On Thu, 2021-04-29 at 22:09 +0200, Martin Kolman wrote:
> Hi!
> At the moment the Anaconda installer used by Fedora contains an option
> called "Allow SSH root login with password" on the root password
> configuration screen.
>
> This is what it looks like at the moment, on the latest Fedora Rawhide
> installer image:
>
> https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png
>
> For some backstory - in 2015 the OpenSSH upstream decided to disable
> password based root logins by default. This was done for security
> reasons as an attacker needs to only guess the password to gain access to
> the root account. For a user account the attacker needs to guess both
> the username and password and the user account might not even have admin
> privileges, making the remote password guessing attack both harder and
> less useful.
>
> The Fedora OpenSSH package carried downstream patches to revert this
> upstream change up until summer 2019 when it was decided to restore the
> upstream behavior and drop the downstream patches as enough tools that
> required password based SSH login have been migrated to use either key
> authentication or user based login methods.
>
> Now back to the "Allow SSH root login with password" checkbox in
> the installer GUI. :)
>
> The option was added in 2019 when Fedora disabled password based root
> SSH login by default, as a temporary migration aid for users of the
> graphical installer.
>
> Note that the checkbox is not ticked by default, the user needs to make
> a conscious choice to allow this security problematic SSH login
> behavior.
>
> Now fast forward to today, it's 2021, any use cases that needed
> password based root login via SSH had 2 more years to migrate while the
> amount of password guessing attacks certainly didn't get any lower.
>
> For that reason we in the Anaconda development team feel like it's a
> good time to finally drop the "Allow SSH root login with password" from
> the Anaconda GUI.
>
> If you are aware of some critical Fedora/Fedora spin use case that
> depends on users regularly ticking this option, please let us know!
>
> If no such critical use case is found, we will proceed with removing the
> option from the Anaconda GUI in a ~week from now in Rawhide.

Hi,

BTW, while I want or like this feature when we are in a devel lab without
internet, I think the approach was not the best (1), because after enabling
root login with password, it is not easy to disable it again.
IMHO this feature should not create a new config file
(CONFIG_PATH = "etc/sysconfig/sshd-permitrootlogin") but use the default
one, /etc/sysconfig/sshd.

(1) https://github.com/rhinstaller/anaconda/pull/2042/files

> Best Wishes
> Martin Kolman & the Anaconda team
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure

--
Sérgio M. B.