On 11/24/2014 01:57 PM, Tomas Mraz wrote: reference https://bugzilla.redhat.com/show_bug.cgi?id=89216 I think it's ok for upgrade between versions if it's promoted as a Fedora Feature. Petr -- Petr Lautrbach

On 11/24/2014 03:49 PM, Richard Z wrote: ... I agree. It should be documented at least in Fedora release notes and as a Fedora Feature preferably accepted by FESCO. However it would effectively affect only those admins who haven't touched /etc/ssh/sshd_config file given that this file is marked as %config(noreplace). Petr -- Petr Lautrbach

On Mon, Nov 24, 2014 at 01:57:24PM +0100, Tomas Mraz wrote: The config file is marked as "noreplace". This means that it's only an issue in cases where the previous system has also never had its sshd config touched. (And suggests that a somewhat kludgey but functional workaroud would be to ensure that it _is_ touched before the install -- possibly %pre or %pretrans scripts would be sufficient.) -- Matthew Miller <mattdm(a)fedoraproject.org&gt; Fedora Project Leader

On 25/11/14 08:04, P J P wrote: Hi All, Are we talking here physical releases ? Or just infra or just best advice for people ? I fear that if we do disable SSH root logins, this will make some people's lives a lot harder. But could somebody please be so kind to clarify what exactly we are considering here ? Thank you. Regards, Tristan -- Tristan Santore BSc MBCS TS4523-RIPE Network and Infrastructure Operations InterNexusConnect Mobile +44-78-55069812 Tristan.Santore(a)internexusconnect.net Former Thawte Notary (Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust) For Fedora related issues, please email me at: TSantore(a)fedoraproject.org

I have two divergent opinions on this issue. Personally, I agree with Theo de Randt on the reasoning behind the default PermitRootLogin setting in OpenSSH. If your root password is of adequate strength (in the event that you're not mandating the use of keys), then realistically the risk of exposing root logins over SSH is minimal (excluding any unforeseen exploits in OpenSSH). I trust the mathematics of cryptography. On the other hand, I can't vouch for the security of other user's systems. I have a suspicion that the majority of brute force attacks that succeed occur on systems where the user is unaware that sshd is running and/or the system was never meant to be reachable from the internet. Sucuri found that 58% of brute force attacks were conducted against the root account [1]. A full list of the passwords tried by attackers can be found here [2]. The strength of passwords that are tried are obviously extremely weak. Since setting PermitRootLogin to no will minimize the footprint of this attack, I'd be more than happy to see it implemented. Anyone who wants to sets PermitRootLogin to yes, is likely well aware of the importance of strong passwords and the visibility of their system over the internet. Brandon Vincent [1] http://blog.sucuri.net/2013/07/ssh-brute-force-the-10-year-old-attack-tha... [2] http://labs.sucuri.net/dump/sshd_bruteforce_list.txt?_ga=1.53033320.11590...

Hello, ----- Original Message ----- That’s work for the user, and probably even for the programmer more work than automatically detecting the situation and not changing the configuration. “Hello, this is a program telling you to do manually something a program could easily do” is rarely the best answer. Mirek

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Mon, Dec 01, 2014 at 11:26:30PM +0100, Reindl Harald wrote: This makes a lot of sense. I still agree with sane defaults that don't allow dumb things to happen out of the box but we should also be looking at ways for people to determine whether or not their systems are setup in an insecure manner. Some of this already exists in the SCAP world but is mostly focused on compliance testing and not 'how to make sure I'm not going to get pwned'. Perhaps we need to make SCAP rules that check for obvious deficiencies and then make that increadibly easy for an admin to run. Then issues like allowing root access via ssh (directly) would come up on the admin's radar and the admin could fix it. There are many things I'm running on my server that I *hope* are configured appropriately. It would be great if there was a way for my system to be scanned to see if there are things I could be doing better. - -- Eric - -------------------------------------------------- Eric "Sparks" Christensen Red Hat, Inc - Product Security sparks(a)redhat.com - sparks(a)fedoraproject.org 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - --------------------------------------------------

On 02/12/14 07:28 AM, Tristan Santore wrote: More to the point, who cares in that situation, many cloud providers use the VNC terminal to provide "console" access which is then provided via HTTPS to the end user (so the only unencrypted part is from your VM to the host server, in other words if an attacker can sniff that they own the box). I, along with many cloud people, would be highly annoyed to have the root account disabled by default. But the times are a changing so maybe it's not such a terrible thing. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

(Randomly picking a place in the thread to insert this…) Fundamentally, as someone has already pointed out, root login enabled/disabled doesn’t matter for _authentication_ strength: The pair of (guessable or known user name, “root”) and (user’s password, root password) can be equally strong as the pair of “root” and “a password as strong as the two previous passwords together”. OTOH, not all security is pure computer security: it is a good idea to _attribute_ every action to a physical person, so that physical security mechanisms (disciplinary action, lawsuits, guns) can be used. In this sense, the “root” account is a very strange concept, and it is being used in two very different ways: 1) as an authentication system bypass/override (very similar to “enter the BIOS password to bypass OS security altogether”), and 2) as a conventional default user name to use for clearly single-physical-user OS installations (personal VMs). Now, arguably, in a perfect design, neither of these should be needed: For 1), just use the BIOS password and boot into single-user mode (which then must be configured not to ask for a password), or perhaps into a special variant of the standard multi-user mode (so that networking and the IPA client works) with an unauthenticated root shell open. This would break for servers with no or difficult physical access and no KVM/serial console set up; is that a frequent and significant case? For 2), use the same user name you use on the host or your other computers, and set up sudo to give this user in the guest full control. This could, if we can automate the sudo part, even be more convenient: “ssh hostname” now works without having to prepend root@, or having to add such a configuration to ssh_config. So I guess the long-term ideal would be to stop talking about the “root password” altogether (i.e. have an anaconda install end up with root password authentication disabled, and for “the” administrator, set up sudo to be authenticated with their own, not root’s nonexistent, password), and to stop recommending _any_ log ins directly to the root account. That would also implicitly resolve the sshd discussion. Apart from older systems, which can stay unchanged on upgrades easily enough, there must be other cases where this would cause difficulty. One obvious disadvantage of disabling the root password would be that it essentially forces any organization with multiple sysadmins to deploy IPA or something similar for managing all the individual’s accounts and passwords; I’m sure this can be argued to be another advantage but some sysadmins who used a shared password for a few decades (and a few generations of sysadmins) will still disagree. Mirek

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, Dec 04, 2014 at 10:00:54AM -0500, Miloslav Trmač wrote: Well, there are a couple advantages for attacking the root account (and this is why it's done so often). First, you already know the username. That's sometimes half the puzzle! You're not trying to guess a username *and* a password but rather only trying to guess a password. You're halfway there already! Now all you have to do is brute force the password. Second, if you get into the account you know you've struck gold. You now, effectively, own the system. It's not like being able to login as a user and then hoping that you might have sudo access to do other things (like change root's password). Allowing root access is just dangerous. If someone really needs it they can turn it on but I suspect many people don't even realize the access exists and 'fluffybunny' isn't going to keep their systems safe. - --Eric - -------------------------------------------------- Eric "Sparks" Christensen Red Hat, Inc - Product Security sparks(a)redhat.com - sparks(a)fedoraproject.org 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - --------------------------------------------------

Good point, this totally breaks anyone not using local authentication, I think based on that this feature change really needs to be blocked. On 16/12/14 08:14 AM, Dennis Gilmore wrote: -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Sure, idea is to make it conditional and not break thing too rough. In that, during the boot process the user could be prompted to create a non-root account, to which he/she can choose not to create one, in which case they would be warned about/against it. Exactly! All the use cases above and similar others are typical power user's ones, who can easily re-enable remote root login as and when required. --- Regards -Prasad http://feedmug.com

Sure, I agree. I'm not sure how these VM images are created and deployed, but there must be some way to handle such cases, ex -> https://lists.fedoraproject.org/pipermail/devel/2014-November/204663.html As said before, intention is not to break things too rough and bother users. But to make things secure while keeping them usable. If they are not usable, what good is that security? --- Regards -Prasad http://feedmug.com

On Wed, 17 Dec 2014 16:05:43 +0000 (UTC) P J P <pj.pandit(a)yahoo.co.in&gt; wrote: These are specific cases, the problem is not crippling the general case. Exactly, removing root access by default is not usable. You can make it easy to disable it after the fact, or you can have detection mechanisms to see if there are other ways into the system. But you have to work to implement them, not block access by default and then go tell people there are workarounds. Simo. -- Simo Sorce * Red Hat, Inc * New York