Revision as of 07:45, 24 June 2019
Disable Root Password Login in SSH
Summary
Upstream OpenSSH disabled password logins for root back in 2015. Fedora should follow to meet security expectations and avoid surprising users with this configuration.
Owner
- Name: Jakub Jelen, OpenSSH maintainer
- Email: jjelen@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 31
- Last updated: 2019-06-24
- Tracker bug: #1722828
- Release notes tracker: #351
Detailed Description
The OpenSSH server configuration contains an option, `PermitRootLogin`, which controls whether the root user is allowed to log in using passwords or using public key authentication. The root login is the target of most random or targeted attacks on Linux systems, and the password is usually the weakest part. For that reason, upstream OpenSSH changed this option in 2015 to `prohibit-password`, which still allows public-key authentication but prevents password logins. For many practical reasons Fedora has kept the old configuration since then, but the difference is no longer bearable and might confuse users who expect that root logins are not enabled out of the box.
On the other hand, there is still a lot of infrastructure, installers and test instances that might simply depend on this configuration, and therefore this change needs to go through the system-wide change process so everyone is on board.
Benefit to Fedora
This will provide more secure Fedora installations out of the box and prevent inadvertently accessible root logins in the wild.
Scope
- Proposal owners: Modify the default shipped sshd configuration in `sshd_config` to no longer include the `PermitRootLogin yes` option and advertise this change throughout Fedora.
- Other developers: Make sure their workflow does not include logging in as root over ssh; otherwise modify that workflow.
  - Anaconda installer proposed modifications
    - The kickstarts already support installing ssh authorized keys for root or other users
    - (must) The graphical installer will be modified to allow enabling the PermitRootLogin sshd option when desirable: https://bugzilla.redhat.com/show_bug.cgi?id=1716282
    - (optional) Graphical installer will have a way to pull authorized_keys from github/other http server: https://bugzilla.redhat.com/show_bug.cgi?id=1716551
- Release engineering: https://pagure.io/releng/issues/8342
  - List of deliverables: N/A (there is no such list)
- Policies and guidelines: none
- Trademark approval: none
Upgrade/compatibility impact
Updates of a previously modified `sshd_config` will not be affected; the update creates a `.rpmnew` configuration file instead.
A default (unmodified) `sshd_config` will be updated, and the modification needs to be listed in the release notes to prevent surprises.
If your kickstarts or cloud-init scripts required password root logins, you should consider moving to public key authentication (by storing your public key in the initialized system) or creating a different administrative user.
How To Test
- Make sure you have a root user with a password and you can log in to this user using `su`
- Make sure the sshd_config does not contain the `PermitRootLogin yes` option
- Restart the sshd service: `systemctl restart sshd`
- Try to connect as the root user: `ssh -oPreferredAuthentications=password root@localhost`
  - Should fail

Other authentication methods (publickey, gssapi) should not be affected.
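The second test step can be checked without reading the file by eye. The script below is an added example, not part of the original proposal or of OpenSSH. It assumes the global section of the file ends at the first `Match` line and that `Include` directives are not followed, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective global PermitRootLogin of an sshd_config.
# Assumptions: Include directives are not followed, and an unset option falls
# back to upstream's built-in default since OpenSSH 7.0, prohibit-password.

effective_permit_root_login() {
    # $1: path to an sshd_config file
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # accept "Key=value"
        /^#/ || NF == 0 { next }                           # comments, blank lines
        { key = tolower($1) }
        key == "match" { exit }     # the rest applies only to matching connections
        key == "permitrootlogin" {  # sshd keeps the first value it reads
            val = tolower($2); found = 1; exit
        }
        END {
            if (!found) val = "prohibit-password"
            if (val == "without-password") val = "prohibit-password"  # old alias
            print val
        }
    ' "$1"
}

root_password_login_allowed() {
    # Succeeds only when the global setting lets root authenticate by password.
    [ "$(effective_permit_root_login "$1")" = "yes" ]
}

# Constructed sample files, not taken from a real system.
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' > "$tmp/old_default"
printf '%s\n' '#PermitRootLogin yes' 'Match Address 192.0.2.0/24' \
    '    PermitRootLogin yes' > "$tmp/new_default"

for f in old_default new_default; do
    if root_password_login_allowed "$tmp/$f"; then
        echo "$f: root password login ALLOWED"
    else
        echo "$f: $(effective_permit_root_login "$tmp/$f")"
    fi
done
```

On a live host, `sshd -T` prints the configuration the daemon actually uses and is the authoritative check; the second sample file shows why a `PermitRootLogin yes` inside a `Match` block still deserves a manual look.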
User Experience
Nothing in production should really depend on root password logins in 2019. If it does, it is time to change that (or explicitly allow it on the affected systems).
Dependencies
Installer and kickstarts depending on this functionality.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) Maintainer will revert the change to sshd_config if needed.
- Contingency deadline: Beta freeze
- Blocks release? no
- Blocks product? no
Documentation
OpenSSH in Fedora 31 does not allow root logins using passwords by default.
Upstream release notes: http://www.openssh.com/txt/release-7.0
Release Notes
OpenSSH in Fedora 31 does not allow root logins using passwords by default.