Re: F22 System Wide Change: Set sshd(8) PermitRootLogin=no

----- Original Message -----
> > = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
> > https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

> In the Server case, nearly every deployment is headless. Disabling root
> login to ssh by default would mean that many people would have no way to
> get into the system at all. (Yes, we could force the creation of a
> non-root user at install time, but this user would by necessity be an
> administrator capable of becoming root via sudo, so the distinction
> is... fuzzy).

No, there is an important conceptual distinction between logging in as a “hard-coded technical account named root” and logging in as a real person (or a bacula/ansible service account, even if ultimately root-privileged through some mechanism), as soon as more than one person has administrative access: attribution and accountability.

OTOH, the security distinction between brute-forcing (constant “root”+password) and (username+password) is trivial enough that I don’t think the change as proposed makes sense.

> The only other approach I could see for the headless
> servers would be mandating the enrollment in an identity domain at
> installation time (such as to FreeIPA or Active Directory).
> 
> Neither of those approaches is anything like ideal,

I think we should eventually end up forcing _all_ logins (both remote and local) to actually identify a security principal (i.e. have a local user set up or a domain membership as a required step during installation).  You are right that at this moment this would not go smoothly; we should make it smooth enough first, and then just remove the root password altogether to force going through a real account first.

(https://lists.fedoraproject.org/pipermail/security/2014-December/002039.html )


> We can also consider opening an RFE against realmd, so that if the
> machine becomes enrolled in a domain, it disables the remote root login
> by default. I'm not sure about that, however.

That seems like a fairly confusing combination of a mechanism (realmd as a tool “for joining domains”) and distribution policy (Fedora prevents/recommends not to use logins directly as root).
     Mirek
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct



