh-keygen does not do this (ssh certificate generation).

As you highlight, it can be used as part of the certificate process. But it cannot, and never will, be the certificate authority. Thus it is not the tool for this this.

You're actually mistaken because I've done it many times now. A Certification Authority, when it comes to openssh certificates, is really just a key pair that you carefully guard.

You create certificates by using the CA keys to sign other public keys from users and hosts. The result is a certificate named *-cert.pub

And you do all of this with the ssh-keygen utility.

Similar to how you can create CA and everything else for the more complex x509 certificates with just openssl.

Booted straight to the CentOS 4 ISO, went into linux rescue, updated the initrd img and bam. working system from the current (as of 4 days ago) manual disk images I made.
88b47d5c-c3dc-4635-ab9c-1ec25e69ab95-image.png

Next project to re-learn how they restore data files. Have not done that in almost 10 years. Having no virtual infrastructure to play with, prior to this, made that harder.

@JaredBusch said in Fedora 32 server disables root by default:

@scottalanmiller said in Fedora 32 server disables root by default:

@black3dynamite said in Fedora 32 server disables root by default:

@scottalanmiller said in Fedora 32 server disables root by default:

@black3dynamite said in Fedora 32 server disables root by default:

It's been like that since Fedora 31. At least with the netinstall everything iso.

Gotta be the Netinstall because we install this constantly, every few days, and in the Server Edition, it's not there by default.

root account is disabled with the following ISOs:
Fedora-Everything-netinst-x86_64-31-1.9.iso
Fedora-Server-dvd-x86_64-31-1.9.iso
Fedora-Server-netinst-x86_64-31-1.9.iso
Fedora-Workstation-Live-x86_64-31-1.9.iso

Must be in 1.9. We do these constantly and haven't seen it yet.

Was there more than one ISO release of Fedora 31? There is not always.

Not sure. I just looked and we are on the 1.9 ISO and it definitely has a different default.