F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Josh Boyer jwboyer at fedoraproject.org
Thu Jan 8 14:40:16 UTC 2015


On Thu, Jan 8, 2015 at 8:43 AM, Stephen Gallagher <sgallagh at redhat.com> wrote:
>
> On Thu, 2015-01-08 at 13:42 +0100, Jaroslav Reznik wrote:
>> = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
>> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
>>
>> Change owner(s): P J P <pjp at fedoraproject.org> and Fedora Security Team
>>
>> To disable remote root login facility in sshd(8) by default.
>>
>> == Detailed Description ==
>> Sshd(8) daemon allows remote users to login as 'root' by default. This
>> provides remote attackers an option to brute force their way into a system.
>> Empirically it is observed that many users use their systems via 'root' login,
>> without creating non-root user and often have weak passwords for this mighty
>> account. sshd_config(5) has an option 'PermitRootLogin=yes|no' which controls
>> sshd(8) behaviour; it is set to be 'Yes' by default. Disabling remote root
>> login by setting PermitRootLogin=no would help to harden Fedora systems,
>> moving it an inch closer towards 'secure by default' future. Users can have
>> non-root accounts with weak passwords too, yet disabling remote root login
>> keeps an attacker a step away from getting full control on a system. There is
>> another option of disabling user login via password and require usage of
>> cryptographic keys for the same. But that could be a next step in future.
>>
>> Please see -> https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html
>>
>> == Scope ==
>> * Proposal owners: to communicate with the Fedora maintainers of packages:
>> Anaconda, OpenSSH, GNOME, etc.
>> * Other developers: packages like Anaconda, GNOME etc. need to update their
>> workflow to enable compulsory non-root user account creation and ensure good
>> password strength for it.
>> * Release engineering: installer needs to ensure creation of non-root user
>> account with strong password. Similarly, all Fedora images must be created
>> with a non-root user account.
>> * Policies and guidelines: unknown yet.
>
> Can we clarify something here? Is this a request to change the defaults
> globally for all Products/nonproduct installs?
>
> I would argue that it could be sensible to do this for Workstation and
> non-product installs, but not for Server and Cloud.

IIRC, the Cloud images don't have a root password set, which means you
can't log in as root at all by default.  They have their cloud_init
thing, which is supposed to copy ssh keys onto the image.  So unless
I'm confused (which is possible because my understanding is...
cloudy), the Cloud product is essentially already more strict than
this feature proposes.

> Let's make this change happen with a per-product config default, with
> Workstation and Non-product setups disabling root SSH login by default.
> Server should leave SSH login enabled (arguably conditional on whether
> or not the user enrolls in a domain).

We can take this back to Workstation for discussion I guess.

josh
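As an added illustration (not part of this thread, and not code from the OpenSSH or Fedora projects), the script below reports the effective PermitRootLogin value from sshd_config-style text, which is the setting the proposal above wants flipped. It honours two sshd_config(5) rules that trip people up when auditing this: the first occurrence of a keyword wins, so a "PermitRootLogin no" appended to the end of the file does nothing if an earlier line already says yes, and both "Keyword value" and "Keyword=value" spellings are accepted. Values inside Match blocks are skipped, so the result is the global default. The two configs are constructed samples; the compiled-in default is passed in as an argument ("yes" here, matching the OpenSSH default the proposal describes), since it differs between OpenSSH releases.

```shell
#!/bin/sh
# Added example: audit the effective PermitRootLogin setting of an
# sshd_config-style text. Sample configs are constructed for illustration.

# effective_permit_root_login CONFIG_TEXT DEFAULT
# Prints the first PermitRootLogin value found outside any Match block
# (sshd_config(5): "the first obtained value will be used"), or DEFAULT.
effective_permit_root_login() {
    printf '%s\n' "$1" | awk -v dflt="$2" '
        {
            line = $0
            gsub(/=/, " ", line)        # accept "Keyword=value" as well as "Keyword value"
            n = split(line, f)
            if (n == 0) next            # blank line
            if (f[1] ~ /^#/) next       # comment line (e.g. "#PermitRootLogin yes")
            key = tolower(f[1])
            if (key == "match") { in_match = 1; next }
            if (in_match) next          # Match-block overrides are conditional; report the global value
            if (key == "permitrootlogin") { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print dflt }
    '
}

# root_login_disabled CONFIG_TEXT DEFAULT
# Returns 0 only when remote root login is fully off ("no"). Other values
# ("yes", "prohibit-password"/"without-password", "forced-commands-only")
# still let root in under some condition and are reported as not disabled.
root_login_disabled() {
    case "$(effective_permit_root_login "$1" "$2")" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample 1: stock-style file, keyword only present as a comment,
# plus a Match block that must not be mistaken for the global setting.
WEAK_CONFIG='# sshd_config (constructed sample)
#PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
'

# Constructed sample 2: hardened as the proposal suggests. The later
# "yes" line does not override the earlier "no" because first wins.
HARDENED_CONFIG='PermitRootLogin=no
PasswordAuthentication yes
PermitRootLogin yes
'

printf 'weak sample     -> PermitRootLogin %s\n' "$(effective_permit_root_login "$WEAK_CONFIG" yes)"
printf 'hardened sample -> PermitRootLogin %s\n' "$(effective_permit_root_login "$HARDENED_CONFIG" yes)"
```

On a live host the same logic applies to the running daemon's view, but the authoritative answer there is `sshd -T` (the effective configuration dump), which resolves includes, Match blocks and compiled-in defaults for you; the parser above is for offline review of config text, image builds and kickstart snippets where no sshd is running.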