Joakim Tjernlund wrote:
> How is local root pw any different than domain pw? In your view remote root access is a big no-no so sssd should also enforce no remote root login in that case.

Yes, remote root password is a big no-no. Because it would be effective on all systems at once, circumventing most security mechanisms.
I really appreciate sssd denying root completely. Most people concerned about security surely agree.
If you personally don't like this important aspect of sssd just use something else.
> You just said it: "best practice", not a law. In this context, sssd dictates policy and that is not sssd's call to make IMHO. You should encourage best practice though. One day we will get there but not today :)

It seems you don't have proper operational processes on your side to handle incidents and lock out your users from doing something bad. Then you ask for a significant security-relevant change in a widely used component. That sucks.
Ciao, Michael.