On Thu, 2019-05-23 at 12:13 -0500, Dennis Gilmore wrote:
> On Fri, May 17, 2019 at 7:24 AM Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
> > On Thu, May 16, 2019 at 2:54 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
> > > https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd
> > >
> > > == Summary ==
> > > The upstream OpenSSH disabled password logins for root back in 2015.
> > > The Fedora should follow to keep security expectation and avoid users
> > > surprises with this configuration.
> > >
> > > == Owner ==
> > > * Name: [[User:jjelen| Jakub Jelen]], OpenSSH maintainer
> > > * Email: jjelen@xxxxxxxxxx
> > >
> > > == Detailed Description ==
> > >
> > > The OpenSSH server configuration contains a configuration option
> > > `PermitRootLogin`, which controls whether the root user is allowed to
> > > login using passwords or using public key authentication. The root
> > > login is target of most of the random or targeted attack on Linux
> > > systems and password is usually the weakest part. For that reason, the
> > > upstream OpenSSH changed this option in 2015 to `prohibit-password`,
> > > which still allows public-key authentication, but prevents the
> > > password logins. Fedora was for many practical reasons keeping the old
> > > configuration since then, but the difference is no longer bearable and
> > > might confuse users expecting the root logins will not be enabled out
> > > of the box.
> > >
> > > On the other hand, there is still a lot of infrastructure, installers
> > > and test instances that simply might depend on this configuration and
> > > therefore this change needs to go through the system-wide change so
> > > everyone is onboard.
> > >
> > > == Benefit to Fedora ==
> > >
> > > This will provide more secure Fedora installations out of the box and
> > > prevent inadvertently accessible root logins in the wild.
> > >
> >
> > I'm not particularly *opposed* to this change in behavior, but in the
> > Fedora Server case, SSH is the primary mechanism for gaining access to
> > the system. If we disallow password logins for root, then many
> > installs will be inaccessible and users will get... grumpy.
>
> I usually ssh in and enroll my machines to my ipa server, I am not
> sure how we can do that in the arm cases where we use pre-generated
> images. I know I can use cockpit, however, the socket is generally
> disabled, and then seems to randomly get disabled post install.

Cockpit is supposed to be accessible and working out of the box in all
Server installs, it's in the release criteria. If you're hitting a case
where that isn't working, please do file a bug and mark it as a release
blocker...
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
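
An added example, not part of this thread and not Fedora or OpenSSH code: a small Python check of which `PermitRootLogin` value an sshd_config text sets, for the `prohibit-password` default discussed in the quoted change proposal. The function names and the sample config are constructed for illustration; it assumes first-value-wins parsing, does not follow Include files, and falls back to the upstream default when the option is absent.

```python
# Added example: which PermitRootLogin value does an sshd_config text set?
# Assumptions: first value per keyword wins; Include files are not followed;
# the fallback is the upstream default (a distribution build may patch it).
UPSTREAM_DEFAULT = "prohibit-password"
ALIASES = {"without-password": "prohibit-password"}  # deprecated spelling

# Constructed sample, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
PermitRootLogin yes
PermitRootLogin prohibit-password
Match Address 192.0.2.0/24
    PermitRootLogin without-password
"""

def root_login_policy(config_text):
    """Return (global_value, [(match_criteria, value), ...])."""
    global_value, overrides, match = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match = arg                     # later lines are conditional
        elif keyword == "permitrootlogin":
            # Case is normalized here so a weak value is never missed.
            value = ALIASES.get(arg.lower(), arg.lower())
            if match is not None:
                overrides.append((match, value))
            elif global_value is None:      # later global duplicates are ignored
                global_value = value
    return global_value or UPSTREAM_DEFAULT, overrides

def allows_root_password(value):
    """Only 'yes' lets root authenticate with a password."""
    return value == "yes"

if __name__ == "__main__":
    value, overrides = root_login_policy(SAMPLE)
    print("global:", value, "| root password login:", allows_root_password(value))
    for criteria, v in overrides:
        print("Match", criteria, "->", v)
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including Include files, and is the authoritative check.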