Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Hello, > On Monday, 12 January 2015 4:09 PM, Ian Malone wrote: > > On 12 January 2015 at 09:20, Milan Keršláger >> 4) Blocking root access means forcing admins to log as normal user and >> then do su/sudo and providing root password, which is far less secure >> than disable root password authentication and allow login to root with >> SSH key only, because password could be easily stolen (private key is >> never send to the net so is more safe). > > It is only more secure if you assume normal user password ssh is > allowed. It shouldn't be either, it should be ssh key. If you're > allowing password login on any account then you're less secure, even > without discussing sudo. I understand. As said in the other thread, how we restrict remote root access is negotiable. Though IMHO, we are not yet ready for purely keys based authentication and disable password authentication altogether. In fact, disabling remote 'root' access could be the first step in that direction. Ie. if we start using keys for remote 'root' access. >> 6) Because all I wrote above, disabling root login is "Security >> through obscurity" and THIS NOT IMPROVE SECURITY! See >> https://cs.wikipedia.org/wiki/Security_through_obscurity and 5) above > > It's not really. Security through obscurity is design or > implementation (as outlined in the English version of that wikipedia > page). What this is is somewhere between security in layers and > security in extended keys. User account names can be discovered and > don't add many bytes compared to a secret key, on the other hand it > should be easy to spot brute force attempts on user name. And not > every user account on a system has sudo access, of course you can try > local exploits once you have a shell, but that is still better than > hanging direct root out as a big target to attack. Layers. Yes, nice term, security through layers. --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 12 January 2015 at 09:20, Milan Keršláger wrote: >> Hello, >> > 4) Blocking root access means forcing admins to log as normal user and > then do su/sudo and providing root password, which is far less secure > than disable root password authentication and allow login to root with > SSH key only, because password could be easily stolen (private key is > never send to the net so is more safe). It is only more secure if you assume normal user password ssh is allowed. It shouldn't be either, it should be ssh key. If you're allowing password login on any account then you're less secure, even without discussing sudo. > 5) When a user provides login/password through ssh, the ssh know whats > going on, so there is a padding (with nothing) included in the initial > network communication to prevent spoofing on how the password "sounds > like" (ie sniffing on password typing), but when the user is logged-in, > the ssh has no clue what is going on so no padding could be inserted to > the network communication and this is why there is possibility to attack > (spoof) on password the user provides when doing su/sudo after > succesfull login. See SSH protocol explanation and a lot of very good > articles about this. > 6) Because all I wrote above, disabling root login is "Security through > obscurity" and THIS NOT IMPROVE SECURITY! See > https://cs.wikipedia.org/wiki/Security_through_obscurity and 5) above It's not really. Security through obscurity is design or implementation (as outlined in the English version of that wikipedia page). What this is is somewhere between security in layers and security in extended keys. User account names can be discovered and don't add many bytes compared to a secret key, on the other hand it should be easy to spot brute force attempts on user name. And not every user account on a system has sudo access, of course you can try local exploits once you have a shell, but that is still better than hanging direct root out as a big target to attack. Layers. > > There are possible solutions for this problem: > > A) do not allow any SSH connection (the user should enable SSH on its own) > B) provide good blocking script as of 3) above by default [there are > many out there] > C) do not allow user to set weak root password at all > > As Fedora is focused as desktop, I wonder why SSH is enabled by default. > RHEL/CentOS/SLES/whatever is focused as server and this sounds me > reasonable to allow SSH by default. > In the past I've had to enable SSHD on Fedora, I don't know what the current default is, but I don't think it's on by default. Fedora is also used as a server (indeed there's now a specific 'server' version and the 'desktop' product seems a bit niche). I've stayed out of this discussion since, while I have particular things I always do with sshd configuration, it's about defaults and the points about how the choice of those defaults affect certain installation scenarios are really the important thing. -- imalone http://ibmalone.blogspot.co.uk -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> Hello, > > Sshd(8) daemon by default allows remote users to login as root. > > 1. Is that really necessary? > 2. Lot of users use their systems as root, without even creating a non-root user. > Such practices need to be discouraged, not allowing remote root login could be > useful in that. > > Does it make sense to disable remote root login by default? If so, do > we need to just report it to the maintainer or it would be treated as > a feature? This is generally a very bad idea, because this is NOT SECURE AT ALL. 1) If the problem is brute force attack (BF) against root account, this solution will not prevent BF at all, because BF could be used against other accounts too (it may not so easy, but BF means to try all possible solutions to find the correct one so no change to BF here) 2) You have to fight BF attack in general, which means to use some kind of wrapper to block unsuccesfull logins, but this will raise the security problem, because this wrapper could be vulnerable, ie. may contain some bug which could be security disaster. 3) Previous solution with wrapper could be solved by some kind of script and touching iptables/tcp_wrapper and this will not be security problem, so this is better than 2) 4) Blocking root access means forcing admins to log as normal user and then do su/sudo and providing root password, which is far less secure than disable root password authentication and allow login to root with SSH key only, because password could be easily stolen (private key is never send to the net so is more safe). 