On Mon, 07 Oct 2019 15:25:28 +0200
Jakub Jelen <jjelen@xxxxxxxxxx> wrote:

> On Mon, 2019-10-07 at 14:13 +0200, Marko Vojinovic wrote:
> > On Mon, 07 Oct 2019 10:38:32 +0200
> > Can you please elaborate what were the "many practical reasons" that
> > prevented this from being changed for the last 5 years? And why are
> > they not equally practical now?
>
> Mostly the unwillingness of people who were used to use root accounts
> in Fedora and not enough alternatives how to override or set up
> alternative during installation.
>
> The initial change was half-baked proposed 5 years ago:
>
> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

Yes, that's what I remember being proposed, and eventually rejected.
There were long discussions of this on various mailing lists. I mostly
remember this one:

https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html

but there were others as well...

> but never accepted by FeSCO (not sure if it was even proposed) and
> started long discussions on mailing lists as linked from there.
>
> Since then, we did not change the value to "no", but we disabled only
> the password logins, we added a simple way how to override this in
> anaconda installer and there are simple ways how to override it in
> kickstarts or add a public ssh keys to authorized_keys files.

I see, so there indeed were some technical improvements, to anaconda
and kickstart, that circumvented the issues people had back then. That
is what I was looking for --- the technical upgrades that made changing
the default a viable proposal. I'll read up on those in more detail.

> I think it was mostly testing and scratch boxes that needed root
> logins (specific use cases), making sure that there is some other
> account that is allowed to login after installation (installation
> problems). But I think I did not manage to read that thread this year
> again.

I just re-read the discussion on the devel list from 2014.
And yes, the main complaint was that some people were deploying
headless VM/test systems where they didn't want to create a non-root
user. Changing the default would break a bunch of their existing
kickstart scripts... Another scenario that was mentioned by someone was
that if /home were network-mounted, and the network would fail, it
would leave the system inaccessible via ssh.

> 5 years ago, there were no simple workarounds for the installation.
> Even this year, the agreement was not really smooth and updating
> installer was one of the requirements for the change to be approved:
>
> https://pagure.io/fesco/issue/2133

I see, so it was an uphill battle even this time around. But this time
it was finally won! Congratulations! :-)

> This change request is in Fedora actually for more than 15 years:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=89216
>
> Back in that time, this was not default even in upstream and many
> people were using root accounts.

Oh, wow, unbelievable, reported on 2003-04-21 !!! So this issue is even
older than Fedora itself --- from the days of Red Hat 9 (Shrike) all
the way to Fedora 31... I thought this was first raised in 2015, had no
idea it is as old as 2003...

> I think that over the years, the security practices shifted to better
> solutions, people learned to use normal users, sudo and ssh keys,
> which allowed us to do this finally. Originally the change would be a
> surprise for users, but recently, people were surprised by the root
> login allowed in Fedora, which also started to be dangerous.

So essentially it was a psychological thing --- it took all this time
just to change people's minds about this, re-educate them, and wait
until they change their practices of remotely logging in as root. With
a couple of technical modifications to anaconda and kickstart.

This is the info I was looking for, thanks a lot! :-)

But I'm still amazed... A security bug/rfe from 2003, closed in 2019...
Just wow...

Thanks, :-)
Marko