About sshd(8) PermitRootLogin=no

Tomas Mraz tmraz at redhat.com
Mon Nov 24 12:57:24 UTC 2014


On Mon, 2014-11-24 at 12:37 +0000, P J P wrote:
>    Hello,
> 
> Please see
>   -> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> 
> Last week this was discussed in the FST meeting and on the
> fedora-devel list subsequently. General consensus seems to be that it
> is okay to disable remote 'root' login via sshd(8). Above feature
> request is for the same.
> 
> If you have any comments/suggestions/inputs, please feel free to share
> them or edit the feature page as required.

For the ssh-inject feature you would need PermitRootLogin
without-password. Also, I do not see it as a risk to allow root login with
public-key authentication, so that might be a good compromise.

The reason root login with password was kept allowed was the support
for vnc installation without kickstart, as it was previously impossible
to create a regular user in anaconda. Now that anaconda allows creating
regular user accounts, we could disable sshd root login with password. We
just need to properly advertise that.

The only remaining problem is for systems which have been installed
previously and have only root login, and someone upgrades them to a new
Fedora release. Here the system would be made inaccessible by the
openssh-server rpm upgrade from the old Fedora to F22.

I am afraid there is no easy solution for the problem above.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
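
Added example, not part of the original message or of any Fedora/OpenSSH tooling: a pre-upgrade audit for the lock-out case described above, classifying whether a host keeps ssh access if PermitRootLogin becomes "no" or "without-password". The function names, the uid_min=1000 cut-off, the "yes" default and the sample config/passwd text are assumptions constructed for illustration.

```python
# Added example: pre-upgrade audit for the root-only lock-out case.
# Sample data is constructed; uid_min=1000 and default="yes" are assumptions.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
KEY_ONLY = {"without-password", "prohibit-password"}

def permit_root_login(sshd_config, default="yes"):
    """Global PermitRootLogin value; sshd uses the first value it obtains."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if not parts:
            continue
        if parts[0].lower() == "match":
            break  # conditional Match blocks are not evaluated here
        if parts[0].lower() == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return default

def regular_login_users(passwd, uid_min=1000):
    """Non-system accounts with a usable shell (password/key state not checked)."""
    users = []
    for line in passwd.splitlines():
        f = line.strip().split(":")
        if len(f) == 7 and f[2].isdigit() and int(f[2]) >= uid_min \
                and f[6] not in NOLOGIN_SHELLS:
            users.append(f[0])
    return users

def ssh_access_after(new_value, passwd, root_has_authorized_keys):
    """Classify remote access if PermitRootLogin became new_value."""
    if new_value == "yes":
        return "ok: root password login unchanged"
    if regular_login_users(passwd):
        return "ok: regular account available"
    if new_value in KEY_ONLY and root_has_authorized_keys:
        return "ok: root public-key login remains"
    return "lockout: root-only host loses ssh access"

# Constructed sample inputs
OLD_CONFIG = "#PermitRootLogin yes\nPasswordAuthentication yes\n"
ROOT_ONLY = "root:x:0:0:root:/root:/bin/bash\nsshd:x:74:74::/var/empty/sshd:/sbin/nologin\n"
WITH_USER = ROOT_ONLY + "alice:x:1000:1000::/home/alice:/bin/bash\n"

if __name__ == "__main__":
    print("current:", permit_root_login(OLD_CONFIG))
    for value in ("no", "without-password"):
        for keys in (False, True):
            print(value, keys, ssh_access_after(value, ROOT_ONLY, keys))
    print("no", ssh_access_after("no", WITH_USER, False))
```

On a real host the inputs would be the contents of /etc/ssh/sshd_config and /etc/passwd, plus whether /root/.ssh/authorized_keys holds a usable key.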



