F22 System Wide Change: Set sshd(8) PermitRootLogin=no
Miloslav Trmač
mitr at redhat.com
Thu Jan 8 19:03:30 UTC 2015
----- Original Message -----
> > = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
> > https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> In the Server case, nearly every deployment is headless. Disabling root
> login to ssh by default would mean that many people would have no way to
> get into the system at all. (Yes, we could force the creation of a
> non-root user at install time, but this user would by necessity be an
> administrator capable of becoming root via sudo, so the distinction
> is... fuzzy).
No, there is an important conceptual distinction between logging in as a “hard-coded technical account named root” and logging in as a real person (or a bacula/ansible service account, even if ultimately root-privileged through some mechanism), as soon as more than one person has administrative access: attribution and accountability.
OTOH, the security distinction between brute-forcing (constant “root”+password) and (username+password) is trivial enough that I don’t think the change as proposed makes sense.
> The only other approach I could see for the headless
> servers would be mandating the enrollment in an identity domain at
> installation time (such as to FreeIPA or Active Directory).
>
> Neither of those approaches is anything like ideal,
I think we should eventually end up forcing _all_ logins (both remote and local) to actually identify a security principal (i.e. have a local user set up or a domain membership as a required step during installation). You are right that at this moment this would not go smoothly; we should make it smooth enough first, and then just remove the root password altogether to force going through a real account first.
(https://lists.fedoraproject.org/pipermail/security/2014-December/002039.html )
> We can also consider opening an RFE against realmd, so that if the
> machine becomes enrolled in a domain, it disables the remote root login
> by default. I'm not sure about that, however.
That seems like a fairly confusing combination of a mechanism (realmd as a tool “for joining domains”) and distribution policy (Fedora prevents/recommends not to use logins directly as root).
Mirek