On Mon, 2019-10-07 at 14:13 +0200, Marko Vojinovic wrote:
On Mon, 07 Oct 2019 10:38:32 +0200
Jakub Jelen <jjelen(a)redhat.com> wrote:
> On Mon, 2019-10-07 at 02:53 +0200, Marko Vojinovic wrote:
> > On Mon, 7 Oct 2019 10:21:03 +1100
> > Cameron Simpson <cs(a)cskk.id.au> wrote:
> > > On 07Oct2019 01:00, Marko Vojinovic <vvmarko(a)gmail.com> wrote:
> > > > On Sun, 06 Oct 2019 18:05:02 +0200
> > > > alciregi(a)gmail.com wrote:
> > > > > It could it be related to this change:
> > > > >
https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Passwor...
> > > >
> > > > As a side question --- I remember that this was the default
> > > > for
> > > > upstream OpenSSH since 2015, but was not adopted in Fedora
> > > > because
> > > > people who install Fedora on headless machines (or remotely)
> > > > would
> > > > have no other way of logging in after initial installation.
> > > > So
> > > > why
> > > > the change of heart now, what happened to the headless login
> > > > issue?
> > >
> > > Because one can generally set up a normal user, log in as them,
> > > then
> > > su or sudo.
> >
> > Was this not possible back in 2015?
> >
> > I guess I am asking what technically changed between then and
> > now,
> > so that we didn't block root back then and we are doing it now?
>
> Please, read the whole fedora change page. It answers all your
> questions.
Well, the relevant sentence from the change page says:
"Fedora was for many practical reasons keeping the old configuration
since then, but the difference is no longer bearable"
Can you please elaborate what were the "many practical reasons" that
prevented this from being changed for the last 5 years? And why are
they not equally practical now?
Mostly the unwillingness of people who were used to use root accounts
in Fedora and not enough alternatives how to override or set up
alternative during installation.
The initial change was half-baked proposed 5 years ago:
https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
but never accepted by FeSCO (note sure if it was even proposed) and
started long discussions on mailing lists as linked from there.
Since then, we did not change the value to "no", but we disabled only
the password logins, we added a simple way how to override this in
anaconda installer and there are simple ways how to override it in
kickstarts or add a public ssh keys to authorized_keys files.
Don't get me wrong, I fully support this change, disabling ssh
root
login is the very first thing I do every time I install a new system.
And each time I ask myself why on earth isn't this the default, but I
sort-of remember (from various discussions on this mailing list back
in
2015 or so) that people had good reasons to keep it that way.
I think it was mostly testing and scratch boxes that needed root logins
(specific use cases), making sure that there is some other account that
is allowed to login after installation (installation problems). But I
think I did not manage to read that thread this year again.
And now
that I see the default is going to be changed, I'm curious what were
those reasons and what happened to them --- how come they were
good enough for the last five years, and are not good enough now?
5 years ago, there were no simple workarounds for the installation.
Even this year, the agreement was not really smooth and updating
installer was one of the requirements for the change to be approved:
https://pagure.io/fesco/issue/2133
This change request is in Fedora actually for more than 15 years:
https://bugzilla.redhat.com/show_bug.cgi?id=89216
Back in that time, this was not default even in upstream and many
people were using root accounts.
What
changed? Or else, why wasn't this done already back in 2015?
I think that over the years, the security practices shifted to better
solutions, people learned to use normal users, sudo and ssh keys, which
allowed us to do this finally. Originally the change would be a
surprise for users, but recently, people were surprised by the root
login allowed in Fedora, which also started to be dangerous.
Regards,
Jakub
Best, :-)
Marko
_______________________________________________
users mailing list -- users(a)lists.fedoraproject.org
To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org --
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.