5) When a user provides login/password through ssh, the ssh know whats going on, so there is a padding (with nothing) included in the initial network communication to prevent spoofing on how the password "sounds like" (ie sniffing on password typing), but when the user is logged-in, the ssh has no clue what is going on so no padding could be inserted to the network communication and this is why there is possibility to attack (spoof) on password the user provides when doing su/sudo after succesfull login. See SSH protocol explanation and a lot of very good articles about this. 6) Because all I wrote above, disabling root login is "Security through obscurity" and THIS NOT IMPROVE SECURITY! See https://cs.wikipedia.org/wiki/Security_through_obscurity and 5) above There are possible solutions for this problem: A) do not allow any SSH connection (the user should enable SSH on its own) B) provide good blocking script as of 3) above by default [there are many out there] C) do not allow user to set weak root password at all As Fedora is focused as desktop, I wonder why SSH is enabled by default. RHEL/CentOS/SLES/whatever is focused as server and this sounds me reasonable to allow SSH by default. Yes, Debian/Ubuntu etc. disable root login by default but as I wrote, this is not security feature, it only provides false security feeling and by nature it lower security (see above). Don't do the same please only because others do too. Don't think about to make the computer more secure and allow administrator to be stupid on the same time! -- Milan Keršláger http://www.pslib.cz/ke/ http://www.nti.tul.cz/wiki/Milan.Kerslager -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Wednesday, 24 December 2014 11:01 PM, Mike Pinkerton wrote: > Remotely installed on bare metal. I see. Is there a provision that you could edit the kick-start file? Or supply parameters to it?? If so, it could be possible to enable remote root login post install. If not, let's see how we could address that. Which tool is it? --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 24 Dec 2014, at 09:29, P J P wrote: On Wednesday, 24 December 2014 3:07 PM, Andrew Haley wrote: At some loss of usability. To often we hear "This is better for security, therefore we should do it" without considering the usability trade-off. It'll help if you could define this some loss of usability. If it is about remotely installed VM images, it's also discussed here -> https://lists.fedoraproject.org/pipermail/security/2014- December/002061.html Remotely installed on bare metal. -- Mike Pinkerton -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Wednesday, 24 December 2014 3:07 PM, Andrew Haley wrote: > At some loss of usability. To often we hear "This is better for > security, therefore we should do it" without considering the usability > trade-off. It'll help if you could define this some loss of usability. If it is about remotely installed VM images, it's also discussed here -> https://lists.fedoraproject.org/pipermail/security/2014-December/002061.html --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 27/11/14 14:52, Nico Kadel-Garcia wrote: On Thu, Nov 27, 2014 at 8:06 AM, P J P wrote: >> > Overall this feature adds more value to Fedora, than its perceived short >> > term cost. > I agree, from a basic security standpoint, that it's the simplest > change with the largest return on investment. At some loss of usability. To often we hear "This is better for security, therefore we should do it" without considering the usability trade-off. Andrew. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Thu, Nov 27, 2014 at 8:06 AM, P J P wrote: >> On Thursday, 27 November 2014 4:49 PM, Reindl Harald wrote: >> so why not consider disable sshd at all and make a checkbox >> in Anaconda "ssh support yes/no" because after somebody says "yes" >> it's his clearly decision and he is responsible to secure it with key-only >> auth > > Sure these are options, which need to be evaluated against their pros and > cons. > > For the 'Disable remote root login' option, this evaluation has been more > positive than negative. Cases wherein it is negative, is mostly due to the > tweaking that users would have to incorporate in their workflow, ex. > explicitly enable remote root login after creating a new VM. This is easily > doable because these users are fairly experienced ones. Idea is not to punish > them for it, but to depend on their expertise rather than to expect that > unknown users would/should know how to safe guard their systems. > > Overall this feature adds more value to Fedora, than its perceived short term > cost. I agree, from a basic security standpoint, that it's the simplest change with the largest return on investment. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Thursday, 27 November 2014 4:49 PM, Reindl Harald wrote: > so why not consider disable sshd at all and make a checkbox > in Anaconda "ssh support yes/no" because after somebody says "yes" > it's his clearly decision and he is responsible to secure it with key-only > auth Sure these are options, which need to be evaluated against their pros and cons. For the 'Disable remote root login' option, this evaluation has been more positive than negative. Cases wherein it is negative, is mostly due to the tweaking that users would have to incorporate in their workflow, ex. explicitly enable remote root login after creating a new VM. This is easily doable because these users are fairly experienced ones. Idea is not to punish them for it, but to depend on their expertise rather than to expect that unknown users would/should know how to safe guard their systems. Overall this feature adds more value to Fedora, than its perceived short term cost. --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Am 27.11.2014 um 12:13 schrieb P J P: Just because it is easy to infer non-root user names does not mean we tell people it is 'root'. Secondly, it might be easy for you to infer such names, not for everyone. The increased difficulty level that is added by not allowing remote root login could help to thwart lot of real & automated attacks.[1] Thirdly, it need not have to be entirely about security, it's also about picking the right default configuration. Same as disabling sshd(8) in Workstation by default. As Scott wrote above so why not consider disable sshd at all and make a checkbox in Anaconda "ssh support yes/no" because after somebody says "yes" it's his clearly decision and he is responsible to secure it with key-only auth i guess the answer will be "because too many options in the installer will harm" which i can't support - to less options IMHO harm forcing the user to look what is setup and how signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Hello Tomas, > On Thursday, 27 November 2014 3:05 PM, Tomas Mraz wrote: >> - Original Message - >> On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit wrote: >> >> Look, this is a basic system configuration. It's not "Cripple Mr. >> Onion". Pick *one* setting, and let people know from that whether >> they'll need to manipulate their local environments for their >> particular subtle needs. >> > > Exactly! The more I think about this Change the more I am having an > opinion that we should reject it altogether. In fact this change does not > really bring any real security improvement because for the Workstation > the sshd is already disabled completely by default and for the other products > the people who are installing them can be expected to know what they are > doing. That's not a prudent expectation. > Also disabling root access does not improve security against targeted attacks > because in such cases the user name can be quite easily inferred. So basically > this feature is just a 'marketing' improvement and not worth the hassle. I disagree. Just because it is easy to infer non-root user names does not mean we tell people it is 'root'. Secondly, it might be easy for you to infer such names, not for everyone. The increased difficulty level that is added by not allowing remote root login could help to thwart lot of real & automated attacks.[1] Thirdly, it need not have to be entirely about security, it's also about picking the right default configuration. Same as disabling sshd(8) in Workstation by default. As Scott wrote above ...Pick *one* setting, and let people know from that... This feature, like any other, requires users to tweak their current practices to suite the new defaults. That is no reason to not do it; Because in the longer run it is only beneficial. [1] https://lists.fedoraproject.org/pipermail/security/2014-November/002031.html --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
- Original Message - > On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit wrote: > > On Tue, Nov 25, 2014 at 09:56:59AM -0500, Simo Sorce wrote: > >> On Sat, 22 Nov 2014 08:24:32 + (UTC) P J P wrote: > >> > > On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote: > >> > >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote: > >> > >> The latter. We have to install authorized_keys inside the VM > >> > >> anyway, so we can touch sshd_config, too. > >> > > > >> > > Virt-builder has a new '--ssh-inject' feature (in F22 only). > >> > > > >> > > $ virt-builder fedora-20 --ssh-inject root > >> > > > >> > > would inject your current ssh key into the root account of the new > >> > > VM. There are other variations, including ways to create a non-root > >> > > user account, see: > >> > > > >> > > http://libguestfs.org/virt-builder.1.html > >> > > >> > Excellent! :) > >> > > >> > So far the consensus seem that it is okay to reverse the current > >> > default and set PermitRootLogin=no. I'll talk to the upstream > >> > maintainer - plautrba(https://fedoraproject.org/wiki/User:Plautrba). > >> > > >> > Thank you. > >> > >> We can install machine w/o user accounts, removing the ability to log > >> in as root via ssh means those machines will not be accessible. > >> > >> If you want to remove root access that should be conditionally done at > >> firstboot only if a user account was created. > > > > It seems to me that we could tweak this somewhat: "only if a user > > account was created OR remote users have been configured" > > And in months that start with the letter "q", but not odd numbed > weekdays, and if I ate a tuna fish sandwich for lunch, but not if I'm > wearing white socks, and only on alternate years with a prime number, > etc, etc., etc. > > Look, this is a basic system configuration. It's not "Cripple Mr. > Onion". Pick *one* setting, and let people know from that whether > they'll need to manipulate their local environments for their > particular subtle needs. > > And for those who don't read Terry Pratchett stories, > http://discworld.wikia.com/wiki/Cripple_Mr_Onion Exactly! The more I think about this Change the more I am having an opinion that we should reject it altogether. In fact this change does not really bring any real security improvement because for the Workstation the sshd is already disabled completely by default and for the other products the people who are installing them can be expected to know what they are doing. Also disabling root access does not improve security against targeted attacks because in such cases the user name can be quite easily inferred. So basically this feature is just a 'marketing' improvement and not worth the hassle. Tomas Mraz -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit wrote: > On Tue, Nov 25, 2014 at 09:56:59AM -0500, Simo Sorce wrote: >> On Sat, 22 Nov 2014 08:24:32 + (UTC) P J P wrote: >> > > On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote: >> > >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote: >> > >> The latter. We have to install authorized_keys inside the VM >> > >> anyway, so we can touch sshd_config, too. >> > > >> > > Virt-builder has a new '--ssh-inject' feature (in F22 only). >> > > >> > > $ virt-builder fedora-20 --ssh-inject root >> > > >> > > would inject your current ssh key into the root account of the new >> > > VM. There are other variations, including ways to create a non-root >> > > user account, see: >> > > >> > > http://libguestfs.org/virt-builder.1.html >> > >> > Excellent! :) >> > >> > So far the consensus seem that it is okay to reverse the current >> > default and set PermitRootLogin=no. I'll talk to the upstream >> > maintainer - plautrba(https://fedoraproject.org/wiki/User:Plautrba). >> > >> > Thank you. >> >> We can install machine w/o user accounts, removing the ability to log >> in as root via ssh means those machines will not be accessible. >> >> If you want to remove root access that should be conditionally done at >> firstboot only if a user account was created. > > It seems to me that we could tweak this somewhat: "only if a user > account was created OR remote users have been configured" And in months that start with the letter "q", but not odd numbed weekdays, and if I ate a tuna fish sandwich for lunch, but not if I'm wearing white socks, and only on alternate years with a prime number, etc, etc., etc. Look, this is a basic system configuration. It's not "Cripple Mr. Onion". Pick *one* setting, and let people know from that whether they'll need to manipulate their local environments for their particular subtle needs. And for those who don't read Terry Pratchett stories, http://discworld.wikia.com/wiki/Cripple_Mr_Onion -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Tue, Nov 25, 2014 at 09:56:59AM -0500, Simo Sorce wrote: > On Sat, 22 Nov 2014 08:24:32 + (UTC) P J P wrote: > > > On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote: > > >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote: > > >> The latter. We have to install authorized_keys inside the VM > > >> anyway, so we can touch sshd_config, too. > > > > > > Virt-builder has a new '--ssh-inject' feature (in F22 only). > > > > > > $ virt-builder fedora-20 --ssh-inject root > > > > > > would inject your current ssh key into the root account of the new > > > VM. There are other variations, including ways to create a non-root > > > user account, see: > > > > > > http://libguestfs.org/virt-builder.1.html > > > > Excellent! :) > > > > So far the consensus seem that it is okay to reverse the current > > default and set PermitRootLogin=no. I'll talk to the upstream > > maintainer - plautrba(https://fedoraproject.org/wiki/User:Plautrba). > > > > Thank you. > > We can install machine w/o user accounts, removing the ability to log > in as root via ssh means those machines will not be accessible. > > If you want to remove root access that should be conditionally done at > firstboot only if a user account was created. It seems to me that we could tweak this somewhat: "only if a user account was created OR remote users have been configured" -- Scott Schmit smime.p7s Description: S/MIME cryptographic signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 25.11.2014 18:25, Simo Sorce wrote: > On Tue, 25 Nov 2014 17:05:59 + (UTC) > P J P wrote: > >> Hi, >> >>> On Tuesday, 25 November 2014 10:00 PM, Gabriel Ramirez wrote: >>> I have a server which only runs several VM's with