On Thu, 08 Jan 2015 08:43:48 -0500 Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:

> On Thu, 2015-01-08 at 13:42 +0100, Jaroslav Reznik wrote:
> > = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
> > https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> >
> > Change owner(s): P J P <pjp@xxxxxxxxxxxxxxxxx> and Fedora Security Team
> >
> > To disable the remote root login facility in sshd(8) by default.
> >
> > == Detailed Description ==
> > The sshd(8) daemon allows remote users to log in as 'root' by default.
> > This provides remote attackers an option to brute force their way into
> > a system. Empirically it is observed that many users use their systems
> > via 'root' login, without creating a non-root user, and often have weak
> > passwords for this mighty account. sshd_config(5) has an option
> > 'PermitRootLogin=yes|no' which controls sshd(8) behaviour; it is set to
> > 'yes' by default. Disabling remote root login by setting
> > PermitRootLogin=no would help to harden Fedora systems, moving it an
> > inch closer towards a 'secure by default' future. Users can have
> > non-root accounts with weak passwords too, yet disabling remote root
> > login keeps an attacker a step away from getting full control of a
> > system. There is another option of disabling user login via password
> > and requiring usage of cryptographic keys for the same. But that could
> > be a next step in the future.
> >
> > Please see ->
> > https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html
> >
> > == Scope ==
> > * Proposal owners: to communicate with the Fedora maintainers of
> >   packages: Anaconda, OpenSSH, GNOME, etc.
> > * Other developers: packages like Anaconda, GNOME etc. need to update
> >   their workflow to enable compulsory non-root user account creation
> >   and ensure good password strength for it.
> > * Release engineering: the installer needs to ensure creation of a
> >   non-root user account with a strong password. Similarly, all Fedora
> >   images must be created with a non-root user account.
> > * Policies and guidelines: unknown yet.
>
> Can we clarify something here? Is this a request to change the defaults
> globally for all Products/non-product installs?
>
> I would argue that it could be sensible to do this for Workstation and
> non-product installs, but not for Server and Cloud.

I actually disagree here. I for one do non-product installs on both server
and desktop environments. I set a root password at install time and post
install join the machine to my IPA domain to get user accounts sorted. I
often need to set up DNS entries post install for joining the domain to
work. While on the desktop machines I can log in directly as root, the
servers are generally virtual machines that are headless.

> In the Server case, nearly every deployment is headless. Disabling root
> login to ssh by default would mean that many people would have no way
> to get into the system at all. (Yes, we could force the creation of a
> non-root user at install time, but this user would by necessity be an
> administrator capable of becoming root via sudo, so the distinction
> is... fuzzy). The only other approach I could see for the headless
> servers would be mandating the enrollment in an identity domain at
> installation time (such as to FreeIPA or Active Directory).

That is not always possible.

> Neither of those approaches is anything like ideal, so I would argue
> that Server should continue to operate with the SSH root login being
> available by default, but perhaps add documentation to the install
> guide recommending to disable it if other accounts are available;
> perhaps even by adding a simple kickstart directive (but no UI element)
> to accomplish this.

There likely need to be options in kickstart and the installer for
enabling the different types of options people could want.

> We can also consider opening an RFE against realmd, so that if the
> machine becomes enrolled in a domain, it disables the remote root login
> by default. I'm not sure about that, however.
>
>
> In the case of Cloud, I think the point is basically moot, since
> cloud-init should be handling all the relevant setup for this in any
> case.
>
>
> tl;dr:
> Let's make this change happen with a per-product config default, with
> Workstation and Non-product setups disabling root SSH login by default.
> Server should leave SSH login enabled (arguably conditional on whether
> or not the user enrolls in a domain).

Let's make this something configurable at install time.

Dennis
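The whole thread turns on the sshd_config(5) keyword PermitRootLogin quoted in the proposal. The script below is an added audit helper, not code from this thread, from the Fedora change or from OpenSSH: it reports the effective global value of that keyword in a config file, honouring sshd_config's first-occurrence-wins rule and treating everything after a Match line as conditional. The compiled-in default is a parameter (the thread's 2015-era 'yes' is the default here) because later OpenSSH releases changed it to 'prohibit-password'; the sample config is constructed.

```shell
#!/bin/sh
# Added audit helper, not code from the Fedora thread or the change proposal.
# Reports the effective global PermitRootLogin value of an sshd_config file.
# sshd_config(5) rules modelled here: keywords are case-insensitive, the
# FIRST occurrence of a keyword wins, "Keyword=value" is accepted as well as
# "Keyword value", and everything after a "Match" line is conditional, so it
# is ignored for the global value. If the keyword is absent the compiled-in
# default applies: "yes" at the time of the thread (the default here),
# "prohibit-password" in later OpenSSH releases; pass it as $2 if needed.

effective_permit_root_login() {
    cfg="$1"
    default="${2:-yes}"
    awk -v def="$default" '
        { sub("#.*", ""); if ($0 ~ /^[ \t]*$/) next }
        tolower($1) == "match" { exit }
        { line = $0; gsub("=", " ", line); n = split(line, f) }
        tolower(f[1]) == "permitrootlogin" && n >= 2 { print tolower(f[2]); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$cfg"
}

# Exit status 0 only when remote root login is fully disabled ("no");
# "prohibit-password"/"without-password" still allow key-based root login.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1" "$2")" = "no" ]
}

# Constructed sample: the trailing "no" lines look reassuring, but the first
# global occurrence ("yes") is what sshd actually applies.
sample_cfg="$(mktemp)"
cat > "$sample_cfg" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
printf 'effective PermitRootLogin: %s\n' "$(effective_permit_root_login "$sample_cfg")"
if root_login_disabled "$sample_cfg"; then
    echo "remote root login disabled"
else
    echo "remote root login still permitted"
fi
rm -f "$sample_cfg"
```

Running `sshd -T` on the host gives the daemon's own view of the merged configuration and is the authoritative check; this helper is for auditing files (kickstart outputs, images) without a running sshd.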