https://fedoraproject.org/wiki/Changes/Drop_Rootpw_SSH_From_Installer

== Summary ==
Since 2019 the Anaconda installer GUI has hosted an option called
"Allow SSH root login with password" that made it possible to enable
password based root logins over SSH on the installed system. This was
always meant as a temporary option to help users transition to either
using key authentication or normal users with admin privileges. After
a two-year transition period it is now time to drop the option from
the GUI.

== Owner ==
* Name: [[User:M4rtink| Martin Kolman]]


== Detailed Description ==
At the moment the Anaconda installer used by Fedora contains an option
called "Allow SSH root login with password" on the root password
configuration screen.

This is what it looks like at the moment, on the latest Fedora Rawhide
installer image:

https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png

For some backstory - in 2015 the OpenSSH upstream decided to disable
password based root logins by default. This was done for security
reasons, as an attacker only needs to guess the password to gain access
to the root account. For a user account the attacker needs to guess
both the username and the password, and the user account might not even
have admin privileges, making the remote password guessing attack both
harder and less useful.

The Fedora OpenSSH package carried downstream patches to revert this
upstream change up until summer 2019, when it was decided to restore
the upstream behavior and drop the downstream patches, as enough tools
that required password based SSH login had been migrated to use either
key authentication or user based login methods.

Now back to the "Allow SSH root login with password" checkbox in
the installer GUI. :)

The option was added in 2019 when Fedora disabled password based root
SSH login by default, as a temporary migration aid for users of the
graphical installer.

Note that the checkbox is not ticked by default; the user needs to make
a conscious choice to allow this SSH login behavior, which is
problematic for security.

Now fast forward to today: it's 2021, and any use cases that needed
password based root login via SSH have had 2 more years to migrate,
while the number of password guessing attacks certainly didn't get any
lower.

For that reason we in the Anaconda development team feel like it's a
good time to finally drop the "Allow SSH root login with password"
option from the Anaconda GUI.

== Feedback ==
* it has been suggested to keep the "Allow SSH root login with
password" option available per Fedora variant (e.g. for Fedora Server,
etc.) - this is doable at the cost of some code complexity and we can
consider doing that if there is enough demand & confirmation that the
given SIG is OK with it
* it has been suggested that making it easier to import SSH keys from
popular code hosting platforms (Pagure, GitHub, GitLab, etc.) could
provide a nice alternative to the dropped option - this seems like a
nice idea, but it's unclear if any Anaconda team members will have
time to work on this before the F35 release; on the other hand, (good)
patches welcome! :)

== Benefit to Fedora ==
This change makes the Fedora systems installed by Anaconda more secure
against remote password guessing attacks targeting the root account, as
it would no longer be possible to configure a system that allows root
to log in via SSH with a password.

A smaller benefit is making the root password configuration screen
less confusing by removing the "Allow SSH root login with password"
option, along with an Anaconda code cleanup that removes the code for
setting up the override in sshd.


== Scope ==
* Proposal owners:
Remove the "Allow SSH root login with password" option and any related
backend code that configures the sshd override.

* Other developers:
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==


== How To Test ==
Boot a Fedora netinst image and enter the root password configuration
screen. Check that the "Allow SSH root login with password" option is
not present.


== User Experience ==
Users will no longer be able to use the insecure "Allow SSH root
login with password" option on the root password configuration screen
of the installer, and the root password configuration screen will be a
bit cleaner.


== Dependencies ==


== Contingency Plan ==
Revert the commit that removes the "Allow SSH root login with
password" option and do a new Anaconda build.

* Contingency mechanism: (What to do?  Who will do it?) N/A (not a
System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A

== Documentation ==

Original change that resulted in the "Allow SSH root login with
password" option being added:

https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd

A workaround for kickstart users that still need to enable password
based root login over SSH for some reason:

https://anaconda-installer.readthedocs.io/en/latest/common-bugs.html#enabling-root-password-ssh-login-via-password


== Release Notes ==
* The "Allow SSH root login with password" option has been removed
from the installer GUI, making it no longer possible to configure the
installed system to allow root to log in with a password over SSH. If
you need to log in remotely with super user privileges, please use key
based authentication or a normal user with admin rights instead.


-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
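
An added example, not part of the announcement and not Anaconda or OpenSSH code: a shell check for whether a set of sshd config files leaves root password login enabled, the state the removed checkbox produced. The function names and the sample files are constructed for illustration; the config files are assumed to be passed in the order sshd reads them.

```shell
#!/bin/sh
# Added example (not Anaconda or OpenSSH code).
# Print the global value of an sshd keyword from config files given in the
# order sshd reads them. sshd keeps the first value it obtains for a keyword,
# so an earlier drop-in beats a later line in the main file.
# Simplifications (assumptions): Include lines are not followed, and a Match
# block is treated as running to the end of the file it starts in.
sshd_global_value() {
    keyword=$1; default=$2; shift 2
    awk -v want="$keyword" -v dflt="$default" '
        BEGIN { want = tolower(want) }
        FNR == 1 { in_match = 0 }                 # new file: back to global scope
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
        {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            key = line; sub(/[ \t=].*$/, "", key)  # "Key value" or "Key=value"
            val = substr(line, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val); gsub(/"/, "", val)
            key = tolower(key)                    # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (!in_match && key == want) { result = tolower(val); exit }
        }
        END { print (result == "" ? dflt : result) }
    ' "$@"
}

# Exit status 0 when PermitRootLogin resolves to "yes", i.e. root may log in
# with a password (the upstream default is prohibit-password).
root_password_login_permitted() {
    [ "$(sshd_global_value PermitRootLogin prohibit-password "$@")" = "yes" ]
}

# Constructed sample files: a drop-in that re-enables root password login,
# a Match-only file, and a main file that tries to forbid it.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# constructed drop-in' 'PermitRootLogin yes' > "$demo_dir/dropin.conf"
printf '%s\n' 'Match User backup' '  PermitRootLogin no' > "$demo_dir/match.conf"
printf '%s\n' 'PasswordAuthentication yes' 'permitrootlogin=no' > "$demo_dir/main.conf"

# The drop-in is read first, so the later "no" in the main file is ignored.
sshd_global_value PermitRootLogin prohibit-password \
    "$demo_dir/dropin.conf" "$demo_dir/main.conf"
```

On a live system, `sshd -T` run as root prints the effective configuration, including any Include and Match handling this sketch leaves out.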