On Mon, 2014-11-24 at 12:37 +0000, P J P wrote:
> Hello,
>
> Please see
> -> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
>
> Last week this was discussed in the FST meeting and on the
> fedora-devel list subsequently. General consensus seems to be that it
> is okay to disable remote 'root' login via sshd(8). Above feature
> request is for the same.
>
> If you have any comments/suggestions/inputs, please feel free to share
> them or edit the feature page as required.

For the ssh-inject feature you would need PermitRootLogin
without-password. Also I do not see it as a risk to allow root login with
the public-key authentication so that might be a good compromise.

The reason the root login with password was kept allowed was the support
for vnc installation without kickstart as it was previously impossible
to create a regular user in anaconda. Now that anaconda allows creating
regular user accounts we could disable sshd root login with password. We
just need to properly advertise that.

The only remaining problem is for systems which have been installed
previously and have only root login and someone upgrades them to new
Fedora release. Here the system would be made inaccessible by the
openssh-server rpm upgrade from the old Fedora to F22.

I am afraid there is no easy solution for the problem above.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
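
The upgrade lock-out case raised in the message above, as an added example that is not part of the original thread or of any Fedora or OpenSSH tooling: a pre-upgrade check that lists which accounts could still authenticate to sshd under a given `PermitRootLogin` value. The function names, the `UID_MIN` of 1000, and the passwd/shadow sample are assumptions or constructed data; the check ignores `AllowUsers`, PAM rules and whether a regular user can become root afterwards.

```python
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
UID_MIN = 1000  # assumption: first UID handed to regular accounts

# Constructed sample: an old install that only ever had a root account.
PASSWD_ROOT_ONLY = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""
SHADOW_ROOT_ONLY = """\
root:$6$constructed$hash:16398:0:99999:7:::
bin:*:16398:0:99999:7:::
sshd:!!:16398::::::
"""

def usable_hashes(shadow_text):
    """Names whose shadow field holds a real hash (not empty, '!' or '*')."""
    names = set()
    for line in shadow_text.strip().splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] and fields[1][0] not in "!*":
            names.add(fields[0])
    return names

def remote_logins(passwd_text, shadow_text, key_users, permit_root_login):
    """Accounts that could still authenticate to sshd under the setting.

    key_users: names known to have a populated authorized_keys file.
    """
    if permit_root_login not in ("yes", "without-password", "no"):
        raise ValueError("unhandled PermitRootLogin value: " + permit_root_login)
    with_password = usable_hashes(shadow_text)
    allowed = []
    for line in passwd_text.strip().splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if shell in NOLOGIN_SHELLS:
            continue
        has_pw, has_key = name in with_password, name in key_users
        if int(uid) == 0:  # root: governed by PermitRootLogin
            ok = (permit_root_login == "yes" and (has_pw or has_key)) or (
                permit_root_login == "without-password" and has_key)
        else:  # regular users only; system accounts are ignored
            ok = int(uid) >= UID_MIN and (has_pw or has_key)
        if ok:
            allowed.append(name)
    return sorted(allowed)

if __name__ == "__main__":
    for value in ("yes", "without-password", "no"):
        left = remote_logins(PASSWD_ROOT_ONLY, SHADOW_ROOT_ONLY, set(), value)
        print(value, "->", left or "LOCKED OUT")
```

An empty result means the configuration change would leave no account able to log in over SSH, which is the root-only upgrade scenario described in the reply.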