About setting 'PermitRootLogin=no' in sshd_config
plautrba at redhat.com
Tue Nov 25 20:20:35 UTC 2014
On 11/21/2014 08:11 AM, P J P wrote:
> Sshd(8) daemon by default allows remote users to login as root.
> 1. Is that really necessary?
The original bug report was kept open mainly due to the lack of
add-user functionality in anaconda. This is no longer true; anaconda
has the ability to add a user, although it's not enforced.
> 2. A lot of users use their systems as root, without even creating a non-root user.
> Such practices need to be discouraged; not allowing remote root login could be
> useful in that.
There are several use cases when local non-root users are not needed at
all, as others already pointed out.
The change itself is simple; however, the problem is more complex overall.
Here are some thoughts I have about the change:
- administrators are alerted when they use a weak password for root by
- Fedora Workstation and Live installations don't enable sshd.service
- even if the default was 'PermitRootLogin without-password', you would
need to inject an ssh key, and when you are able to inject a key, you are
able to change the default configuration
- I personally use several Fedora systems without non-root users in
- default sudoers uses the password of a user for authentication, so even
when I have a non-root user in the wheel group, I only need one user's
password to become root
- how many of these enforced users will be 'user' or 'test'?
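Added example, not part of the original message or of OpenSSH: a small auditor that reads sshd_config text and reports which PermitRootLogin value decides root login globally and inside each Match block, accepting both the `Keyword value` and the `Keyword=value` spelling used in the subject line. The function names and the sample configuration are constructed for illustration; `Include` files are not followed, and the value used when the keyword is absent is an assumed parameter.

```python
import re

# What each PermitRootLogin value lets root do (per sshd_config(5)).
MEANING = {
    "yes": "root login allowed by any enabled method",
    "without-password": "root login allowed, but not by password",
    "prohibit-password": "root login allowed, but not by password",
    "forced-commands-only": "root login only with a key bound to a command",
    "no": "root login refused",
}

def parse_permit_root_login(text, default="yes"):
    """Return (global_value, [(match_criteria, value), ...]).
    sshd keeps the first value read for a keyword; lines after a Match
    line apply only to connections satisfying it. `default` is assumed
    when the keyword is absent ("yes", as the thread describes)."""
    global_value, overrides, match, seen = None, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Both "Keyword value" and "Keyword=value" are accepted.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match, seen = arg, False
        elif key == "permitrootlogin":
            if match is None:
                global_value = global_value or arg.lower()
            elif not seen:
                overrides.append((match, arg.lower()))
                seen = True
    return global_value or default, overrides

def report(text, default="yes"):
    value, overrides = parse_permit_root_login(text, default)
    rows = [("global", value)] + [("Match " + m, v) for m, v in overrides]
    return [f"{s}: {v} ({MEANING.get(v, 'unrecognized value')})" for s, v in rows]

# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin=no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin without-password
"""
if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a config file offline.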