On Mon, 07 Oct 2019 15:25:28 +0200
Jakub Jelen <jjelen(a)redhat.com> wrote:
> On Mon, 2019-10-07 at 14:13 +0200, Marko Vojinovic wrote:
> > On Mon, 07 Oct 2019 10:38:32 +0200
> > Can you please elaborate what were the "many practical reasons" that
> > prevented this from being changed for the last 5 years? And why are
> > they not equally practical now?
> Mostly the unwillingness of people who were used to using root accounts
> in Fedora, and not enough ways to override this or set up an
> alternative during installation.
> The initial change was proposed, half-baked, 5 years ago:
> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
Yes, that's what I remember being proposed, and eventually rejected.
There were long discussions of this on various mailing lists. I mostly
remember this one:
https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html
but there were others as well...
> but never accepted by FESCo (not sure if it was even proposed), and it
> started long discussions on the mailing lists linked from there.
> Since then, we did not change the value to "no", but we disabled only
> the password logins; we added a simple way to override this in the
> anaconda installer, and there are simple ways to override it in
> kickstarts or to add public ssh keys to authorized_keys files.
I see, so there indeed were some technical improvements, to anaconda and
kickstart, that circumvented the issues people had back then. That is
what I was looking for --- the technical upgrades that made changing
the default a viable proposal. I'll read up on those in more detail.
> I think it was mostly testing and scratch boxes that needed root
> logins (specific use cases), and making sure that there is some other
> account that is allowed to log in after installation (installation
> problems). But I think I did not manage to re-read that thread this
> year.
I just re-read the discussion on the devel list from 2014. And yes, the
main complaint was that some people were deploying headless VM/test
systems where they didn't want to create a non-root user. Changing the
default would break a bunch of their existing kickstart scripts...
Another scenario that was mentioned by someone was that if /home were
network-mounted, and the network would fail, it would leave the system
inaccessible via ssh.
> 5 years ago, there were no simple workarounds for the installation.
> Even this year, the agreement was not really smooth, and updating the
> installer was one of the requirements for the change to be approved:
> https://pagure.io/fesco/issue/2133
I see, so it was an uphill battle even this time around. But this
time it was finally won! Congratulations! :-)
> This change request has actually been in Fedora for more than 15 years:
> https://bugzilla.redhat.com/show_bug.cgi?id=89216
> Back then, this was not the default even upstream, and many
> people were using root accounts.
Oh, wow, unbelievable, reported on 2003-04-21 !!! So this issue is even
older than Fedora itself --- from the days of Red Hat 9 (Shrike) all
the way to Fedora 31... I thought this was first raised in 2015; I had
no idea it was as old as 2003...
> I think that over the years, security practices shifted to better
> solutions; people learned to use normal users, sudo and ssh keys,
> which finally allowed us to do this. Originally the change would have
> been a surprise for users, but recently people were surprised that root
> login was allowed in Fedora, which also started to become dangerous.
So essentially it was a psychological thing --- it took all this time
just to change people's minds about this, re-educate them, and wait
until they change their practices of remotely logging in as root. With a
couple of technical modifications to anaconda and kickstart.
This is the info I was looking for, thanks a lot! :-)
But I'm still amazed... A security bug/RFE from 2003, closed in 2019...
Just wow...
Thanks, :-)
Marko
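
An added example, not code from this thread, from Fedora or from OpenSSH. The thread says the new default "disabled only the password logins", which in sshd_config terms is PermitRootLogin set to prohibit-password rather than yes. A caveat a practitioner hardening a box by hand should know: sshd_config(5) takes the first value it obtains for each keyword, so a PermitRootLogin line appended at the end of a file is ignored if an earlier line already set it. The helpers below implement that first-match rule over a constructed sshd_config and classify what root can do over SSH; the sample files, the function names and the assumption that an absent keyword means a modern OpenSSH default of prohibit-password are all this example's own, and Include directives and Match-block matching are not followed.

```shell
#!/bin/sh
# Added example; not code from the thread, Fedora or OpenSSH.
# sshd_config(5): for each keyword the first obtained value is used, so
# the order of PermitRootLogin lines decides what sshd does. A hardening
# line appended at the end of the file is dead configuration if an
# earlier line already set the keyword.
# Limitation: Include directives and Match-block logic are not followed.

# effective_value KEYWORD FILE
# Prints the first global value of KEYWORD (keyword matched
# case-insensitively, "Keyword Value" and "Keyword=Value" forms accepted,
# comments and blank lines skipped). Stops at the first Match block,
# because settings inside it only apply to matched connections. Prints
# nothing if the keyword is never set in the global section.
effective_value() {
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                     # drop indentation
        $0 == "" || $0 ~ /^#/ { next }             # blank or comment
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }                      # global section ends
        k == kw      { print f[2]; exit }          # first occurrence wins
    ' "$2"
}

# root_login_risk FILE
# Prints what PermitRootLogin effectively permits for root:
#   password - yes: root password guessing over the network is possible
#   key-only - prohibit-password / without-password, or keyword absent
#              (assumption: OpenSSH 7.0 or newer, whose compiled-in
#              default is prohibit-password)
#   forced   - forced-commands-only
#   disabled - no
root_login_risk() {
    v=$(effective_value PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    case "$v" in
        yes)                                    echo password ;;
        no)                                     echo disabled ;;
        forced-commands-only)                   echo forced ;;
        ''|prohibit-password|without-password)  echo key-only ;;
        *)                                      echo "unknown:$v" ;;
    esac
}

# Constructed sample configs for the demo (not real Fedora files);
# they are left in $demo_dir for inspection.
demo_dir=$(mktemp -d)

cat > "$demo_dir/weak.conf" <<'EOF'
# Root password logins stay allowed: the "no" added at the bottom by a
# well-meaning admin is ignored because "yes" came first.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

cat > "$demo_dir/hardened.conf" <<'EOF'
# The setting the Fedora change amounts to: root gets in with a key only,
# and it is the first PermitRootLogin line sshd sees. The Match block
# below does not change the global value.
PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF

cat > "$demo_dir/strict.conf" <<'EOF'
  # indented comment and Keyword=Value form, both accepted by sshd
  PermitRootLogin=no
EOF

# audit_dir DIR: one line per *.conf file with its classification.
audit_dir() {
    for f in "$1"/*.conf; do
        printf '%s: %s\n' "$(basename "$f")" "$(root_login_risk "$f")"
    done
}

audit_dir "$demo_dir"
```

Running it prints hardened.conf as key-only, strict.conf as disabled and weak.conf as password, which is the point: the trailing "PermitRootLogin no" in weak.conf changes nothing. On a real host, `sshd -T` (run as root) prints the effective configuration and is the authoritative check, since it also resolves Include and Match.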