On Mon, 2019-10-07 at 14:13 +0200, Marko Vojinovic wrote: > On Mon, 07 Oct 2019 10:38:32 +0200 > Jakub Jelen <jjelen@xxxxxxxxxx> wrote: > > > On Mon, 2019-10-07 at 02:53 +0200, Marko Vojinovic wrote: > > > On Mon, 7 Oct 2019 10:21:03 +1100 > > > Cameron Simpson <cs@xxxxxxxxxx> wrote: > > > > On 07Oct2019 01:00, Marko Vojinovic <vvmarko@xxxxxxxxx> wrote: > > > > > On Sun, 06 Oct 2019 18:05:02 +0200 > > > > > alciregi@xxxxxxxxx wrote: > > > > > > It could it be related to this change: > > > > > > https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH > > > > > > > > > > As a side question --- I remember that this was the default > > > > > for > > > > > upstream OpenSSH since 2015, but was not adopted in Fedora > > > > > because > > > > > people who install Fedora on headless machines (or remotely) > > > > > would > > > > > have no other way of logging in after initial installation. > > > > > So > > > > > why > > > > > the change of heart now, what happened to the headless login > > > > > issue? > > > > > > > > Because one can generally set up a normal user, log in as them, > > > > then > > > > su or sudo. > > > > > > Was this not possible back in 2015? > > > > > > I guess I am asking what technically changed between then and > > > now, > > > so that we didn't block root back then and we are doing it now? > > > > Please, read the whole fedora change page. It answers all your > > questions. > > Well, the relevant sentence from the change page says: > > "Fedora was for many practical reasons keeping the old configuration > since then, but the difference is no longer bearable" > > Can you please elaborate what were the "many practical reasons" that > prevented this from being changed for the last 5 years? And why are > they not equally practical now? Mostly the unwillingness of people who were used to use root accounts in Fedora and not enough alternatives how to override or set up alternative during installation. The initial change was half-baked proposed 5 years ago: https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no but never accepted by FeSCO (note sure if it was even proposed) and started long discussions on mailing lists as linked from there. Since then, we did not change the value to "no", but we disabled only the password logins, we added a simple way how to override this in anaconda installer and there are simple ways how to override it in kickstarts or add a public ssh keys to authorized_keys files. > Don't get me wrong, I fully support this change, disabling ssh root > login is the very first thing I do every time I install a new system. > And each time I ask myself why on earth isn't this the default, but I > sort-of remember (from various discussions on this mailing list back > in > 2015 or so) that people had good reasons to keep it that way. I think it was mostly testing and scratch boxes that needed root logins (specific use cases), making sure that there is some other account that is allowed to login after installation (installation problems). But I think I did not manage to read that thread this year again. > And now > that I see the default is going to be changed, I'm curious what were > those reasons and what happened to them --- how come they were > good enough for the last five years, and are not good enough now? 5 years ago, there were no simple workarounds for the installation. Even this year, the agreement was not really smooth and updating installer was one of the requirements for the change to be approved: https://pagure.io/fesco/issue/2133 This change request is in Fedora actually for more than 15 years: https://bugzilla.redhat.com/show_bug.cgi?id=89216 Back in that time, this was not default even in upstream and many people were using root accounts. > What > changed? Or else, why wasn't this done already back in 2015? I think that over the years, the security practices shifted to better solutions, people learned to use normal users, sudo and ssh keys, which allowed us to do this finally. Originally the change would be a surprise for users, but recently, people were surprised by the root login allowed in Fedora, which also started to be dangerous. Regards, Jakub > Best, :-) > Marko > > > > > _______________________________________________ > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx -- Jakub Jelen Senior Software Engineer Security Technologies Red Hat, Inc. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx