Re: Fedora 31 System-Wide Change proposal: Disable Root Password Login in SSH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, May 19, 2019 at 12:14 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> On 5/19/19 8:48 AM, Christopher wrote:
> > On Fri, May 17, 2019 at 4:35 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> >>
> >> On 5/17/19 5:23 AM, Stephen Gallagher wrote:
> >>
> >> ...snip...
> >>
> >>> 3) Force Anaconda to require the creation of a non-root user that is a
> >>> member of the `wheel` group, so that this user can be used to SSH in
> >>> and administer the system. Essentially, remove the root user creation
> >>> spoke as an option from the interactive install.
> >>
> >> So, this is basically the old cloud-init makes a user that can sudo to
> >> root thing. Can anyone explain in small words how this is more secure?
> >>
> >
> > If you've ever examined your audit logs for failed authentications,
> > you'll notice the difference is substantial. The root user is under
> > non-stop attack over ssh, by countless bots and malicious users. Other
> > users are not so frequently targeted. The attack surface is
> > dramatically reduced when disabling access for the the root user over
> > ssh, and replacing that with a different user. This is not perfect
> > security, but it reduces the attack surface that can be automatically
> > targeted by automated attack tools.
>
> I guess this is not the old cloud-init thing, since the proposed action
> here leaves the non-root user with a password. In cloud-init land,
> there's no passwords, the non-root user has a key. In that case I cannot
> see any difference between root having a key and the non-root user
> having a key and being able to sudo to root.

In cloud-init land, the user can set a password by using their "sudo"
privileges, and can set it for the "root" user and for the "ec2puser"
or other cloud user. I don't think that Fedora should try to outsmart
all the different use cased cases for cloud deployment by selecting
sshd_config.

> One objection to this proposal last time this came up was that the
> device was going to join a ipa domain or the like, and a local non-root
> user was not desired. I suppose in that case they could delete the user
> after the initial setup.

Yup, along with /etc/ssh/ssh_config, /etc/ssh/ssshd_config, and
$HOME/.ssh/config, and the way cloud-init blocks direct root SSH
logins, by manipulationg $HOME/.ssh/authorized_keys. There are too
many options to try and outsmart them via sshd_config policy.

> Sure, and it can also not make one and leave root, but in practice I
> don't know too many people that do this. If you looked for 'fedora',
> 'centos' and 'rhel' and 'ubuntu' you would get most of them.
>
> As noted, the cloud-init case has no passwords, only keys.

You forgot "ec2puser".

> If I am using ssh keys, I don't care about people trying to brute force
> passwords. Forcing the root account closed and having to use a 'user'
> account to login and sudo just seems like a pointless hoop.

It provides tracking of which user's credentials have been abused.

> root account with key -> login as root with key
> user account with key / root locked -> login as user, sudo
>
> Thats another shell running, another sudo process, etc.

Yes, and for precisely the reasons above.

> Anyhow, thats not this case, so I should move along.
>
> At this point I think I am ok with the change, but I would really like
> to hear from some folks that didn't like it the last time it was
> proposed to see if we missed any cases.
>
> kevin

That seems a very thoughtful suggestion.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux