Re: SSH after upgrade
On Mon, 07 Oct 2019 15:25:28 +0200 Jakub Jelen wrote: > On Mon, 2019-10-07 at 14:13 +0200, Marko Vojinovic wrote: > > On Mon, 07 Oct 2019 10:38:32 +0200 > > Can you please elaborate what were the "many practical reasons" that > > prevented this from being changed for the last 5 years? And why are > > they not equally practical now? > > Mostly the unwillingness of people who were used to use root accounts > in Fedora and not enough alternatives how to override or set up > alternative during installation. > > The initial change was half-baked proposed 5 years ago: > > https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no Yes, that's what I remember being proposed, and eventually rejected. There were long discussions of this on various mailing lists. I mostly remember this one: https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html but there were others as well... > but never accepted by FeSCO (note sure if it was even proposed) and > started long discussions on mailing lists as linked from there. > > Since then, we did not change the value to "no", but we disabled only > the password logins, we added a simple way how to override this in > anaconda installer and there are simple ways how to override it in > kickstarts or add a public ssh keys to authorized_keys files. I see, so there indeed were some technical improvements, to anaconda and kickstart, that circumvented the issues people had back then. That is what I was looking for --- the technical upgrades that made changing the default a viable proposal. I'll read up on those in more detail. > I think it was mostly testing and scratch boxes that needed root > logins (specific use cases), making sure that there is some other > account that is allowed to login after installation (installation > problems). But I think I did not manage to read that thread this year > again. I just re-read the discussion on the devel list from 2014. And yes, the main complaint was that some people were deploying headless VM/test systems where they didn't want to create a non-root user. Changing the default would break a bunch of their existing kickstart scripts... Another scenario that was mentioned by someone was that if /home were network-mounted, and the network would fail, it would leave the system inaccessible via ssh. > 5 years ago, there were no simple workarounds for the installation. > Even this year, the agreement was not really smooth and updating > installer was one of the requirements for the change to be approved: > > https://pagure.io/fesco/issue/2133 I see, so it was an uphill battle even this time around. But this time it was finally won! Congratulations! :-) > This change request is in Fedora actually for more than 15 years: > > https://bugzilla.redhat.com/show_bug.cgi?id=89216 > > Back in that time, this was not default even in upstream and many > people were using root accounts. Oh, wow, unbelievable, reported on 2003-04-21 !!! So this issue is even older than Fedora itself --- from the days of Red Hat 9 (Shrike) all the way to Fedora 31... I thought this was first raised in 2015, had no idea it is as old as 2003... > I think that over the years, the security practices shifted to better > solutions, people learned to use normal users, sudo and ssh keys, > which allowed us to do this finally. Originally the change would be a > surprise for users, but recently, people were surprised by the root > login allowed in Fedora, which also started to be dangerous. So essentially it was a psychological thing --- it took all this time just to change people's minds about this, re-educate them, and wait until they change their practices of remotely logging in as root. With a couple of technical modifications to anaconda and kickstart. This is the info I was looking for, thanks a lot! :-) But I'm still amazed... A security bug/rfe from 2003, closed in 2019... Just wow... Thanks, :-) Marko ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On Mon, 2019-10-07 at 14:13 +0200, Marko Vojinovic wrote: > On Mon, 07 Oct 2019 10:38:32 +0200 > Jakub Jelen wrote: > > > On Mon, 2019-10-07 at 02:53 +0200, Marko Vojinovic wrote: > > > On Mon, 7 Oct 2019 10:21:03 +1100 > > > Cameron Simpson wrote: > > > > On 07Oct2019 01:00, Marko Vojinovic wrote: > > > > > On Sun, 06 Oct 2019 18:05:02 +0200 > > > > > alcir...@gmail.com wrote: > > > > > > It could it be related to this change: > > > > > > https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH > > > > > > > > > > As a side question --- I remember that this was the default > > > > > for > > > > > upstream OpenSSH since 2015, but was not adopted in Fedora > > > > > because > > > > > people who install Fedora on headless machines (or remotely) > > > > > would > > > > > have no other way of logging in after initial installation. > > > > > So > > > > > why > > > > > the change of heart now, what happened to the headless login > > > > > issue? > > > > > > > > Because one can generally set up a normal user, log in as them, > > > > then > > > > su or sudo. > > > > > > Was this not possible back in 2015? > > > > > > I guess I am asking what technically changed between then and > > > now, > > > so that we didn't block root back then and we are doing it now? > > > > Please, read the whole fedora change page. It answers all your > > questions. > > Well, the relevant sentence from the change page says: > > "Fedora was for many practical reasons keeping the old configuration > since then, but the difference is no longer bearable" > > Can you please elaborate what were the "many practical reasons" that > prevented this from being changed for the last 5 years? And why are > they not equally practical now? Mostly the unwillingness of people who were used to use root accounts in Fedora and not enough alternatives how to override or set up alternative during installation. The initial change was half-baked proposed 5 years ago: https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no but never accepted by FeSCO (note sure if it was even proposed) and started long discussions on mailing lists as linked from there. Since then, we did not change the value to "no", but we disabled only the password logins, we added a simple way how to override this in anaconda installer and there are simple ways how to override it in kickstarts or add a public ssh keys to authorized_keys files. > Don't get me wrong, I fully support this change, disabling ssh root > login is the very first thing I do every time I install a new system. > And each time I ask myself why on earth isn't this the default, but I > sort-of remember (from various discussions on this mailing list back > in > 2015 or so) that people had good reasons to keep it that way. I think it was mostly testing and scratch boxes that needed root logins (specific use cases), making sure that there is some other account that is allowed to login after installation (installation problems). But I think I did not manage to read that thread this year again. > And now > that I see the default is going to be changed, I'm curious what were > those reasons and what happened to them --- how come they were > good enough for the last five years, and are not good enough now? 5 years ago, there were no simple workarounds for the installation. Even this year, the agreement was not really smooth and updating installer was one of the requirements for the change to be approved: https://pagure.io/fesco/issue/2133 This change request is in Fedora actually for more than 15 years: https://bugzilla.redhat.com/show_bug.cgi?id=89216 Back in that time, this was not default even in upstream and many people were using root accounts. > What > changed? Or else, why wasn't this done already back in 2015? I think that over the years, the security practices shifted to better solutions, people learned to use normal users, sudo and ssh keys, which allowed us to do this finally. Originally the change would be a surprise for users, but recently, people were surprised by the root login allowed in Fedora, which also started to be dangerous. Regards, Jakub > Best, :-) > Marko > > > > > ___ > users mailing list -- users@lists.fedoraproject.org > To unsubscribe send an email to users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org -- Jakub Jelen Senior Software Engineer Security Technologies Red Hat, Inc. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:
Re: SSH after upgrade
On Mon, 07 Oct 2019 10:38:32 +0200 Jakub Jelen wrote: > On Mon, 2019-10-07 at 02:53 +0200, Marko Vojinovic wrote: > > On Mon, 7 Oct 2019 10:21:03 +1100 > > Cameron Simpson wrote: > > > On 07Oct2019 01:00, Marko Vojinovic wrote: > > > > On Sun, 06 Oct 2019 18:05:02 +0200 > > > > alcir...@gmail.com wrote: > > > > > It could it be related to this change: > > > > > https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH > > > > > > > > As a side question --- I remember that this was the default for > > > > upstream OpenSSH since 2015, but was not adopted in Fedora > > > > because > > > > people who install Fedora on headless machines (or remotely) > > > > would > > > > have no other way of logging in after initial installation. So > > > > why > > > > the change of heart now, what happened to the headless login > > > > issue? > > > > > > Because one can generally set up a normal user, log in as them, > > > then > > > su or sudo. > > > > Was this not possible back in 2015? > > > > I guess I am asking what technically changed between then and now, > > so that we didn't block root back then and we are doing it now? > > Please, read the whole fedora change page. It answers all your > questions. Well, the relevant sentence from the change page says: "Fedora was for many practical reasons keeping the old configuration since then, but the difference is no longer bearable" Can you please elaborate what were the "many practical reasons" that prevented this from being changed for the last 5 years? And why are they not equally practical now? Don't get me wrong, I fully support this change, disabling ssh root login is the very first thing I do every time I install a new system. And each time I ask myself why on earth isn't this the default, but I sort-of remember (from various discussions on this mailing list back in 2015 or so) that people had good reasons to keep it that way. And now that I see the default is going to be changed, I'm curious what were those reasons and what happened to them --- how come they were good enough for the last five years, and are not good enough now? What changed? Or else, why wasn't this done already back in 2015? Best, :-) Marko ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On Mon, 2019-10-07 at 02:53 +0200, Marko Vojinovic wrote: > On Mon, 7 Oct 2019 10:21:03 +1100 > Cameron Simpson wrote: > > > On 07Oct2019 01:00, Marko Vojinovic wrote: > > > On Sun, 06 Oct 2019 18:05:02 +0200 > > > alcir...