F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Miloslav Trmač mitr at redhat.com
Thu Jan 8 19:03:30 UTC 2015


----- Original Message -----
> > = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
> > https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

> In the Server case, nearly every deployment is headless. Disabling root
> login to ssh by default would mean that many people would have no way to
> get into the system at all. (Yes, we could force the creation of a
> non-root user at install time, but this user would by necessity be an
> administrator capable of becoming root via sudo, so the distinction
> is... fuzzy).

No, there is an important conceptual distinction between logging in as a “hard-coded technical account named root” and logging in as a real person (or a bacula/ansible service account, even if ultimately root-privileged through some mechanism), as soon as more than one person has administrative access: attribution and accountability.

OTOH, the security distinction between brute-forcing (constant “root”+password) or (username+password) is trivial enough that I don’t think the change as proposed makes sense.

> The only other approach I could see for the headless
> servers would be mandating the enrollment in an identity domain at
> installation time (such as to FreeIPA or Active Directory).
> 
> Neither of those approaches is anything like ideal,

I think we should eventually end up forcing _all_ logins (both remote and local) to actually identify a security principal (i.e. have a local user set up or a domain membership as a required step during installation).  You are right that at this moment this would not go smoothly; we should make it smooth enough first, and then just remove the root password altogether to force going through a real account first.

(https://lists.fedoraproject.org/pipermail/security/2014-December/002039.html)


> We can also consider opening an RFE against realmd, so that if the
> machine becomes enrolled in a domain, it disables the remote root login
> by default. I'm not sure about that, however.

That seems like a fairly confusing combination of a mechanism (realmd as a tool “for joining domains”) and distribution policy (Fedora prevents/recommends not to use logins directly as root).
     Mirek
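The thread is about what value of `PermitRootLogin` a host ends up with; an easy way to get that wrong is to add a second `PermitRootLogin` line without removing the first, because sshd_config(5) uses the first value obtained for each keyword. The following audit script is an added example for this page, not code from the thread, from Fedora or from OpenSSH. It parses an sshd_config text, applies the first-value-wins rule, reports `Match`-block overrides separately, and flags the `yes` setting that allows root to authenticate with a password. The sample configurations are constructed, and the script assumes no `Include` directives are present (it does not follow them).

```python
"""Audit the effective PermitRootLogin setting of an sshd_config file.

Added example; not Fedora or OpenSSH code. It implements two documented
sshd_config(5) rules: keywords are case-insensitive, and for each keyword
the *first* value obtained is used (later duplicates are ignored).
Directives after a Match line apply only when the criteria match, so they
are reported separately rather than treated as the global value.
Assumption for this example: Include directives are not followed.
"""

# Upstream OpenSSH default (since 7.0) when the directive is absent.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


def parse_sshd_config(config_text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercased keyword -> first value seen.
    match_blocks is a list of (criteria, {lowercased keyword: value}).
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # sshd_config accepts "Keyword value" as well as "Keyword=value".
        tokens = line.replace("=", " ", 1).split(None, 1)
        keyword = tokens[0].lower()
        value = tokens[1].strip() if len(tokens) > 1 else ""
        if keyword == "match":
            current = {}                       # start a conditional section
            match_blocks.append((value, current))
            continue
        # First value wins: repeats within the same section are ignored.
        current.setdefault(keyword, value)
    return global_settings, match_blocks


def audit_permit_root_login(config_text):
    """Report the effective PermitRootLogin value and whether it lets
    root authenticate with a password (the case the thread argues about)."""
    settings, match_blocks = parse_sshd_config(config_text)
    value = settings.get("permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN).lower()
    if value == "without-password":            # deprecated alias
        value = "prohibit-password"
    overrides = [
        (criteria, block["permitrootlogin"])
        for criteria, block in match_blocks
        if "permitrootlogin" in block
    ]
    return {
        "effective": value,
        "password_root_login": value == "yes",
        "match_overrides": overrides,
    }


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
# Someone "fixed" it below, but sshd keeps the first value: still yes.
PermitRootLogin no
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_permit_root_login(cfg))
```

Running it on the weak sample reports `effective: yes` even though a `no` line is present further down, which is exactly the mistake a quick grep for `PermitRootLogin no` would miss; on a live host, `sshd -T` prints the same effective values after full parsing, including `Include` files.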

