F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Stephen Gallagher sgallagh at redhat.com
Thu Jan 8 13:56:15 UTC 2015




On Thu, 2015-01-08 at 08:48 -0500, Chuck Anderson wrote:
> On Thu, Jan 08, 2015 at 08:43:48AM -0500, Stephen Gallagher wrote:
> > Can we clarify something here? Is this a request to change the defaults
> > globally for all Products/nonproduct installs?
> > 
> > I would argue that it could be sensible to do this for Workstation and
> > non-product installs, but not for Server and Cloud.
> > 
> > In the Server case, nearly every deployment is headless. Disabling root
> > login to ssh by default would mean that many people would have no way to
> > get into the system at all. (Yes, we could force the creation of a
> > non-root user at install time, but this user would by necessity be an
> > administrator capable of becoming root via sudo, so the distinction
> > is... fuzzy). The only other approach I could see for the headless
> > servers would be mandating the enrollment in an identity domain at
> > installation time (such as to FreeIPA or Active Directory).
> 
> Having a non-root account with sudo is already more secure because the
> attacker would have to guess the username in addition to the password.
> 

That's a perfect example of "security through obscurity". You are making
the false assumption that just because the username isn't 'root', it is
somehow difficult to identify. I'll grant you, this will make it harder
for a simple automated script-kiddie to get in, but it won't hamper a
targeted attack very much.

> > Neither of those approaches is anything like ideal, so I would argue
> > that Server should continue to operate with the SSH root login being
> > available by default, but perhaps add documentation to the install guide
> > recommending to disable it if other accounts are available; perhaps even
> > by adding a simple kickstart directive (but no UI element) to accomplish
> > this.
> 
> I disagree.  I think requiring a non-root account w/Admin to be
> created is the best way to go.

That is functionally equivalent to a root account. Once the user has the
password, they will just use 'sudo' with that same password. The battle
has been lost. The *only* change that this effects is to add some
guesswork to the username.