On Thu, 2015-01-08 at 08:43 -0500, Stephen Gallagher wrote:

> In the Server case, nearly every deployment is headless. Disabling root
> login to ssh by default would mean that many people would have no way to
> get into the system at all. (Yes, we could force the creation of a
> non-root user at install time, but this user would by necessity be an
> administrator capable of becoming root via sudo, so the distinction
> is... fuzzy).

It might be fuzzy but I don't think it's meaningless. Consider ssh's X11 forwarding. Prior to CVE-2013-19{81,97} libX11 had bugs where it would trust the server's replies to be correctly formatted, which meant the _server_ could exploit the _client_. Since in X the server is the display, this means if I can commandeer the user session then I can exploit the machine being ssh'd _to_.

Cisco routers don't log you in directly to enable mode, even if there's no password. OSX runs your session as a user even though it gives you sudo by default. What's so different about Fedora Server that we should ignore common best practice?

> The only other approach I could see for the headless
> servers would be mandating the enrollment in an identity domain at
> installation time (such as to FreeIPA or Active Directory).

And in this scenario we should absolutely disable PermitRootLogin.

- ajax

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct