Intention to drop the "Allow SSH root login with password" option from the installer GUI

Hi!
At the moment the Anaconda installer used by Fedora contains an option
called "Allow SSH root login with password" on the root password
configuration screen.

This is what it looks like at the moment, on the latest Fedora Rawhide
installer image:

https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png

For some backstory - in 2015 the OpenSSH upstream decided to disable
password based root logins by default. This was done for security
reasons as an attacker needs only to guess the password to gain access to
the root account. For a user account the attacker needs to guess both
the username and password and the user account might not even have admin
privileges, making the remote password guessing attack both harder and
less useful.

The Fedora OpenSSH package carried downstream patches to revert this
upstream change up until summer 2019 when it was decided to restore the
upstream behavior and drop the downstream patches as enough tools that
required password based SSH login have been migrated to use either key
authentication or user based login methods.

Now back to the "Allow SSH root login with password" checkbox in
the installer GUI. :)

The option was added in 2019 when Fedora disabled password based root
SSH login by default, as a temporary migration aid for users of the
graphical installer. 

Note that the checkbox is not ticked by default; the user needs to make
a conscious choice to allow this security-problematic SSH login
behavior.

Now fast forward to today, it's 2021, any use cases that needed
password based root login via SSH had 2 more years to migrate while the
amount of password guessing attacks certainly didn't get any lower.

For that reason we in the Anaconda development team feel like it's a
good time to finally drop the "Allow SSH root login with password" option
from the Anaconda GUI.

If you are aware of some critical Fedora/Fedora spin use case that
depends on users regularly ticking this option, please let us know!

If no such critical use case is found, we will proceed with removing the
option from the Anaconda GUI in about a week from now in Rawhide.

Best Wishes
Martin Kolman & the Anaconda team
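
The following check is an added example, not part of the original message and not Anaconda or OpenSSH project code: it reads the effective server configuration in the format printed by `sshd -T` and reports whether root can still log in over SSH with a password. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Reads `sshd -T` style output (lowercase keyword, then value) on stdin.
# Exit status: 0 = root password login allowed,
#              1 = not allowed,
#              2 = no permitrootlogin line in the input.
root_password_login_allowed() {
    awk '
        # Keep the first value seen for each keyword.
        $1 == "permitrootlogin"        && root == "" { root = tolower($2) }
        $1 == "passwordauthentication" && pw == ""   { pw = tolower($2) }
        # Older OpenSSH releases print the second keyword name instead.
        ($1 == "kbdinteractiveauthentication" ||
         $1 == "challengeresponseauthentication") && kbd == "" { kbd = tolower($2) }
        END {
            if (root == "") exit 2
            # Only "yes" lets root authenticate with a password;
            # prohibit-password, without-password, forced-commands-only
            # and no all rule it out.
            if (root != "yes") exit 1
            # A password can arrive through plain password authentication
            # or through keyboard-interactive (typically PAM).
            if (pw == "yes" || kbd == "yes") exit 0
            exit 1
        }'
}

# Constructed sample: a host where root password login has been enabled.
SAMPLE_ENABLED='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: root limited to key-based login.
SAMPLE_KEYS_ONLY='port 22
permitrootlogin without-password
passwordauthentication yes
kbdinteractiveauthentication no'

for sample in "$SAMPLE_ENABLED" "$SAMPLE_KEYS_ONLY"; do
    if printf '%s\n' "$sample" | root_password_login_allowed; then
        echo "root password login over SSH: ALLOWED"
    else
        echo "root password login over SSH: not allowed"
    fi
done
```

On a live system, run as root, the same function can be fed the real configuration with `sshd -T | root_password_login_allowed`.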