specific >>> services, no need user accounts in the host or in the VM's, >>> >>> so you propose when I reiinstall any of them create a user account >>> in each of them, that will cause boot the first time change to >>> permit root login and delete the *forced* user account >>> >>> and the server is hosted remotely, so if anything is wrong with it >>> I can only access via ssh so this *feature change* is no simple, >> >> >> True, it is complex. >> >> Maybe we could have an option in firstboot(and other such places) by >> which user can override the default non-root account creation. Ie. >> Say a user is prompted to create non-root user account; He/she can >> choose to override it and not create one. In such workflow, he/she is >> warned about the possible lockout situation and duly advised to >> explicitly enable remote root login in sshd_config(5). >> >> (Just a thought) > > If the user is not created you do not change the sshd_config defaults > and let root log in. > Simple, and does not break current kickstarts. +1 This is a good idea. I maintain a lot of throw-away VMs which are installed automatically and creating yet another local account just to make someone happy would be really annoying. -- Petr^2 Spacek -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Tue, Nov 25, 2014 at 10:23 AM, Kevin Fenzi wrote: > On Tue, 25 Nov 2014 09:56:59 -0500 > Simo Sorce wrote: > >> We can install machine w/o user accounts, removing the ability to log >> in as root via ssh means those machines will not be accessible. > > This has been the reason this hasn't been changed the last few times > someone proposed to change it. > > I don't know how many folks do installs with no user config, but it's > definitely possible right now and that could mean they wouldn't be able > to reach their instance. We could of course change that so creating a > new user is forced, but I'm really not sure it's that much advantage. > >> If you want to remove root access that should be conditionally done at >> firstboot only if a user account was created. > > This seems a more reasonable place to look to change this, I agree. > > kevin No user config *and no console access* is where it breaks down. Most people who run real servers use either virtualization, which provides a form of console access, or remote KVM's, or have hands and eyes. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Tue, Nov 25, 2014 at 09:20:35PM +0100, Petr Lautrbach wrote: > There are several use cases when local non-root users are not needed at > all as others already pointed out. Including in some cases where there should both be no root password _and_ no local non-system users. > The change itself is simple however the problem is more complex overall. > Here are some thoughts I have about the change: > - administrators are alerted when they use weak password for root by > anaconda This has long been the case. However, if it explains _why_, I forget, for the same reason that this never works. (Yeah yeah whatever, I just want to install my system now and keep using "godmode" as my root password just like I always have so I don't forget it.) [more snipped] > - default sudoers uses password of an user for authentication, so even > when I have a non-root user in wheel group, I only need one user's > password to become root This is also the case already. -- Matthew Miller Fedora Project Leader -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 11/21/2014 08:11 AM, P J P wrote: > Hello, > > Sshd(8) daemon by default allows remote users to login as root. > > 1. Is that really necessary? The original bug report [1] was kept opened mainly due to the lack of adding user functionality in anaconda. This is no more true, anaconda has ability to add an user although it's not enforced. [1] https://bugzilla.redhat.com/show_bug.cgi?id=89216 > 2. Lot of users use their systems as root, without even creating a non-root > user. > Such practices need to be discouraged, not allowing remote root login > could be > useful in that. There are several use cases when local non-root users are not needed at all as others already pointed out. The change itself is simple however the problem is more complex overall. Here are some thoughts I have about the change: - administrators are alerted when they use weak password for root by anaconda - Fedora Workstation and Live installations don't enable sshd.service - even if the default was 'PermitRootLogin without-password' you would need to inject an ssh key and when you are able to inject a key, you are able to change the default configuration - I personally use several Fedora systems without non-root users in local network. - default sudoers uses password of an user for authentication, so even when I have a non-root user in wheel group, I only need one user's password to become root - how much users of these enforced users will be 'user' or 'test'? Petr -- Petr Lautrbach signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 11/25/2014 11:05 AM, P J P wrote: Hi, On Tuesday, 25 November 2014 10:00 PM, Gabriel Ramirez wrote: I have a server which only runs several VM's with specific services, no need user accounts in the host or in the VM's, so you propose when I reiinstall any of them create a user account in each of them, that will cause boot the first time change to permit root login and delete the *forced* user account and the server is hosted remotely, so if anything is wrong with it I can only access via ssh so this *feature change* is no simple, True, it is complex. Maybe we could have an option in firstboot(and other such places) by which user can override the default non-root account creation. Ie. Say a user is prompted to create non-root user account; He/she can choose to override it and not create one. In such workflow, he/she is warned about the possible lockout situation and duly advised to explicitly enable remote root login in sshd_config(5). (Just a thought) --- Regards -Prasad http://feedmug.com thanks, in my multiple re installs, I can live with the following: an user prompt to create a user account and press no or setting an one more option in kickstart to prevent create a user account and change myself the ssh default to permit rootlogin to yes but not with: creating a user account by default logging with that account, change the sshd default to yes logoff logging with root delete the user account -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Tue, 25 Nov 2014 17:05:59 + (UTC) P J P wrote: > Hi, > > > On Tuesday, 25 November 2014 10:00 PM, Gabriel Ramirez wrote: > > I have a server which only runs several VM's with specific > > services, no need user accounts in the host or in the VM's, > > > > so you propose when I reiinstall any of them create a user account > > in each of them, that will cause boot the first time change to > > permit root login and delete the *forced* user account > > > > and the server is hosted remotely, so if anything is wrong with it > > I can only access via ssh so this *feature change* is no simple, > > > True, it is complex. > > Maybe we could have an option in firstboot(and other such places) by > which user can override the default non-root account creation. Ie. > Say a user is prompted to create non-root user account; He/she can > choose to override it and not create one. In such workflow, he/she is > warned about the possible lockout situation and duly advised to > explicitly enable remote root login in sshd_config(5). > > (Just a thought) If the user is not created you do not change the sshd_config defaults and let root log in. Simple, and does not break current kickstarts. Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Hi, > On Tuesday, 25 November 2014 10:00 PM, Gabriel Ramirez wrote: > I have a server which only runs several VM's with specific services, no > need user accounts in the host or in the VM's, > > so you propose when I reiinstall any of them create a user account in > each of them, that will cause boot the first time change to permit root > login and delete the *forced* user account > > and the server is hosted remotely, so if anything is wrong with it I can > only access via ssh so this *feature change* is no simple, True, it is complex. Maybe we could have an option in firstboot(and other such places) by which user can override the default non-root account creation. Ie. Say a user is prompted to create non-root user account; He/she can choose to override it and not create one. In such workflow, he/she is warned about the possible lockout situation and duly advised to explicitly enable remote root login in sshd_config(5). (Just a thought) --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 11/25/2014 09:45 AM, P J P wrote: On Tuesday, 25 November 2014 8:53 PM, Kevin Fenzi wrote: On Tue, 25 Nov 2014 09:56:59 -0500 Simo Sorce wrote: We can install machine w/o user accounts, removing the ability to log in as root via ssh means those machines will not be accessible. This has been the reason this hasn't been changed the last few times someone proposed to change it. I don't know how many folks do installs with no user config, but it's definitely possible right now and that could mean they wouldn't be able to reach their instance. We could of course change that so creating a new user is forced, but I'm really not sure it's that much advantage. If you want to remove root access that should be conditionally done at firstboot only if a user account was created. This seems a more reasonable place to look to change this, I agree. True, this concern has been raised before. We need to ensure that user creates at least one non-root user account; firstboot is just the right place to ensure that. no need to create a user account in *all* installs I have a server which only runs several VM's with specific services, no need user accounts in the host or in the VM's, so you propose when I reiinstall any of them create a user account in each of them, that will cause boot the first time change to permit root login and delete the *forced* user account and the server is hosted remotely, so if anything is wrong with it I can only access via ssh so this *feature change* is no simple, -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Hello Matthew, > On Tuesday, 25 November 2014 9:21 PM, Matthew Miller wrote: > Keep in mind that in cloud, cloud-init does the same thing (instead of > firstboot). Ah I see, cool! --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Tuesday, 25 November 2014 9:07 PM, Simo Sorce wrote: > My machines get joined to an IPA domain as soon as they are finished > installing, I do *not* want a local user, it would be a liability. Well, I think this is more specific case for which remote 'root' login could be enabled by user. --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Tue, Nov 25, 2014 at 03:45:08PM +, P J P wrote: > True, this concern has been raised before. We need to ensure that > user creates at least one non-root user account; firstboot is just > the right place to ensure that. Keep in mind that in cloud, cloud-init does the same thing (instead of firstboot). -- Matthew Miller Fedora Project Leader -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Tuesday, 25 November 2014 8:53 PM, Kevin Fenzi wrote: > > On Tue, 25 Nov 2014 09:56:59 -0500 > Simo Sorce wrote: > >> We can install machine w/o user accounts, removing the ability to log >> in as root via ssh means those machines will not be accessible. > > This has been the reason this hasn't been changed the last few times > someone proposed to change it. > > I don't know how many folks do installs with no user config, but it's > definitely possible right now and that could mean they wouldn't be able > to reach their instance. We could of course change that so creating a > new user is forced, but I'm really not sure it's that much advantage. > >> If you want to remove root access that should be conditionally done at >> firstboot only if a user account was created. > > This seems a more reasonable place to look to change this, I agree. True, this concern has been raised before. We need to ensure that user creates at least one non-root user account; firstboot is just the right place to ensure that. --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Tue, 25 Nov 2014 08:23:22 -0700 Kevin Fenzi wrote: > On Tue, 25 Nov 2014 09:56:59 -0500 > Simo Sorce wrote: > > > We can install machine w/o user accounts, removing the ability to > > log in as root via ssh means those machines will not be accessible. > > This has been the reason this hasn't been changed the last few times > someone proposed to change it. > > I don't know how many folks do installs with no user config, but it's > definitely possible right now and that could mean they wouldn't be > able to reach their instance. We could of course change that so > creating a new user is forced, but I'm really not sure it's that much > advantage. My machines get joined to an IPA domain as soon as they are finished installing, I do *not* want a local user, it would be a liability. > > If you want to remove root access that should be conditionally done > > at firstboot only if a user account was created. > > This seems a more reasonable place to look to change this, I agree. > > kevin -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Tue, 25 Nov 2014 09:56:59 -0500 Simo Sorce wrote: > We can install machine w/o user accounts, removing the ability to log > in as root via ssh means those machines will not be accessible. This has been the reason this hasn't been changed the last few times someone proposed to change it. I don't know how many folks do installs with no user config, but it's definitely possible right now and that could mean they wouldn't be able to reach their instance. We could of course change that so creating a new user is forced, but I'm really not sure it's that much advantage. > If you want to remove root access that should be conditionally done at > firstboot only if a user account was created. This seems a more reasonable place to look to change this, I agree. kevin pgpcbATTMtWgN.pgp Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Sat, 22 Nov 2014 08:24:32 + (UTC) P J P wrote: > > On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote: > >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote: > >> The latter. We have to install authorized_keys inside the VM > >> anyway, so we can touch sshd_config, too. > > > > Virt-builder has a new '--ssh-inject' feature (in F22 only). > > > > $ virt-builder fedora-20 --ssh-inject root > > > > would inject your current ssh key into the root account of the new > > VM. There are other variations, including ways to create a non-root > > user account, see: > > > > http://libguestfs.org/virt-builder.1.html > > > > > Excellent! :) > > > So far the consensus seem that it is okay to reverse the current > default and set PermitRootLogin=no. I'll talk to the upstream > maintainer - plautrba(https://fedoraproject.org/wiki/User:Plautrba). > > Thank you. We can install machine w/o user accounts, removing the ability to log in as root via ssh means those machines will not be accessible. If you want to remove root access that should be conditionally done at firstboot only if a user account was created. Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Monday, 24 November 2014 2:59 PM, P J P wrote: > > On Sunday, 23 November 2014 1:59 AM, Rahul Sundaram wrote: >> I would suggesting going through the feature process... >> Having FESCo review a proposal is useful as well. > > Right, makes sense. I'll do that. Please see -> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Sunday, 23 November 2014 1:59 AM, Rahul Sundaram wrote: >I would suggesting going through the feature process. Although the config >file change itself is trivial, there are multiple components that require >coordination with several teams (Anaconda, Fedora Security team, openSSH, >GNOME etc), testing and documentation. Having FESCo review a proposal is >useful as well. Right, makes sense. I'll do that. I'm from Fedora Security Team above; that is where this topic/discussion came up and lead to this thread. Thank you. --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Sun, Nov 23, 2014 at 7:44 PM, Dennis Gilmore wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Fri, 21 Nov 2014 07:11:27 + (UTC) > P J P wrote: > >> Hello, >> >> Sshd(8) daemon by default allows remote users to login as root. >> >> 1. Is that really necessary? >> 2. Lot of users use their systems as root, without even creating a >> non-root user. Such practices need to be discouraged, not allowing >> remote root login could be useful in that. >> >> Does it make sense to disable remote root login by default? If so, do >> we need to just report it to the maintainer or it would be treated as >> a feature? > > I think its a bad idea, but I say so as a user that when installing a > new system, especially a remove vm will log in as root via ssh and > join the machine post install to my ipa domain. > > Dennis This is an old, old, subject and debate in the SSH community. Every time people try to change defaults, it can and *wll* break existing practices, even if the defaults are a security problem and should have been changed a decade ago. Personally? I'd *love* to see the default allow root direct login directly only from ""localhost". That means a 'Match Host' change to re-enable PermitRootLogin only if the connection is from localhost, which is a bit more sophisticated than just turning PermitRootlLogin on or off. Plus, I don't know if you've looked lately, but some people *really* screw up "localhost" settings in /etc/hosts as they try to get clever with shoving the FQDN into the loopback IP addresses, and hilarity ensues. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, 21 Nov 2014 07:11:27 + (UTC) P J P wrote: > Hello, > > Sshd(8) daemon by default allows remote users to login as root. > > 1. Is that really necessary? > 2. Lot of users use their systems as root, without even creating a > non-root user. Such practices need to be discouraged, not allowing > remote root login could be useful in that. > > Does it make sense to disable remote root login by default? If so, do > we need to just report it to the maintainer or it would be treated as > a feature? I think its a bad idea, but I say so as a user that when installing a new system, especially a remove vm will log in as root via ssh and join the machine post install to my ipa domain. Dennis -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBAgAGBQJUcn9WAAoJEH7ltONmPFDRAwQP/36BhjlPb8AbNKzpZvuIcIX4 Sn+zTceuaaAwBYLIiHzqB7pQ7992Y3ka2V7ViWVcgmEbfgcVbm2roXQwHKN2IRGY e6xy+Tji0nt3vpbI+nvVVH3zWBMsIn+iy6YmddpzTCDNQVFtJBe/NRwNjKlqEg5A mXsPY/H0g20tv5SgWMzsTnbPOYRTEouLpCR7fUsEB5vifBjAmwHolPJ5IfiMIXg8 ese7JVE1UMfB6e2+CrkproC5lxVgmNASx/+6wgKKXJKVM8kD338Iy8zS3rWZpPOF zBModm0lgIF3kBDV9rpJARAo7Loj1EF9c/Dgv4OwzAcwsLWc8AxhHTK5Mle5T16Q 2WXteZBi9cJxdOK+n9lYWJDYN+NvjFViHFBY65ZKFcj95bu2UQy0dQtygtUJuv5C SC7MizpH1p/6BEwDnUmydk3PZ8m1zW1VExTRrkk/8uyjuxvBhMkQhrTB8dXQEwAO ReISOpEA7lyRlXH0v6SkKgQ2XST1nceR1Qt+lgyBksdXGVZ6Qgk1De2jV0230i44 lY0JfqgTwlg9dyRq3XQ4c9LteA53m2XICWrctcxeoJ3RxcO01UGbhwJ/bSNUVe+p c55FlsJm9oQqj28+0BD5kMeQAVoCtsW2iuk8htoLl3wbkn5KaRZPpCuTe4L5Z6Vy N5ZPvFiY2KbI5eZKz2fm =DRcf -END PGP SIGNATURE- -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Hi > Yes, true. We need to talk to them about it yet; still in the process. > And that's why I was wondering if it needs to be a fully fledged feature? > or just talking to upstream maintainers would do it? > I would suggesting going through the feature process. Although the config file change itself is trivial, there are multiple components that require coordination with several teams (Anaconda, Fedora Security team, openSSH, GNOME etc), testing and documentation. Having FESCo review a proposal is useful as well. Rahul -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Saturday, 22 November 2014 9:28 PM, Rahul Sundaram wrote: >This seems pretty tricky to ensure. Anaconda doesn't enforce >an additional user because that could be done via the initial >setup or gnome initial setup. IIRC, the interactions between >them were pretty non obvious already. Yes, true. We need to talk to them about it yet; still in the process. And that's why I was wondering if it needs to be a fully fledged feature? or just talking to upstream maintainers would do it? --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Hi On Sat, Nov 22, 2014 at 7:24 AM, P J P wrote: > > Yes, we'll ensure that noone is locked out of their systems after a fresh > install or upgrade. > This seems pretty tricky to ensure. Anaconda doesn't enforce an additional user because that could be done via the initial setup or gnome initial setup. IIRC, the interactions between them were pretty non obvious already. Rahul -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Saturday, 22 November 2014 4:29 PM, Felix Schwarz wrote > I'm ok with no root login assuming that one can ssh into the machine (and > become root somehow) after an install (this is along the lines of what Harald > Reindl mentioned yesterday). Yes, true. One would definitely need a non-user access to the system. Maybe by compulsory/default non-root user account creation. > Seems that this means there must be some other user account on the system (or > just use "PermitRootLogin without-password" which is my favorite > option right now anyway). I guess you'll take care of that? Yes, we'll ensure that noone is locked out of their systems after a fresh install or upgrade. Thank you. --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Am 22.11.2014 um 09:24 schrieb P J P: > So far the consensus seem that it is okay to reverse