F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Dennis Gilmore dennis at ausil.us
Thu Jan 8 23:30:22 UTC 2015


On Thu, 08 Jan 2015 08:43:48 -0500
Stephen Gallagher <sgallagh at redhat.com> wrote:

> 
> On Thu, 2015-01-08 at 13:42 +0100, Jaroslav Reznik wrote:
> > = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
> > https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> > 
> > Change owner(s): P J P <pjp at fedoraproject.org> and Fedora Security
> > Team
> > 
> > To disable the remote root login facility in sshd(8) by default.
> > 
> > == Detailed Description ==
> > The sshd(8) daemon allows remote users to log in as 'root' by default.
> > This gives remote attackers an option to brute-force their way
> > into a system. Empirically it is observed that many users use their
> > systems via 'root' login, without creating a non-root user, and often
> > have weak passwords for this mighty account. sshd_config(5) has an
> > option 'PermitRootLogin=yes|no' which controls sshd(8) behaviour;
> > it is set to 'yes' by default. Disabling remote root login by
> > setting PermitRootLogin=no would help to harden Fedora systems,
> > moving it an inch closer towards a 'secure by default' future. Users
> > can have non-root accounts with weak passwords too, yet disabling
> > remote root login keeps an attacker a step away from getting full
> > control of a system. There is another option of disabling user
> > login via password and requiring the use of cryptographic keys for the
> > same. But that could be a next step in the future.
> > 
> > Please see ->
> > https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html
> > 
> > == Scope ==
> > * Proposal owners: to communicate with the Fedora maintainers of
> > packages: Anaconda, OpenSSH, GNOME, etc.
> > * Other developers: packages like Anaconda, GNOME etc. need to
> > update their workflow to enable compulsory non-root user account
> > creation and ensure good password strength for it.
> > * Release engineering: installer needs to ensure creation of
> > non-root user account with strong password. Similarly, all Fedora
> > images must be created with a non-root user account.
> > * Policies and guidelines: unknown yet.
> 
> Can we clarify something here? Is this a request to change the
> defaults globally for all Products/nonproduct installs?
> 
> I would argue that it could be sensible to do this for Workstation and
> non-product installs, but not for Server and Cloud.

I actually disagree here. I for one do non-product installs on both
server and desktop environments. I set a root password at install time
and post-install join the machine to my IPA domain to get user accounts
sorted. I often need to set up DNS entries post-install for joining the
domain to work. While on the desktop machines I can log in directly as
root, the servers are generally virtual machines that are headless.

> In the Server case, nearly every deployment is headless. Disabling
> root login to ssh by default would mean that many people would have
> no way to get into the system at all. (Yes, we could force the
> creation of a non-root user at install time, but this user would by
> necessity be an administrator capable of becoming root via sudo, so
> the distinction is... fuzzy). The only other approach I could see for
> the headless servers would be mandating the enrollment in an identity
> domain at installation time (such as to FreeIPA or Active Directory).
That is not always possible.

> Neither of those approaches is anything like ideal, so I would argue
> that Server should continue to operate with the SSH root login being
> available by default, but perhaps add documentation to the install
> guide recommending to disable it if other accounts are available;
> perhaps even by adding a simple kickstart directive (but no UI
> element) to accomplish this.

There likely need to be options in kickstart and the installer for
enabling the different types of options people could want.

> We can also consider opening an RFE against realmd, so that if the
> machine becomes enrolled in a domain, it disables the remote root
> login by default. I'm not sure about that, however.
> 
> In the case of Cloud, I think the point is basically moot, since
> cloud-init should be handling all the relevant setup for this in any
> case.
> 
> tl;dr:
> Let's make this change happen with a per-product config default, with
> Workstation and Non-product setups disabling root SSH login by
> default. Server should leave SSH login enabled (arguably conditional
> on whether or not the user enrolls in a domain).

Let's make this something configurable at install time.

Dennis
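As an added example, not part of this thread or of the Fedora proposal it quotes, the POSIX shell script below shows the sshd_config(5) rule that matters when an installer, kickstart %post or admin flips this setting: sshd(8) honours the first PermitRootLogin keyword it meets, so a "PermitRootLogin no" appended after an existing "PermitRootLogin yes" changes nothing. It reports the effective value for a constructed config and writes a hardened copy with the "no" placed first. The function names, the temp files and the sample config are this example's own; the fallback of "yes" when no keyword is present is the default the proposal describes.

```shell
#!/bin/sh
# Added example (not from the original thread): read and harden the
# PermitRootLogin setting of an sshd_config.
# sshd(8) uses the FIRST matching keyword; later duplicates are ignored.
# Both "Keyword value" and "Keyword=value" spellings are accepted here, as
# sshd_config(5) accepts them. Match blocks are not handled: a
# PermitRootLogin inside one applies conditionally and would need extra care.

# Effective PermitRootLogin for config file $1: first explicit setting,
# comments stripped and keyword matched case-insensitively. Falls back to
# "yes", the default the proposal states for the OpenSSH of the time.
effective_permit_root_login() {
    val=$(awk '{ sub(/#.*/, ""); gsub(/=/, " ") }
               tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    if [ -z "$val" ]; then
        echo yes
    else
        echo "$val"
    fi
}

# Write a hardened copy of $1 to $2: every existing PermitRootLogin line
# is dropped and "PermitRootLogin no" is emitted first, so it wins no
# matter what the rest of the file or a later append says.
harden_permit_root_login() {
    {
        echo "PermitRootLogin no"
        awk '{ l = $0; sub(/#.*/, "", l); gsub(/=/, " ", l); split(l, f) }
             tolower(f[1]) != "permitrootlogin" { print }' "$1"
    } > "$2"
}

# Constructed sample config (not any real host's file) for demonstration.
SAMPLE_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$HARDENED_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by an admin; sshd ignores it because the earlier line wins
PermitRootLogin=no
EOF

harden_permit_root_login "$SAMPLE_CFG" "$HARDENED_CFG"

echo "effective before hardening: $(effective_permit_root_login "$SAMPLE_CFG")"
echo "effective after hardening:  $(effective_permit_root_login "$HARDENED_CFG")"
```

The first-match rule is why a kickstart directive or installer step should rewrite or prepend the keyword rather than append it, and why an audit should read the effective value (on a live host `sshd -T` prints it) rather than grep for the last line. Note that OpenSSH 7.0 and later ship with a compiled-in default of prohibit-password rather than yes, so the "yes" fallback above matches the releases the proposal targeted, not current ones.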