About sshd(8) PermitRootLogin=no

Richard Z rz at linux-m68k.org
Mon Nov 24 14:49:08 UTC 2014 

On Mon, Nov 24, 2014 at 02:02:59PM +0100, Petr Lautrbach wrote:
> On 11/24/2014 01:57 PM, Tomas Mraz wrote:
> > On Po, 2014-11-24 at 12:37 +0000, P J P wrote:
> >>    Hello,
> >>
> >> Please see
> >>   -> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> >>
> >> Last week this was discussed in the FST meeting and on the
> >> fedora-devel list subsequently. General consensus seems to be that it
> >> is okay to disable remote 'root' login via sshd(8). Above feature
> >> request is for the same.
> >>
> >> If you have any comments/suggestions/inputs, please feel free share
> >> them or edit the feature page as required.
> > 
> > For the ssh-inject feature you would need PermitRootLogin
> > without-password. Also I do not see as a risk to allow root login with
> > the public-key authentication so that might be a good compromise.
> > 
> > The reason the root login with password was kept allowed was the support
> > for vnc installation without kickstart as it was previously impossible
> > to create regular user in anaconda. Now that anaconda allows to create
> > regular user accounts we could disable sshd root login with password. We
> > just need to properly advertise that.
> 
> reference https://bugzilla.redhat.com/show_bug.cgi?id=89216
> 
> > 
> > The only remaining problem is for systems which have been installed
> > previously and have only root login and someone upgrades them to new
> > Fedora release. Here the system would be made inaccessible by the
> > openssh-server rpm upgrade from the old Fedora to F22.
> > 
> > I am afraid there is no easy solution for the problem above.
> > 
> 
> I think it's ok for upgrade between versions if it's promoted as a
> Fedora Feature.

removing root ssh with password is probably a good thing but admins who 
configured ssh with public-key auth probably have done that after spending 
a few thoughts on it and should not be shot in their feet so quickly.

Richard

---
Name and OpenPGP keys available from pgp key servers

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/security/attachments/20141124/e8903e83/attachment.sig>

More information about the security mailing list