Re: SSH after upgrade

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 07 Oct 2019 15:25:28 +0200
Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> On Mon, 2019-10-07 at 14:13 +0200, Marko Vojinovic wrote:
> > On Mon, 07 Oct 2019 10:38:32 +0200
> > Can you please elaborate what were the "many practical reasons" that
> > prevented this from being changed for the last 5 years? And why are
> > they not equally practical now?
> 
> Mostly the unwillingness of people who were used to use root accounts
> in Fedora and not enough alternatives how to override or set up
> alternative during installation.
> 
> The initial change was half-baked proposed 5 years ago:
> 
> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

Yes, that's what I remember being proposed, and eventually rejected.
There were long discussions of this on various mailing lists. I mostly
remember this one:

 https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html

but there were others as well...
 
> but never accepted by FeSCO (note sure if it was even proposed) and
> started long discussions on mailing lists as linked from there.
> 
> Since then, we did not change the value to "no", but we disabled only
> the password logins, we added a simple way how to override this in
> anaconda installer and there are simple ways how to override it in
> kickstarts or add a public ssh keys to authorized_keys files.

I see, so there indeed were some technical improvements, to anaconda and
kickstart, that circumvented the issues people had back then. That is
what I was looking for --- the technical upgrades that made changing
the default a viable proposal. I'll read up on those in more detail.
 
> I think it was mostly testing and scratch boxes that needed root
> logins (specific use cases), making sure that there is some other
> account that is allowed to login after installation (installation
> problems). But I think I did not manage to read that thread this year
> again.

I just re-read the discussion on the devel list from 2014. And yes, the
main complaint was that some people were deploying headless VM/test
systems where they didn't want to create a non-root user. Changing the
default would break a bunch of their existing kickstart scripts...
Another scenario that was mentioned by someone was that if /home were
network-mounted, and the network would fail, it would leave the system
inaccessible via ssh.

> 5 years ago, there were no simple workarounds for the installation.
> Even this year, the agreement was not really smooth and updating
> installer was one of the requirements for the change to be approved:
> 
> https://pagure.io/fesco/issue/2133

I see, so it was an uphill battle even this time around. But this
time it was finally won! Congratulations! :-)

> This change request is in Fedora actually for more than 15 years:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=89216
> 
> Back in that time, this was not default even in upstream and many
> people were using root accounts.

Oh, wow, unbelievable, reported on 2003-04-21 !!! So this issue is even
older than Fedora itself --- from the days of Red Hat 9 (Shrike) all
the way to Fedora 31... I thought this was first raised in 2015, had no
idea it is as old as 2003...

> I think that over the years, the security practices shifted to better
> solutions, people learned to use normal users, sudo and ssh keys,
> which allowed us to do this finally. Originally the change would be a
> surprise for users, but recently, people were surprised by the root
> login allowed in Fedora, which also started to be dangerous.

So essentially it was a psychological thing --- it took all this time
just to change people's minds about this, re-educate them, and wait
until they change their practices of remotely logging in as root. With a
couple of technical modifications to anaconda and kickstart.

This is the info I was looking for, thanks a lot! :-)

But I'm still amazed... A security bug/rfe from 2003, closed in 2019...
Just wow...

Thanks, :-)
Marko


_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux