About setting 'PermitRootLogin=no' in sshd_config
Petr Lautrbach
plautrba at redhat.com
Tue Nov 25 20:20:35 UTC 2014
On 11/21/2014 08:11 AM, P J P wrote:
> Hello,
>
> Sshd(8) daemon by default allows remote users to log in as root.
>
> 1. Is that really necessary?
The original bug report [1] was kept open mainly due to the lack of
add-user functionality in anaconda. This is no longer true: anaconda
has the ability to add a user, although it's not enforced.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=89216

> 2. A lot of users use their systems as root, without even creating a non-root user.
> Such practices need to be discouraged, not allowing remote root login could be
> useful in that.
There are several use cases when local non-root users are not needed at
all, as others already pointed out.

The change itself is simple; however, the problem is more complex overall.
Here are some thoughts I have about the change:

- administrators are alerted when they use a weak password for root by
  anaconda
- Fedora Workstation and Live installations don't enable sshd.service
- even if the default was 'PermitRootLogin without-password', you would
  need to inject an ssh key, and when you are able to inject a key, you are
  able to change the default configuration
- I personally use several Fedora systems without non-root users in
  a local network.
- the default sudoers uses the password of a user for authentication, so even
  when I have a non-root user in the wheel group, I only need one user's
  password to become root
- how many of these enforced users will be 'user' or 'test'?

Petr
--
Petr Lautrbach
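
The following added example is not part of the original message and is not OpenSSH or Fedora code. It computes which PermitRootLogin value a given sshd_config text yields, applying sshd's rule that the first obtained value for a keyword wins and treating Match blocks as conditional overrides. The function name, the `compiled_default` parameter and the sample configuration are assumptions made for the illustration.

```python
import re
import shlex

# Keyword and argument are separated by whitespace or by a single '=',
# the form used in the subject line ('PermitRootLogin=no').
LINE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")
# 'without-password' is the older spelling of 'prohibit-password'.
ALIASES = {"without-password": "prohibit-password"}
# What each value means for a remote root login.
ROOT_AUTH = {
    "yes": "password or key",
    "prohibit-password": "key only",
    "forced-commands-only": "key with a forced command only",
    "no": "not allowed",
}


def effective_permit_root_login(config_text, compiled_default="yes"):
    """Return (global value, [(match criteria, value), ...]).

    compiled_default is an assumption supplied by the caller: pass the
    default of the sshd build being audited.
    """
    global_value = None
    overrides = []
    match_criteria = None      # None while still in the global section
    match_has_value = False
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:              # blank line, comment, or bare keyword
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        if keyword == "match":
            match_criteria, match_has_value = rest.strip(), False
            continue
        if keyword != "permitrootlogin":
            continue
        tokens = shlex.split(rest, comments=True)
        if not tokens:
            continue
        value = ALIASES.get(tokens[0].lower(), tokens[0].lower())
        if match_criteria is None:
            if global_value is None:       # first obtained value wins
                global_value = value
        elif not match_has_value:          # same rule inside one Match block
            overrides.append((match_criteria, value))
            match_has_value = True
    return (global_value or compiled_default), overrides
```

A file whose only PermitRootLogin line is commented out falls back to `compiled_default`, which is the case the thread is arguing about.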