Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On 5/15/21 11:53 AM, Ralf Corsepius wrote:
> > Creating a non-root user account, possibly with admin rights (all possible from within Anaconda) would seem like a safer option for occasional/emergency password based access to such machines over SSH.
>
> I don't see, how this would be any safer than directly using "root".

in many environments such user account is federated (kerberos/AD/NIS/whatever), so it can be managed more easily than a bunch of roots. Plus there's some accountability as to who did what.

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
Hi,

On 5/17/21 2:26 PM, Martin Kolman wrote:
> On Sat, 2021-05-15 at 17:53 +0200, Ralf Corsepius wrote:
> > On 5/14/21 2:50 PM, Martin Kolman wrote:
> > > On Thu, 2021-05-13 at 20:09 +0200, Peter Boy wrote:
> > > > We discussed that in the Fedora Server Edition Working Group and opted to leave it as is for the Server installation iso. A lot of servers are running in a protected environment. And there are situations when you need urgent access but do not sit at your desktop and don’t have the key available. So let the server admin decide what is best in a given installation context. In most cases it is the current default (disallow password login)
> > >
> > > Do those server deployments not have any users accounts other than root ? Creating a non-root user account, possibly with admin rights (all possible from within Anaconda) would seem like a safer option for occasional/emergency password based access to such machines over SSH.
> >
> > I don't see, how this would be any safer than directly using "root".
>
> As far as I understand the original change in upstream OpenSSH it's about only having to remotely guess a password to gain access to the root account. In comparison to remotely attack a user account you need to guess both the user name *and* password, making the potential search space quite a bit larger (provided the user name is reasonably unique).

So presumably, it's a problem for which a single additional bit of password entropy provides more security.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
Hi,

On 5/14/21 1:05 AM, Juha Tuomala wrote:
> On Thursday, 13 May 2021 18:50:33 EEST PGNet Dev wrote:
> > On 5/13/21 10:48 AM, Juha Tuomala wrote:
> > > Virtual machine installation is hopefully a special use case and majority of installations are bare metal end users.
> >
> > hardly.
> >
> > here,
>
> Sure. But this is devel list. Are developers themselves the target audience? :) Hopefully not. Is it defined somewhere?
>
> I would certainly enjoy the polished user interface that normal users require.

Yes, it would be helpful to know the userbase better, but I would hazard a guess that the percentage of non IT related people _installing_ fedora is a tiny fraction of the userbase. I don't think that is unique to linux, not many mac/windows users have seen the osx/windows installer either.

I would suggest then the point of the installer (vs just a random disk image, or pre-installed machine) is to give the user choices about the system behavior, be that the partitioning, DE, system services, etc. Sure having a streamlined "just do it" mode is helpful, but it's a shortcoming of the installer if the first thing I have to do with a newly installed machine is reverse a lot of the defaults it set. Sadly I find myself doing this more and more with fedora, as i'm not given the choice to not to use zram, or avoid starting iscsi, I have to manually disable those things.

So, while zram and iscsi have their place, it's not in my environment.

> > for that, a simple password option is more than sufficient.
> > again, why not simply 'leave it be'.
>
> To make it clear, I agree. Unix/Linux has always been about options and flexibility. And hence having option to pull the root's existing public key somewhere easier is just good progress.
>
> Tuju
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Sat, 2021-05-15 at 17:53 +0200, Ralf Corsepius wrote:
> On 5/14/21 2:50 PM, Martin Kolman wrote:
> > On Thu, 2021-05-13 at 20:09 +0200, Peter Boy wrote:
> > > We discussed that in the Fedora Server Edition Working Group and opted to leave it as is for the Server installation iso. A lot of servers are running in a protected environment. And there are situations when you need urgent access but do not sit at your desktop and don’t have the key available. So let the server admin decide what is best in a given installation context. In most cases it is the current default (disallow password login)
> >
> > Do those server deployments not have any users accounts other than root ? Creating a non-root user account, possibly with admin rights (all possible from within Anaconda) would seem like a safer option for occasional/emergency password based access to such machines over SSH.
>
> I don't see, how this would be any safer than directly using "root".

As far as I understand the original change in upstream OpenSSH it's about only having to remotely guess a password to gain access to the root account. In comparison to remotely attack a user account you need to guess both the user name *and* password, making the potential search space quite a bit larger (provided the user name is reasonably unique).

> Ralf
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On 5/13/21 9:45 AM, Simo Sorce wrote:
> On Wed, 2021-05-12 at 16:35 -0400, Ben Cotton wrote:
>> == Benefit to Fedora ==
>> This change makes the Fedora systems installed by Anaconda more secure from remote password guessing attacks targeting the root account as it would no longer be possible to configure a system that allows root to login via SSH with password.
>>
>> A smaller benefit is making the root password configuration screen less confusing by removing the "Allow SSH root login with password" & Anaconda code cleanup related removing code related to setting up the override in sshd.
>
> To be honest I object to this characterization.
>
> There is no added security given the default is not changed. This only removes a valid option that users that install images for testing locally on their computer use. It just makes it harder but does not change the security of Fedora one iota, as users can still log in after install and re-enable root login with passwords, or use a kickstart file to do the same.
>
> If this is being done because maintaining the option for Anaconda developers then just say that. Otherwise do not do this change and let people that need it for convenience have it.
>
> Simo.

This will be a major PITA for me as well. Most of my machines are internal facing only and are VMs. There are lots of ways to provision a host; kickstarts being just one. I made a commitment to using Puppet instead because it enforces a setup thereafter, not just at install time. The same would be true with Ansible or any other of this ilk. I can't/won't have a local user account until Puppet is run because that's all achieved with NFS, LDAP and Kerberos -- things I don't want to try and achieve or replicate in a kickstart. Sure, I could have a kickstart install/start Puppet, but it's MUCH easier to check this one box than it is to enter in a long URL where a kickstart can be reached.

In the end, my SSH config will still be more hardened than what would be achieved by removing this checkbox.

John Florian
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On 5/14/21 2:50 PM, Martin Kolman wrote:
> On Thu, 2021-05-13 at 20:09 +0200, Peter Boy wrote:
> > We discussed that in the Fedora Server Edition Working Group and opted to leave it as is for the Server installation iso. A lot of servers are running in a protected environment. And there are situations when you need urgent access but do not sit at your desktop and don’t have the key available. So let the server admin decide what is best in a given installation context. In most cases it is the current default (disallow password login)
>
> Do those server deployments not have any users accounts other than root ? Creating a non-root user account, possibly with admin rights (all possible from within Anaconda) would seem like a safer option for occasional/emergency password based access to such machines over SSH.

I don't see, how this would be any safer than directly using "root".

Ralf
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Friday, 14 May 2021 14:25:26 EEST PGNet Dev wrote:
> On 5/14/21 2:05 AM, Juha Tuomala wrote:
> > Sure. But this is devel list. Are developers themselves the target audience?
> > :) Hopefully not. Is it defined somewhere?
>
> and, yes, 'developers themselves' -- again, "here" -- *are* a target audience. their usage of OS installs, whether VM or baremetal, is far higher than end-users'.

- again, -- is it defined somewhere? :) Just asking.

Tuju

--
t...@iki.fi | http://tuju.fi | sip:t...@iki.fi | +358931575699 | +358401514000
Better to have one, and not need it, than to need one and not have it.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Thu, 2021-05-13 at 20:09 +0200, Peter Boy wrote:
> > On 12.05.2021 at 22:35, Ben Cotton wrote:
> >
> > == Summary ==
> > Since 2019 the Anaconda installer GUI hosted an option called "Allow SSH root login with password", that made it possible to enable password based root logins over SSH on the installed system. ... And after two years of transition period it is now time to drop the option from the GUI.
>
> We discussed that in the Fedora Server Edition Working Group and opted to leave it as is for the Server installation iso. A lot of servers are running in a protected environment. And there are situations when you need urgent access but do not sit at your desktop and don’t have the key available. So let the server admin decide what is best in a given installation context. In most cases it is the current default (disallow password login)

Do those server deployments not have any users accounts other than root ? Creating a non-root user account, possibly with admin rights (all possible from within Anaconda) would seem like a safer option for occasional/emergency password based access to such machines over SSH.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Fri, May 14, 2021 at 07:25:26AM -0400, PGNet Dev wrote:
> On 5/14/21 2:05 AM, Juha Tuomala wrote:
> >>here,
> >
> >Sure. But this is devel list. Are developers themselves the target audience?
> >:) Hopefully not. Is it defined somewhere?
>
> by 'here', I meant my company environment, not just this list.
>
> and, yes, 'developers themselves' -- again, "here" -- *are* a target audience. their usage of OS installs, whether VM or baremetal, is far higher than end-users'.

There's a special kind of "end users" who exclusively use VMs: Windows and Mac owners who install Fedora in VirtualBox. And there is an infinite amount of Windows users out there ;) I think the premise that there's more bare-metal installs is pretty weak.

Zbyszek
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On 5/14/21 2:05 AM, Juha Tuomala wrote:
> > here,
>
> Sure. But this is devel list. Are developers themselves the target audience?
> :) Hopefully not. Is it defined somewhere?

by 'here', I meant my company environment, not just this list.

and, yes, 'developers themselves' -- again, "here" -- *are* a target audience. their usage of OS installs, whether VM or baremetal, is far higher than end-users'.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Thursday, 13 May 2021 18:50:33 EEST PGNet Dev wrote:
> On 5/13/21 10:48 AM, Juha Tuomala wrote:
> > Virtual machine installation is hopefully a special use case and majority of installations are bare metal end users.
>
> hardly.
>
> here,

Sure. But this is devel list. Are developers themselves the target audience? :) Hopefully not. Is it defined somewhere?

I would certainly enjoy the polished user interface that normal users require.

> for that, a simple password option is more than sufficient.
> again, why not simply 'leave it be'.

To make it clear, I agree. Unix/Linux has always been about options and flexibility. And hence having option to pull the root's existing public key somewhere easier is just good progress.

Tuju

--
t...@iki.fi | http://tuju.fi | sip:t...@iki.fi | +358931575699 | +358401514000
Better to have one, and not need it, than to need one and not have it.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Thu, May 13, 2021 at 05:48:07PM +0300, Juha Tuomala wrote:
> Virtual machine installation is hopefully a special use case and majority of installations are bare metal end users.

Most likely the exact opposite of this, but I don't have the numbers.

(On _my_ systems it's likely to be 100:1 virtual:physical)

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
> On 12.05.2021 at 22:35, Ben Cotton wrote:
>
> == Summary ==
> Since 2019 the Anaconda installer GUI hosted an option called "Allow SSH root login with password", that made it possible to enable password based root logins over SSH on the installed system. ... And after two years of transition period it is now time to drop the option from the GUI.

We discussed that in the Fedora Server Edition Working Group and opted to leave it as is for the Server installation iso. A lot of servers are running in a protected environment. And there are situations when you need urgent access but do not sit at your desktop and don’t have the key available. So let the server admin decide what is best in a given installation context. In most cases it is the current default (disallow password login)
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Thu, May 13, 2021 at 9:46 AM Simo Sorce wrote:
>
> On Wed, 2021-05-12 at 16:35 -0400, Ben Cotton wrote:
> > == Benefit to Fedora ==
> > This change makes the Fedora systems installed by Anaconda more secure from remote password guessing attacks targeting the root account as it would no longer be possible to configure a system that allows root to login via SSH with password.
> >
> > A smaller benefit is making the root password configuration screen less confusing by removing the "Allow SSH root login with password" & Anaconda code cleanup related removing code related to setting up the override in sshd.
>
> To be honest I object to this characterization.
>
> There is no added security given the default is not changed. This only removes a valid option that users that install images for testing locally on their computer use. It just makes it harder but does not change the security of Fedora one iota, as users can still log in after install and re-enable root login with passwords, or use a kickstart file to do the same.
>
> If this is being done because maintaining the option for Anaconda developers then just say that. Otherwise do not do this change and let people that need it for convenience have it.
>
> Simo.

It also deletes from the GUI options that are available in anaconda itself. That violates one of the guidelines of Eric Raymond's guidelines for open source GUI's, from the "Luxury of Ignorance" essay. Well, OK, he added that guideline after the original essay as a PS at my suggestion.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On 5/13/21 10:48 AM, Juha Tuomala wrote:
> Virtual machine installation is hopefully a special use case and majority of installations are bare metal end users.

hardly.

here, for any given single bare-metal install, between cloud & local VMs, there are typically *many*/*frequent* VM installs -- of all shapes-n-sizes. it's FAR more frequent (among devs/ops, even some end-users) than bare-metal installs.

a bog-simple, not-uncommon workflow is: launch VirtualBox, drop in an OS iso, run the UI install.

for that, a simple password option is more than sufficient.

again, why not simply 'leave it be'.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Thursday, 13 May 2021 15:11:19 EEST Roberto Ragusa wrote:
> > Make a plugin interface for adding additional methods to obtain public keys as there are a lot different sources for those. Fedora itself has tools for PKI and public key based security and it would be quite low hanging fruit to fill the gap between those components, in cases like this.
>
> In this case before doing advanced cloud based things,

PKI nor LDAP have nothing to do with "clouds". Those were created at 1970s and are still in use. L stands for lightweight, could not be further from clouds.

https://en.wikipedia.org/wiki/Public_key_infrastructure#History
> Developments in PKI occurred in the early 1970s at the British intelligence agency GCHQ

https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#History
> These companies introduced the concept of directory services to information technology and computer networking, their input culminating in the comprehensive X.500 specification,[6] a suite of protocols produced by the International Telecommunication Union (ITU) in the 1980s.

> let's try to also have a simple "paste your key here" textarea,

Having a plugin interface in place, the first plugin can be the "text area", the simplest of all. Having base64 coded garbage in the end user interface is another question, I'm pretty sure that whoever decided ssh pubkeyformat, did not intend it to be used like this. Hence there is a command

% ssh-copy-id
Usage: /usr/bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [-F alternative ssh_config file] [[-o ] ...] [user@]hostname
    -f: force mode -- copy keys without trying to check if they are already installed
    -n: dry run -- no keys are actually copied
    -h|-?: print this help

Those plugins would be written by someone else, outside the Anaconda codebase. That's why the only needed is to define the plugin interface.

> which is the only sane method I would want to use when creating a virtual machine.

Virtual machine installation is hopefully a special use case and majority of installations are bare metal end users.

Tuju
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On 5/13/21 10:09 AM, Richard W.M. Jones wrote:
> Not everyone is installing a public facing server. On my isolated, non-networked test instances I want to put up a short-lived VM with a root password of "123456" quickly and no user account, and this option lets me do that.

this^^ is a _very_ frequent use case here, as well.

it's been mentioned, and seconded b4. i'll do it again: +10

'use kickstart' isn't a simplifying solution.

'leave it be', otoh, is.
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Wed, May 12, 2021 at 04:35:44PM -0400, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/Drop_Rootpw_SSH_From_Installer

I don't understand why you want to remove this, since it defaults to off. Sure, add a warning if you like (probably there's one already?)

Not everyone is installing a public facing server. On my isolated, non-networked test instances I want to put up a short-lived VM with a root password of "123456" quickly and no user account, and this option lets me do that.

> Now fast forward to today, it's 2021, any use cases that needed password based root login via SSH had 2 more years to migrate while the amount of password guessing attacks certainly didn't get any lower.

The trouble is there isn't a practical, lightweight migration available for the test use case, and these aren't exposed anywhere that password-guessing attacks would succeed.

The option is not enabled by default (and shouldn't be) so leave it be.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Wed, 2021-05-12 at 16:35 -0400, Ben Cotton wrote:
> == Benefit to Fedora ==
> This change makes the Fedora systems installed by Anaconda more secure from remote password guessing attacks targeting the root account as it would no longer be possible to configure a system that allows root to login via SSH with password.
>
> A smaller benefit is making the root password configuration screen less confusing by removing the "Allow SSH root login with password" & Anaconda code cleanup related removing code related to setting up the override in sshd.

To be honest I object to this characterization.

There is no added security given the default is not changed. This only removes a valid option that users that install images for testing locally on their computer use. It just makes it harder but does not change the security of Fedora one iota, as users can still log in after install and re-enable root login with passwords, or use a kickstart file to do the same.

If this is being done because maintaining the option for Anaconda developers then just say that. Otherwise do not do this change and let people that need it for convenience have it.

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On 5/13/21 12:13 PM, Juha Tuomala wrote:

> Make a plugin interface for adding additional methods to obtain public keys
> as there are a lot of different sources for those. Fedora itself has tools
> for PKI and public key based security and it would be quite low hanging
> fruit to fill the gap between those components, in cases like this.

In this case before doing advanced cloud based things, let's try to also
have a simple "paste your key here" textarea, which is the only sane
method I would want to use when creating a virtual machine.

Regards.

--
Roberto Ragusa    mail at robertoragusa.it
Re: F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
On Wednesday, 12 May 2021 23:35:44 EEST Ben Cotton wrote:
> * it has been suggested that making it easier to import SSH keys from
> popular code hosting platforms (Pagure, GitHub, GitLab, etc.) could
> provide a nice alternative to the dropped option -

Make a plugin interface for adding additional methods to obtain public keys
as there are a lot of different sources for those. Fedora itself has tools
for PKI and public key based security and it would be quite low hanging
fruit to fill the gap between those components, in cases like this.

The problem itself is an old one and there are known solutions for it:
https://en.wikipedia.org/wiki/Public_key_infrastructure

Maybe that plugin slot should have some callbacks to information for
the user interface - like hierarchical selection of country/organization and
UI-labels to build a user interface for the user, allowing to select the right
source of keys.

For example, my public key is available from a public source:

  ldapsearch -x -h ldap.fineid.fi -b dmdName=fineid,c=fi serialnumber=1350X usercertificate

and response:

  usercertificate;binary:: MIIHMjCCBRqgAwIBAgIEO8QJwTANBgkqhkiG9w0BAQsFADCBlDELM
   AkGA1UEBhMCRkkxITAfBgNVBAoTGFZhZXN0b3Jla2lzdGVyaWtlc2t1cyBDQTEkMCIGA1UECxMbVm
   FsdGlvbiBrYW5zYWxhaXN2YXJtZW50ZWV0MTwwOgYDVQQDEzNWUksgR292LiBDQSBmb3IgQ2l0aXp
   lbiBRdWFsaWZpZWQgQ2VydGlmaWNhdGVzIC0gRzIwHhcNMTYwNjE0MDkxMzAxWhcNMjEwNjEzMjA1
  . . .

Ideally I would just choose country, trust provider and insert my unique
serial number, and tadaa - a root access granted. Now I have to do that
manually.

The change itself is needed, take a look what happens at your network
connected host's /var/log/secure - it's a constant flow of intrusion attempts.

Tuju

--
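The kind of /var/log/secure review the message above points to, as an added example that is not part of the original post: it buckets failed SSH password attempts by whether they targeted root, a name sshd reports as invalid, or a real non-root account. The log lines are constructed, and the usual sshd syslog line format is assumed.

```python
import re
from collections import Counter

# The user name is supplied by the remote side and may contain spaces, so the
# greedy group anchors on the LAST " from <addr> port <n> ssh2" in the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<src>\S+) port \d+ ssh2")

def summarize(lines):
    """Bucket failed SSH password attempts by the kind of account targeted."""
    buckets, sources, names = Counter(), Counter(), set()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue                        # accepted logins, other daemons, etc.
        user = m["user"]
        if user == "root":
            buckets["root"] += 1            # name known in advance, only the password is guessed
        elif m["invalid"]:
            buckets["invalid_user"] += 1    # guessed name does not exist or is not allowed
        else:
            buckets["valid_non_root"] += 1  # guessed name is a real account
        names.add(user)
        sources[m["src"]] += 1
    return {
        "failed": sum(buckets.values()),
        "root": buckets["root"],
        "invalid_user": buckets["invalid_user"],
        "valid_non_root": buckets["valid_non_root"],
        "distinct_names": len(names),
        "top_sources": sources.most_common(3),
    }

# Constructed sample in /var/log/secure format (documentation address ranges).
SAMPLE = """\
May 13 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 50112 ssh2
May 13 10:01:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 50114 ssh2
May 13 10:01:09 host sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 50120 ssh2
May 13 10:02:11 host sshd[1215]: Failed password for invalid user test from 198.51.100.23 port 41002 ssh2
May 13 10:02:15 host sshd[1219]: Failed password for root from 198.51.100.23 port 41010 ssh2
May 13 10:03:00 host sshd[1230]: Accepted publickey for alice from 192.0.2.10 port 53000 ssh2
May 13 10:03:30 host sshd[1234]: Failed password for alice from 192.0.2.44 port 40000 ssh2
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```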
F35 Change: Drop the the "Allow SSH root login with password" option from the installer GUI (Self-Contained Change proposal)
https://fedoraproject.org/wiki/Changes/Drop_Rootpw_SSH_From_Installer

== Summary ==
Since 2019 the Anaconda installer GUI hosted an option called "Allow
SSH root login with password", that made it possible to enable
password based root logins over SSH on the installed system. This was
always meant as a temporary option to help users transition to either
using key authentication or normal users with admin privileges. And
after two years of transition period it is now time to drop the option
from the GUI.

== Owner ==
* Name: [[User:M4rtink| Martin Kolman]]

== Detailed Description ==
At the moment the Anaconda installer used by Fedora contains an option
called "Allow SSH root login with password" on the root password
configuration screen.

This is what it looks like at the moment, on the latest Fedora Rawhide
installer image:
https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png

For some backstory - in 2015 the OpenSSH upstream decided to disable
password based root logins by default. This was done for security
reasons as an attacker needs to only guess password to gain access to
the root account. For a user account the attacker needs to guess both
the username and password and the user account may not even have admin
privileges, making the remote password guessing attack both harder and
less useful.

The Fedora OpenSSH package carried downstream patches to revert this
upstream change up until summer 2019 when it was decided to restore
the upstream behavior and drop the downstream patches as enough tools
that required password based SSH login have been migrated to use
either key authentication or user based login methods.

Now back to the "Allow SSH root login with password" checkbox in the
installer GUI. :) The option was added in 2019 when Fedora disabled
password based root SSH login by default, as a temporary migration aid
for users of the graphical installer.

Note that the checkbox is not ticked by default, the user needs to
make a conscious choice to allow this security problematic SSH login
behavior.

Now fast forward to today, it's 2021, any use cases that needed
password based root login via SSH had 2 more years to migrate while the
amount of password guessing attacks certainly didn't get any lower.

For that reason we in the Anaconda development team feel like it's a
good time to finally drop the "Allow SSH root login with password"
from the Anaconda GUI.

== Feedback ==
* it has been suggested to keep the "Allow SSH root login with
password" available per Fedora variant (e.g. for Fedora Server, etc.) -
this is doable at the cost of some code complexity and we can consider
doing that if there is enough demand & confirmation the given SiG is
OK with it
* it has been suggested that making it easier to import SSH keys from
popular code hosting platforms (Pagure, GitHub, GitLab, etc.) could
provide a nice alternative to the dropped option - this seems like a
nice idea, but it's unclear if any Anaconda team members will have
time to work on this before F35 release; on the other hand, (good)
patches welcome! :)

== Benefit to Fedora ==
This change makes the Fedora systems installed by Anaconda more secure
from remote password guessing attacks targeting the root account as it
would no longer be possible to configure a system that allows root to
login via SSH with password.

A smaller benefit is making the root password configuration screen
less confusing by removing the "Allow SSH root login with password" &
Anaconda code cleanup related removing code related to setting up the
override in sshd.

== Scope ==
* Proposal owners:
Remove the "Allow SSH root login with password" and any related
backend code that configures the sshd override.

* Other developers:
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==

== How To Test ==
Boot a Fedora netinst image, enter the root password configuration
screen. Check that "Allow SSH root login with password" option is not
present.

== User Experience ==
The users will no longer be able to use the unsecure "Allow SSH root
login with password" option on the root password configuration screen
of the installer and the root password configuration screen will be a
bit cleaner.

== Dependencies ==

== Contingency Plan ==
Revert the commit that removes the "Allow SSH root login with
password" option and do a new Anaconda build.

* Contingency mechanism: (What to do? Who will do it?) N/A (not a
System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A

== Documentation ==
Original change that resulted in the "Allow SSH root login with
password" to be added:
https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd

A workaround for kickstart users that still need to enable password
based root login over SSH for some reason:
https://anaco