On Po, 2014-11-24 at 15:49 +0100, Richard Z wrote:
> On Mon, Nov 24, 2014 at 02:02:59PM +0100, Petr Lautrbach wrote:
> > On 11/24/2014 01:57 PM, Tomas Mraz wrote:
> > > On Po, 2014-11-24 at 12:37 +0000, P J P wrote:
> > >> Hello,
> > >>
> > >> Please see
> > >> -> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> > >>
> > >> Last week this was discussed in the FST meeting and on the
> > >> fedora-devel list subsequently. General consensus seems to be that it
> > >> is okay to disable remote 'root' login via sshd(8). Above feature
> > >> request is for the same.
> > >>
> > >> If you have any comments/suggestions/inputs, please feel free to share
> > >> them or edit the feature page as required.
> > >
> > > For the ssh-inject feature you would need PermitRootLogin
> > > without-password. Also I do not see it as a risk to allow root login with
> > > the public-key authentication so that might be a good compromise.
> > >
> > > The reason the root login with password was kept allowed was the support
> > > for vnc installation without kickstart as it was previously impossible
> > > to create regular user in anaconda. Now that anaconda allows to create
> > > regular user accounts we could disable sshd root login with password. We
> > > just need to properly advertise that.
> >
> > reference https://bugzilla.redhat.com/show_bug.cgi?id=89216
> >
> > >
> > > The only remaining problem is for systems which have been installed
> > > previously and have only root login and someone upgrades them to new
> > > Fedora release. Here the system would be made inaccessible by the
> > > openssh-server rpm upgrade from the old Fedora to F22.
> > >
> > > I am afraid there is no easy solution for the problem above.
> > >
> >
> > I think it's ok for upgrade between versions if it's promoted as a
> > Fedora Feature.
>
> removing root ssh with password is probably a good thing but admins who
> configured ssh with public-key auth probably have done that after spending
> a few thoughts on it and should not be shot in their feet so quickly.

That's solved by 'PermitRootLogin without-password' which I think should
be the change and not 'PermitRootLogin no'.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
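
The upgrade concern raised in the thread, as an added example (not code from the thread, Fedora or OpenSSH): a pre-upgrade check that reports whether a host relying on the packaged default would lose remote administrative access if that default became `no` or `without-password`. The function names, the UID >= 1000 rule for regular accounts and the sample host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are parameters so the check
# can be run against copies; the sample host below is constructed.

# Value sshd uses for PermitRootLogin: the first uncommented occurrence in the
# global section wins, else the package default ($2). Match/Include not followed.
effective_root_login() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${val:-$2}"
}

# True if root's authorized_keys holds at least one non-comment line.
root_has_keys() {
    [ -r "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# True if a regular account exists (assumption: UID >= 1000, real login shell).
# It does not prove that the account can become root via su or sudo.
has_login_user() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { found = 1 }
             END { exit !found }' "$1"
}

# lockout_risk NEW_DEFAULT SSHD_CONFIG ROOT_AUTH_KEYS PASSWD -> "ok" | "lockout"
lockout_risk() {
    mode=$(effective_root_login "$2" "$1")
    case "$mode" in
        yes) echo ok; return 0 ;;
        without-password|prohibit-password)
            if root_has_keys "$3"; then echo ok; return 0; fi ;;
    esac
    if has_login_user "$4"; then echo ok; else echo lockout; fi
}

# Constructed root-only host that relies on the packaged default.
make_sample() {
    printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$1/sshd_config"
    printf 'ssh-ed25519 AAAA-constructed-key root@example\n' > "$1/authorized_keys"
    printf 'root:x:0:0::/root:/bin/bash\nsshd:x:74:74::/:/sbin/nologin\n' > "$1/passwd"
}

d=$(mktemp -d) && make_sample "$d"
for new in no without-password; do
    printf '%-17s %s\n' "$new" \
        "$(lockout_risk "$new" "$d/sshd_config" "$d/authorized_keys" "$d/passwd")"
done
rm -rf "$d"
```

On a real host, point the arguments at `/etc/ssh/sshd_config`, `/root/.ssh/authorized_keys` and `/etc/passwd`; an explicit `PermitRootLogin` line in the config is unaffected by a change of packaged default.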