About sshd(8) PermitRootLogin=no

Petr Lautrbach plautrba at redhat.com
Mon Nov 24 13:02:59 UTC 2014


On 11/24/2014 01:57 PM, Tomas Mraz wrote:
> On Po, 2014-11-24 at 12:37 +0000, P J P wrote:
>>    Hello,
>>
>> Please see
>>   -> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
>>
>> Last week this was discussed in the FST meeting and on the
>> fedora-devel list subsequently. General consensus seems to be that it
>> is okay to disable remote 'root' login via sshd(8). Above feature
>> request is for the same.
>>
>> If you have any comments/suggestions/inputs, please feel free to share
>> them or edit the feature page as required.
> 
> For the ssh-inject feature you would need PermitRootLogin
> without-password. Also I do not see it as a risk to allow root login with
> the public-key authentication so that might be a good compromise.
> 
> The reason the root login with password was kept allowed was the support
> for vnc installation without kickstart as it was previously impossible
> to create a regular user in anaconda. Now that anaconda allows creating
> regular user accounts we could disable sshd root login with password. We
> just need to properly advertise that.

reference https://bugzilla.redhat.com/show_bug.cgi?id=89216

> 
> The only remaining problem is for systems which have been installed
> previously and have only root login and someone upgrades them to new
> Fedora release. Here the system would be made inaccessible by the
> openssh-server rpm upgrade from the old Fedora to F22.
> 
> I am afraid there is no easy solution for the problem above.
> 

I think it's ok for upgrade between versions if it's promoted as a
Fedora Feature.


Petr
-- 
Petr Lautrbach
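
The upgrade concern raised in this thread can be checked per host before the change lands. The following is an added example, not part of the original messages or of any Fedora tooling; the function names, the sample files, the UID >= 1000 cut-off for regular accounts and the idea that the change arrives as a new default for configs that set no explicit value are all assumptions.

```python
import re

# Constructed sample inputs (not taken from any real host).
SSHD_CONFIG = """\
#PermitRootLogin yes
PasswordAuthentication yes
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""

def effective_root_login(config_text, default):
    """Global PermitRootLogin value; sshd honours the first occurrence of a keyword."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = re.split(r"[\s=]+", line, maxsplit=1)  # "Keyword value" or "Keyword=value"
        key = words[0].lower()
        if key == "match":
            break  # Match blocks are conditional overrides, not the global setting
        if key == "permitrootlogin" and len(words) > 1:
            return words[1].strip('"').lower()
    return default

def login_users(passwd_text, uid_min=1000):
    """Non-system accounts with a usable shell (uid_min is an assumed threshold)."""
    users = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and int(f[2]) >= uid_min and not f[6].endswith(("nologin", "false")):
            users.append(f[0])
    return users

def upgrade_risk(config_text, passwd_text, root_has_keys, new_default):
    """Return 'lockout' if nobody could log in over ssh once new_default applies."""
    mode = effective_root_login(config_text, new_default)
    # prohibit-password is the later OpenSSH name for without-password
    key_only = mode in ("without-password", "prohibit-password")
    root_ok = mode == "yes" or (key_only and root_has_keys)
    return "ok" if root_ok or login_users(passwd_text) else "lockout"

if __name__ == "__main__":
    for default in ("no", "without-password"):
        print(default, upgrade_risk(SSHD_CONFIG, PASSWD, False, default))
```

On a real host, `root_has_keys` would come from checking whether root's `authorized_keys` file exists and is non-empty.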

