Hi! At the moment the Anaconda installer used by Fedora contains an option called "Allow SSH root login with password" on the root password configuration screen. This is how it looks like at the moment, on latest Fedora Rawhide installer image: https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png For some backstory - in 2015 the OpenSSH upstream decided to disable password based root logins by default. This was done for security reasons as an attacker needs to only guess password to gain access to the root account. For a user account the attacker needs to guess both the username and password and the user account not even have admin privileges, making the remote password guessing attack both harder and less useful. The Fedora OpenSSH package carried downstream patches to revert this upstream change up until summer 2019 when it was decided to restore the upstream behavior and drop the downstream patches as enough tools that required password based SSH login have been migrated to use either key authentication or user based login methods. Now back to the "Allow SSH root login with password" checkbox in the installer GUI. :) The option was added in 2019 when Fedora disabled password based root SSH login by default, as a temporary migration aid for users of the graphical installer. Note that the checkbox is not ticked by default, the user needs to make a conscious choice to allow this security problematic SSH login behavior. Now fast forward to today, it's 2021, any use cases that needed password based root login via SSH had 2 more years to migrate while the amount of password guessing attacks certainly didn't get any lower. For that reason we in the Anaconda development team feel like it's a good time to finally drop the "Allow SSH root login with password" from the Anaconda GUI. If you are aware of some critical Fedora/Fedora spin usecase that depends on users regularly ticking this option, please let us know! If no such critical usecase is found, we will proceed with removing the option from the Anaconda GUI in a ~week from now in Rawhide. Best Wishes Martin Kolman & the Anaconda team _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
