F22 System Wide Change: Set sshd(8) PermitRootLogin=no

P J P pj.pandit at yahoo.co.in
Tue Jan 13 04:53:43 UTC 2015


> On Tuesday, 13 January 2015 3:06 AM, Miloslav Trmač wrote:
> (The general theme of this mail: Being flexible is fine, and establishing this 
> through this discussion is great; however, ultimately the Change proposal needs 
> to document the _specific outcome_ of that discussion.²)

  I understand, I'll do that.

> “Can be” or “will be”?  How?  It is vaguely worrying that the Change proposal 
> explicitly lists only the most trivial task to do (change a sshd.conf option) 
> and is only fairly generic about how other parts of the OS and users need to 
> and/or will adapt.

  Well, part of it was due to unknown use-cases of how users would be affected by this change. Otherwise, the immediate, straightforward effect is that users would have to create & use non-root accounts first. I've tried to collate more details

  here -> https://www.piratepad.ca/p/ssh-remoterootloigin

> “Could conditionally“…  With my FESCo hat on, during the Change Checkpoints 
> FESCo will need to know whether the Change is sufficiently complete or whether 
> to fall back to the contingency plan.  Having a “Could conditionally” nailed 
> down to yes or no would prevent general unhappiness if the respective package 
> maintainers thought that they have done the right thing and FESCo during review 
> suddenly decided that the right thing is the opposite.

  Right, I understand. It's 'could conditionally' because it's still an early-stage proposed change in workflow.

> So this proposal only helps if we hope that a bot won’t try the right user name; 
> calling this security by obscurity is not too wide off the mark.


  I beg to differ here a little. Because nothing is stopping them from trying non-root accounts now, and even with the 'without-password' option, nothing changes for non-root accounts. The proposed change and use of the 'PermitRootLogin' option is only to restrict remote 'root' access. IMO that's not obscurity.

So, we do seem to have consensus (at least no opposition) for the 'PermitRootLogin=without-password' option. I'll update the feature page with it and details about the specific use-cases.

Thank you.
---
Regards
   -Prasad
http://feedmug.com
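
An added example, not part of the original message or of any Fedora tooling: a small audit that reads sshd_config text and reports which PermitRootLogin value applies, so the 'without-password' setting discussed above can be checked on a host. The function names and sample configs are constructed for illustration, and the `default` argument is an assumption that must be set to what the installed sshd uses when the keyword is absent.

```python
import re

# Keyword and first argument, separated by whitespace or a single "=".
LINE = re.compile(r'^\s*([A-Za-z]+)(?:\s*=\s*|\s+)"?([^"\s]+)"?')
# Only "yes" lets root authenticate with a password; "no",
# "without-password"/"prohibit-password" and "forced-commands-only" do not.
ALLOWS_ROOT_PASSWORD = {"yes"}


def audit_root_login(config_text, default="yes"):
    """Return (global_value, match_overrides) for PermitRootLogin.

    default is an assumption (see lead-in). Include files are not followed
    and Match conditions are not evaluated, only reported.
    """
    global_value = None
    overrides = []
    in_match = False
    for raw in config_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                      # comment line
        m = LINE.match(raw)
        if not m:
            continue                      # blank or unparsable line
        keyword, value = m.group(1).lower(), m.group(2).lower()
        if keyword == "match":
            in_match = True               # later lines are conditional
        elif keyword == "permitrootlogin":
            if in_match:
                overrides.append(value)
            elif global_value is None:    # sshd keeps the first value obtained
                global_value = value
    return (global_value or default), overrides


def permits_root_password(config_text, default="yes"):
    """True if the global value or any Match block sets PermitRootLogin yes.

    PasswordAuthentication is not considered here.
    """
    value, overrides = audit_root_login(config_text, default)
    return value in ALLOWS_ROOT_PASSWORD or "yes" in overrides


# Constructed sample configs.
PROPOSED = "#PermitRootLogin yes\nPermitRootLogin=without-password\nPermitRootLogin yes\n"
WITH_MATCH = "PermitRootLogin without-password\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n"
```

A later `PermitRootLogin yes` in the global section has no effect once an earlier value is set, while one inside a Match block can still re-enable root password logins for matching connections, which is why the audit reports both.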

