Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd

== Summary ==
Upstream OpenSSH disabled password logins for root back in 2015. Fedora
should follow suit to meet the security expectations users have of the
default configuration and to avoid surprising them with a different one.

== Owner ==
* Name: [[User:jjelen| Jakub Jelen]], OpenSSH maintainer
* Email: jjelen@xxxxxxxxxx

== Detailed Description ==

The OpenSSH server configuration contains a configuration option,
`PermitRootLogin`, which controls whether the root user is allowed to
log in, and whether with a password or only with public-key
authentication. The root account is the target of most random and
targeted attacks on Linux systems, and the password is usually the
weakest part. For that reason, upstream OpenSSH changed the default of
this option in 2015 (OpenSSH 7.0) to `prohibit-password`, which still
allows public-key authentication but prevents password logins. Fedora
has, for many practical reasons, kept the old configuration since
then, but the difference is no longer bearable and might confuse users
who expect that root password logins will not be enabled out of the
box.

On the other hand, there is still a lot of infrastructure, installers
and test instances that might simply depend on this configuration, and
therefore this change needs to go through the system-wide change
process so that everyone is on board.

== Benefit to Fedora ==

This will provide more secure Fedora installations out of the box and
prevent inadvertently accessible root logins in the wild.

== Scope ==
* Proposal owners: Modify the default shipped sshd configuration in
`sshd_config` to no longer include the `PermitRootLogin yes` option
and advertise this change throughout Fedora.
* Other developers: Make sure their workflow does not include logging
in as root over ssh with a password; otherwise, modify that workflow
(or explicitly set `PermitRootLogin yes` on the affected systems)
* Release engineering: [https://pagure.io/releng/issues/8342]

* Policies and guidelines: none
* Trademark approval: none

== Upgrade/compatibility impact ==
Updates of a previously modified `sshd_config` will not be affected:
the new default is installed alongside it as a `.rpmnew` configuration
file and the running configuration keeps whatever the administrator set.

Updates of an unmodified default `sshd_config` will receive the new
setting, and the modification needs to be listed in the release notes
to prevent surprises.

== How To Test ==

* Make sure you have a root user with a password and that you can log
in to that user using `su`
* Make sure `sshd_config` does not contain the `PermitRootLogin yes` option
* Restart the sshd service: `systemctl restart sshd`
* Try to connect as root with a password: `ssh
-oPreferredAuthentications=password root@localhost`
* This should fail with "Permission denied"

Other authentication methods (publickey, gssapi) should not be affected.
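The test above checks a live sshd; the following is an added example (not code from the proposal or from the OpenSSH project) that audits an `sshd_config` text offline for the effective global `PermitRootLogin` value described in the Detailed Description. It encodes the rules from sshd_config(5) that matter for this check: keywords are case-insensitive, the first occurrence of a keyword wins, directives inside a `Match` block are conditional rather than global, and an unset keyword falls back to the upstream default of `prohibit-password` (OpenSSH 7.0 and later). The sample configurations inside the block are constructed for the example and are not real Fedora files; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config text for the effective global
# PermitRootLogin value. Not part of the Fedora proposal or of OpenSSH.
#
# Rules implemented (from sshd_config(5)):
#   - keywords are case-insensitive, "#" starts a comment
#   - the FIRST occurrence of a keyword wins; later ones are ignored
#   - directives inside a "Match" block only apply to matching connections,
#     so they are skipped when computing the global value
#   - if the keyword is unset, OpenSSH >= 7.0 defaults to prohibit-password

effective_permit_root_login() {
    printf '%s\n' "$1" | awk '
        {
            sub(/#.*/, "")                      # strip trailing comments
            if (NF == 0) next                   # blank or comment-only line
            key = tolower($1)
            if (key == "match") { in_match = 1; next }
            if (in_match) next                  # conditional, not global
            if (key == "permitrootlogin" && !found) {
                value = tolower($2); found = 1  # first occurrence wins
            }
        }
        END { print (found ? value : "prohibit-password") }
    '
}

# True (exit 0) only when root can authenticate with a password over ssh,
# i.e. when the effective value is literally "yes". The values "no",
# "prohibit-password" and its older alias "without-password" all block it.
root_password_login_allowed() {
    [ "$(effective_permit_root_login "$1")" = "yes" ]
}

# Constructed sample configurations (not real Fedora or upstream files).
OLD_FEDORA_CFG='# the old Fedora default being removed
PermitRootLogin yes
PasswordAuthentication yes
'
NEW_DEFAULT_CFG='# keyword commented out, so the built-in default applies
#PermitRootLogin prohibit-password
PasswordAuthentication yes
'
FIRST_WINS_CFG='PermitRootLogin prohibit-password
PermitRootLogin yes   # ignored: the first occurrence wins
'
MATCH_ONLY_CFG='PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin yes   # only for that address range, not global
'

for name in OLD_FEDORA_CFG NEW_DEFAULT_CFG FIRST_WINS_CFG MATCH_ONLY_CFG; do
    eval "cfg=\$$name"
    value=$(effective_permit_root_login "$cfg")
    if root_password_login_allowed "$cfg"; then
        echo "$name: root password login ALLOWED (PermitRootLogin $value)"
    else
        echo "$name: root password login blocked (PermitRootLogin $value)"
    fi
done
```

On a real host the authoritative check is `sshd -T | grep -i permitrootlogin`, which prints the value sshd itself resolves after parsing the file, followed by the `ssh -oPreferredAuthentications=password root@localhost` attempt from the steps above; the audit script is for scanning kickstart fragments and configuration trees without starting sshd.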

== User Experience ==
Nothing in production should really depend on root password logins in
2019. If something does, it is time to change that (or to explicitly
allow it on the affected systems).

== Dependencies ==
Installer and kickstarts depending on this functionality.

== Contingency Plan ==

* Contingency mechanism: the OpenSSH maintainer will revert the change
to `sshd_config` if needed.
* Contingency deadline: Beta freeze
* Blocks release? no
* Blocks product? no

== Documentation ==
OpenSSH in Fedora 31 does not allow root logins using passwords by default.

Upstream release notes: http://www.openssh.com/txt/release-7.0

== Release Notes ==
OpenSSH in Fedora 31 does not allow root logins using passwords by default.

-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx