Hi!

On Mon, Apr 15, 2019 at 08:53:58PM -0600, Chris Murphy wrote:
> The gist is that Fedora uses a (silently) modified sshd_config from
> openssh upstream, which sets `PermitRootLogin yes` instead of the
> upstream default of `prohibit-password` and this sounds like it would
> be an important or higher impact security impact leaving it set to
> yes.
>
> Could someone reply here or in the bug with such an assessment?

After reading the mailing list discussion[1] about setting it to "no" by default, I'm not sure if I can give a proper recommendation here.

I've not verified all claims in the thread, but it seems that ssh is disabled for workstation installs anyway; the cloud version seems to have something similar in cloud-init.

There was a request to disable password login either via firstboot or when creating a user. Currently it seems that the installer allows having no user account but only the root user, so disabling this straight away would lock the box if there is no local login available (e.g. remote installations).

I'd personally go for "prohibit-password" (usually you can access the console via some mechanism), but for compatibility reasons I'd go for configuring it myself, and leave the default on "yes". After all, the "root password" is known to be "important", so if someone sets this to a simple password it is a risk they take on knowingly. Anaconda warns on really simple passwords anyway, so the user definitely should know that they are doing something bad.

On the mailing list there was a call for FESCo to review this. I also think FESCo is the proper place to decide, as it is not so much a security issue, but a policy decision.

All the best,
David

[1] https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/KZPSAQID7XGYVFRAINAOSYMZ4LPR7EHL/
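The setting the thread argues about is a plain sshd_config keyword, and the thing an administrator actually wants to know is which value is in effect on a given box. The script below is an added example; it is not code from the thread, from Fedora, or from OpenSSH. It reads an sshd_config text and reports the effective global PermitRootLogin value, applying the rule from sshd_config(5) that the first value seen for a keyword wins, treating an absent keyword as the upstream compiled-in default prohibit-password, and folding the older spelling without-password into that. Values inside a Match block are conditional and are ignored, and Include directives are not followed, so on a live host `sshd -T | grep -i permitrootlogin` remains the authoritative check. The three sample config files are constructed for the example and stand for no real distribution file.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora or OpenSSH): report the effective
# global PermitRootLogin value of an sshd_config text and flag the weak setting.
# sshd uses the FIRST value it sees for a keyword, so a hardened line that comes
# earlier overrides a later "PermitRootLogin yes". Upstream default when the
# keyword is absent: prohibit-password (OpenSSH >= 7.0). Match blocks are
# conditional and skipped; Include is not followed (use `sshd -T` on a real host).

# effective_permit_root_login FILE -> prints the normalized effective value
effective_permit_root_login() {
    v=$(awk '
        { sub(/#.*/, "") }                        # drop comments
        NF == 0 { next }                           # skip blank lines
        tolower($1) == "match" { exit }            # stop at the first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); exit }   # first hit wins
    ' "$1")
    case "$v" in
        "")               v="prohibit-password" ;;   # keyword absent: upstream default
        without-password) v="prohibit-password" ;;   # deprecated alias, same meaning
    esac
    printf '%s\n' "$v"
}

# audit_permit_root_login FILE -> exit 0 unless root can log in with a password
audit_permit_root_login() {
    eff=$(effective_permit_root_login "$1")
    case "$eff" in
        yes) printf 'WEAK: %s allows root login with a password\n' "$1"; return 1 ;;
        *)   printf 'OK: %s -> %s\n' "$1" "$eff"; return 0 ;;
    esac
}

# hardened_setting -> the line to place FIRST in the effective config so that
# first-match semantics make it win over any later "PermitRootLogin yes"
hardened_setting() {
    printf 'PermitRootLogin prohibit-password\n'
}

# Constructed sample configs for the example (not real files from any distro).
weak=$(mktemp); hardened=$(mktemp); absent=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$weak"
# Same file with the hardened line prepended: the first occurrence wins.
{ hardened_setting; cat "$weak"; } > "$hardened"
# Keyword only inside a Match block: global value falls back to the default.
printf 'Port 22\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n' > "$absent"

audit_permit_root_login "$weak" || true
audit_permit_root_login "$hardened"
audit_permit_root_login "$absent"
```

Run it with `sh` against copies of your own sshd_config to see which value survives first-match; the hardened line is only effective if it is reached before the distribution's `PermitRootLogin yes`, which is why an override file that is included near the top of the main config (where the distribution supports that) works and one appended at the bottom does not.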
security mailing list -- security@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/security@xxxxxxxxxxxxxxxxxxxxxxx