the current default and > set PermitRootLogin=no. I'll talk to the upstream maintainer - > plautrba(https://fedoraproject.org/wiki/User:Plautrba). Sorry for being late to the party. I'm ok with no root login assuming that one can ssh into the machine (and become root somehow) after an install (this is along the lines of what Harald Reindl mentioned yesterday). Seems that this means there must be some other user account on the system (or just use "PermitRootLogin without-password" which is my favorite option right now anyway). I guess you'll take care of that? fs -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote: >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote: >> The latter. We have to install authorized_keys inside the VM >> anyway, so we can touch sshd_config, too. > > Virt-builder has a new '--ssh-inject' feature (in F22 only). > > $ virt-builder fedora-20 --ssh-inject root > > would inject your current ssh key into the root account of the new VM. > There are other variations, including ways to create a non-root user > account, see: > > http://libguestfs.org/virt-builder.1.html > Excellent! :) So far the consensus seem that it is okay to reverse the current default and set PermitRootLogin=no. I'll talk to the upstream maintainer - plautrba(https://fedoraproject.org/wiki/User:Plautrba). Thank you. --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote: > On 11/21/2014 09:04 AM, P J P wrote: > >>My point is that once we address this (most likely through some > >>configuration generation during VM setup), we can also switch > >>PermitRootLogin on. > > > You mean off? Or that we disable it by default and enable it while > > setting up a new VM? > > The latter. We have to install authorized_keys inside the VM > anyway, so we can touch sshd_config, too. Virt-builder has a new '--ssh-inject' feature (in F22 only). $ virt-builder fedora-20 --ssh-inject root would inject your current ssh key into the root account of the new VM. There are other variations, including ways to create a non-root user account, see: http://libguestfs.org/virt-builder.1.html Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 2014-11-21, 10:55 GMT, Roberto Ragusa wrote: > For rsync-as-root use cases my usual approach is to create > another account with userid=0 and login with ssh on this > account. Proper way is actually to use command parameter in authorized_keys on server and for example https://ftp.samba.org/pub/unpacked/rsync/support/rrsync (or /usr/share/doc/rsync-*/support/rrsync) The only thing attacker gets after cracking to the server is rsync prompt. Best, Matěj -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Am 21.11.2014 um 12:05 schrieb Reindl Harald: Am 21.11.2014 um 11:55 schrieb Roberto Ragusa: On 11/21/2014 09:42 AM, Reindl Harald wrote: why? because they are servers for specific tasks and *any* non-root login would be followed by "su - root" anyways and for automated rsync scripts backing up data only root has access you need it also For rsync-as-root use cases my usual approach is to create another account with userid=0 and login with ssh on this account. It is not root, but it has the same powers (because the numeric uid is the only thing it really matters). Just wanted to share the trick thanks, but that would alert in lynis checks "PermitRootLogin without-password" after setup key-authentication should be the first action anyways - however i am neutral to any default here since on physical machines no problem and most remote machines are setup as virtual machine and so "local access" not entirely neutral "PermitRootLogin without-password" instead "PermitRootLogin no" has the same effect until "authorized_keys" got configured but avoids people going mad why the key-auth-setup don't work :-) signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Am 21.11.2014 um 11:55 schrieb Roberto Ragusa: On 11/21/2014 09:42 AM, Reindl Harald wrote: why? because they are servers for specific tasks and *any* non-root login would be followed by "su - root" anyways and for automated rsync scripts backing up data only root has access you need it also For rsync-as-root use cases my usual approach is to create another account with userid=0 and login with ssh on this account. It is not root, but it has the same powers (because the numeric uid is the only thing it really matters). Just wanted to share the trick thanks, but that would alert in lynis checks "PermitRootLogin without-password" after setup key-authentication should be the first action anyways - however i am neutral to any default here since on physical machines no problem and most remote machines are setup as virtual machine and so "local access" the only important thing is to *really* make sure that there was a different account created - otherwise it could lead to a locked out installation in case of network setup after the first boot __ Lynis: [+] Users, Groups and Authentication - Search administrator accounts [ OK ] - Checking for non-unique UIDs [ OK ] - Checking consistency of group files (grpck) [ OK ] - Checking non unique group ID's[ OK ] - Checking non unique group names [ OK ] signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 11/21/2014 09:42 AM, Reindl Harald wrote: > why? because they are servers for specific tasks and *any* non-root login > would be followed by "su - root" anyways and for automated rsync scripts > backing up data only root has access you need it also For rsync-as-root use cases my usual approach is to create another account with userid=0 and login with ssh on this account. It is not root, but it has the same powers (because the numeric uid is the only thing it really matters). Just wanted to share the trick. Best regards. -- Roberto Ragusamail at robertoragusa.it -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 11/21/2014 09:04 AM, P J P wrote: >> On Friday, 21 November 2014 1:24 PM, Florian Weimer wrote: > >>> On 11/21/2014 08:34 AM, Jan Kratochvil wrote: >>> Almost all of my Fedora installations are test VMs where >>> any security is irrelevant. > >Okay. But does enabling root login offer any significant benefit in that? > IOW, if it's disabled by default, would it cause any significant > inconvenience/troubles?? If not, it better be disabled by default. For example for me it would be some inconvenience. I also use a lot of Fedora VMs for testing and none of them has regular user, just root. However I can see the benefits of disabling root login by default. Especially from the security point of view. I think it would be a good move. Regards, Tomas >> I think it's a valid use case, but rather poorly supported at the >> moment. For example, there should be completely seemless SSH login from >> virt-manager for user-manageable virtual machines (both as root and the >> user). >> >> My point is that once we address this (most likely through some >> configuration generation during VM setup), we can also switch >> PermitRootLogin on. > > > You mean off? Or that we disable it by default and enable it while setting > up a new VM? > > --- > Regards >-Prasad > http://feedmug.com > -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