@gmail.com wrote: > > > > It could it be related to this change: > > > > https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH > > > > > > As a side question --- I remember that this was the default for > > > upstream OpenSSH since 2015, but was not adopted in Fedora > > > because > > > people who install Fedora on headless machines (or remotely) > > > would > > > have no other way of logging in after initial installation. So > > > why > > > the change of heart now, what happened to the headless login > > > issue? > > > > Because one can generally set up a normal user, log in as them, > > then > > su or sudo. > > Was this not possible back in 2015? > > I guess I am asking what technically changed between then and now, so > that we didn't block root back then and we are doing it now? Please, read the whole fedora change page. It answers all your questions. You can always install public keys for root during kickstart (it might not have been that easy before) or allow password root logins from Anaconda (which is new feature in F31). Regards, -- Jakub Jelen Senior Software Engineer Security Technologies Red Hat, Inc. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On Mon, 7 Oct 2019 10:21:03 +1100 Cameron Simpson wrote: > On 07Oct2019 01:00, Marko Vojinovic wrote: > >On Sun, 06 Oct 2019 18:05:02 +0200 > >alcir...@gmail.com wrote: > >> It could it be related to this change: > >> https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH > > > >As a side question --- I remember that this was the default for > >upstream OpenSSH since 2015, but was not adopted in Fedora because > >people who install Fedora on headless machines (or remotely) would > >have no other way of logging in after initial installation. So why > >the change of heart now, what happened to the headless login issue? > > Because one can generally set up a normal user, log in as them, then > su or sudo. Was this not possible back in 2015? I guess I am asking what technically changed between then and now, so that we didn't block root back then and we are doing it now? Best, :-) Marko ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On 07Oct2019 01:00, Marko Vojinovic wrote: On Sun, 06 Oct 2019 18:05:02 +0200 alcir...@gmail.com wrote: It could it be related to this change: https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH As a side question --- I remember that this was the default for upstream OpenSSH since 2015, but was not adopted in Fedora because people who install Fedora on headless machines (or remotely) would have no other way of logging in after initial installation. So why the change of heart now, what happened to the headless login issue? Because one can generally set up a normal user, log in as them, then su or sudo. IMO it is nuts to allow direct root login to your machine as root, let alone as root-via-password. Just asking to be hacked. And yes I've got a number of headless machines. Cheers, Cameron Simpson ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On Sun, 06 Oct 2019 18:05:02 +0200 alcir...@gmail.com wrote: > On Sun, 2019-10-06 at 10:46 -0500, Mike Chambers wrote: > > Upgraded server from Fedora 30 to 31 (updated to present), and ssh > > into > > that server works fine as normal user, but no longer lets me login > > as root. I can login as root from the server machine itself, and > > can login via su - but just cant' from ssh. > > > > Any ideas what changed or got replaced so revert it back? > > It could it be related to this change: > https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH As a side question --- I remember that this was the default for upstream OpenSSH since 2015, but was not adopted in Fedora because people who install Fedora on headless machines (or remotely) would have no other way of logging in after initial installation. So why the change of heart now, what happened to the headless login issue? Best, :-) Marko ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On Sun, 6 Oct 2019 at 13:05, wrote: > On Sun, 2019-10-06 at 10:46 -0500, Mike Chambers wrote: > > Upgraded server from Fedora 30 to 31 (updated to present), and ssh > > into > > that server works fine as normal user, but no longer lets me login as > > root. I can login as root from the server machine itself, and can > > login via su - but just cant' from ssh. > > > > Any ideas what changed or got replaced so revert it back? > > It could it be related to this change: > > https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH > > In the past, for other distros, the setting to disable root login was `PermitRootLogin no` in `/etc/ssh/sshd_config` -- George N. White III ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On Sun, 2019-10-06 at 10:46 -0500, Mike Chambers wrote: > Upgraded server from Fedora 30 to 31 (updated to present), and ssh into > that server works fine as normal user, but no longer lets me login as > root. I can login as root from the server machine itself, and can > login via su - but just cant' from ssh. > > Any ideas what changed or got replaced so revert it back? F31 is unreleased software. Questions should be addressed to the Fedora Test list. poc ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: SSH after upgrade
On Sun, 2019-10-06 at 10:46 -0500, Mike Chambers wrote: > Upgraded server from Fedora 30 to 31 (updated to present), and ssh > into > that server works fine as normal user, but no longer lets me login as > root. I can login as root from the server machine itself, and can > login via su - but just cant' from ssh. > > Any ideas what changed or got replaced so revert it back? It could it be related to this change: https://fedoraproject.org/wiki/Releases/31/ChangeSet#Disable_Root_Password_Login_in_SSH Ciao, A. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