Am 21.11.2014 um 08:11 schrieb P J P: Sshd(8) daemon by default allows remote users to login as root. 1. Is that really necessary? 2. Lot of users use their systems as root, without even creating a non-root user. Such practices need to be discouraged, not allowing remote root login could be useful in that. Does it make sense to disable remote root login by default? If so, do we need to just report it to the maintainer or it would be treated as a feature? normally if you care for security you disable password logins at all, setup key-authentication and "PermitRootLogin without-password" many machines i maintain only have a root account for login why? because they are servers for specific tasks and *any* non-root login would be followed by "su - root" anyways and for automated rsync scripts backing up data only root has access you need it also for all of that you need a initial ssh login in most cases (except you work with a CD/DVD containing the key in case of a local install) signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Fr, 2014-11-21 at 09:11 +0100, Florian Weimer wrote: > On 11/21/2014 09:04 AM, P J P wrote: > >> My point is that once we address this (most likely through some > >> configuration generation during VM setup), we can also switch > >> PermitRootLogin on. > > >You mean off? Or that we disable it by default and enable it while > > setting up a new VM? > > The latter. We have to install authorized_keys inside the VM anyway, so > we can touch sshd_config, too. There is "PermitRootLogin without-password" too ... cheers. Gerd -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
El 2014-11-21 08:49, Christian Rose escribió: 2014-11-21 8:11 GMT+01:00 P J P : Sshd(8) daemon by default allows remote users to login as root. 1. Is that really necessary? 2. Lot of users use their systems as root, without even creating a non-root user. Such practices need to be discouraged, not allowing remote root login could be useful in that. Does it make sense to disable remote root login by default? If so, do we need to just report it to the maintainer or it would be treated as a feature? IIRC, the main reason for PermitRootLogin being enabled by default was to prevent a remote server from becoming inaccessible in cases such as a network mounted /home suddenly becoming unavailable. Also, the creation of a user is not enforced at installation, so you'll need to login as root in those cases -- Juan Orti https://miceliux.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 11/21/2014 09:04 AM, P J P wrote: My point is that once we address this (most likely through some configuration generation during VM setup), we can also switch PermitRootLogin on. You mean off? Or that we disable it by default and enable it while setting up a new VM? The latter. We have to install authorized_keys inside the VM anyway, so we can touch sshd_config, too. -- Florian Weimer / Red Hat Product Security -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
> On Friday, 21 November 2014 1:24 PM, Florian Weimer wrote: >> On 11/21/2014 08:34 AM, Jan Kratochvil wrote: >> Almost all of my Fedora installations are test VMs where >> any security is irrelevant. Okay. But does enabling root login offer any significant benefit in that? IOW, if it's disabled by default, would it cause any significant inconvenience/troubles?? If not, it better be disabled by default. > I think it's a valid use case, but rather poorly supported at the > moment. For example, there should be completely seemless SSH login from > virt-manager for user-manageable virtual machines (both as root and the > user). > > My point is that once we address this (most likely through some > configuration generation during VM setup), we can also switch > PermitRootLogin on. You mean off? Or that we disable it by default and enable it while setting up a new VM? --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On 11/21/2014 08:34 AM, Jan Kratochvil wrote: On Fri, 21 Nov 2014 08:11:27 +0100, P J P wrote: Does it make sense to disable remote root login by default? If so, do we need to just report it to the maintainer or it would be treated as a feature? Almost all of my Fedora installations are test VMs where any security is irrelevant. Just my use case, not saying if it is good or bad in general. I think it's a valid use case, but rather poorly supported at the moment. For example, there should be completely seemless SSH login from virt-manager for user-manageable virtual machines (both as root and the user). My point is that once we address this (most likely through some configuration generation during VM setup), we can also switch PermitRootLogin on. -- Florian Weimer / Red Hat Product Security -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
2014-11-21 8:11 GMT+01:00 P J P : > Sshd(8) daemon by default allows remote users to login as root. > > 1. Is that really necessary? > 2. Lot of users use their systems as root, without even creating a > non-root user. > Such practices need to be discouraged, not allowing remote root login > could be > useful in that. > > Does it make sense to disable remote root login by default? If so, do we > need to just report it to the maintainer or it would be treated as a > feature? > IIRC, the main reason for PermitRootLogin being enabled by default was to prevent a remote server from becoming inaccessible in cases such as a network mounted /home suddenly becoming unavailable. Regards Christian -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Fri, 21 Nov 2014 08:11:27 +0100, P J P wrote: > Does it make sense to disable remote root login by default? If so, do we > need to just report it to the maintainer or it would be treated as > a feature? Almost all of my Fedora installations are test VMs where any security is irrelevant. Just my use case, not saying if it is good or bad in general. Jan -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Abotu setting 'PermitRootLogin=no' in sshd_config
On Fri, Nov 21, 2014 at 12:41 PM, P J P wrote: > Hello, > > Sshd(8) daemon by default allows remote users to login as root. > > 1. Is that really necessary? > 2. Lot of users use their systems as root, without even creating a non-root > user. > Such practices need to be discouraged, not allowing remote root login > could be > useful in that. > > Does it make sense to disable remote root login by default? If so, do we need > to just report it to the maintainer or it would be treated as a feature? Being a Fedora user on my personal machine as well as maintainer of a few Fedora machines in production environment, I would gladly welcome this. Many people do disable root login anyway. Having it default would be a positive step from security stand point. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Abotu setting 'PermitRootLogin=no' in sshd_config
Hello, Sshd(8) daemon by default allows remote users to login as root. 1. Is that really necessary? 2. Lot of users use their systems as root, without even creating a non-root user. Such practices need to be discouraged, not allowing remote root login could be useful in that. Does it make sense to disable remote root login by default? If so, do we need to just report it to the maintainer or it would be treated as a feature? --- Regards -Prasad http://feedmug.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
