From Fedora Project Wiki
(Initial commit)
 
m (Correct the BZ link)
 
(10 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
== Summary ==
 
== Summary ==
 
The upstream OpenSSH disabled password logins for root back in 2015. The Fedora should follow to keep security expectation and avoid users surprises with this configuration.
 
The upstream OpenSSH disabled password logins for root back in 2015. The Fedora should follow to keep security expectation and avoid users surprises with this configuration.
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release.
 
Note that motivation for the change should be in the Motivation section below, and this part should answer the question "What?" rather than "Why?". -->
 
  
 
== Owner ==
 
== Owner ==
<!--
 
For change proposals to qualify as self-contained, owners of all affected packages need to be included here. Alternatively, a SIG can be listed as an owner if it owns all affected packages.
 
This should link to your home wiki page so we know who you are.
 
-->
 
 
* Name: [[User:jjelen| Jakub Jelen]], OpenSSH maintainer
 
* Name: [[User:jjelen| Jakub Jelen]], OpenSSH maintainer
 
* Email: jjelen@redhat.com
 
* Email: jjelen@redhat.com
Line 33: Line 27:
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
-->
 
-->
* Tracker bug: <will be assigned by the Wrangler>
+
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1722928 #1722928]
 +
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/351 #351]
  
 
== Detailed Description ==
 
== Detailed Description ==
  
The OpenSSH server configuration contains a configuration option PermitRootLogin, which controls whether the root user is allowed to login using passwords or using public key authentication. The root login is target of most of the random or targeted attack on Linux systems and password is usually the weakest part. For that reason, the upstream OpenSSH changed this option in 2015 to `prohibit-password`, which still allows public-key authentication, but prevents the password logins. Fedora was for many practical reasons keeping the old configuration since then, but the difference is no longer bearable and might confuse users expecting the root logins will not be enabled out of the box.
+
The OpenSSH server configuration contains a configuration option `PermitRootLogin`, which controls whether the root user is allowed to login using passwords or using public key authentication. The root login is target of most of the random or targeted attack on Linux systems and password is usually the weakest part. For that reason, the upstream OpenSSH changed this option in 2015 to `prohibit-password`, which still allows public-key authentication, but prevents the password logins. Fedora was for many practical reasons keeping the old configuration since then, but the difference is no longer bearable and might confuse users expecting the root logins will not be enabled out of the box.
  
 
On the other hand, there is still a lot of infrastructure, installers and test instances that simply might depend on this configuration and therefore this change needs to go through the system-wide change so everyone is onboard.
 
On the other hand, there is still a lot of infrastructure, installers and test instances that simply might depend on this configuration and therefore this change needs to go through the system-wide change so everyone is onboard.
Line 46: Line 41:
  
 
== Scope ==
 
== Scope ==
* Proposal owners: Modify the default shipped sshd configuration in sshd_config to no longer include the PermitRootLogin yes option and advertise this change throughout Fedora.
+
* Proposal owners: Modify the default shipped sshd configuration in `sshd_config` to no longer include the `PermitRootLogin yes` option and advertise this change throughout Fedora.
 
 
 
* Other developers: Make sure their workflow does not include logging in as a root to ssh, otherwise modify that workflow
 
* Other developers: Make sure their workflow does not include logging in as a root to ssh, otherwise modify that workflow
 
+
** Anaconda installer proposed modifications
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
+
*** The kickstarts already support installing ssh authorized keys for root or other users
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.
+
*** (must) The graphical installer will be modified to allow enabling the PermitRootLogin sshd option when desirable:  https://bugzilla.redhat.com/show_bug.cgi?id=1716282
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
+
*** (optional) Graphical installer will have a way to pull authorized_keys from github/other http server: https://bugzilla.redhat.com/show_bug.cgi?id=1716551
** [[Fedora_Program_Management/ReleaseBlocking/Fedora31|List of deliverables]]: N/A (there is no such list) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Release engineering: [https://pagure.io/releng/issues/8342]
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
+
** [[Fedora_Program_Management/ReleaseBlocking/Fedora31|List of deliverables]]: N/A (there is no such list)
  
 
* Policies and guidelines: none  
 
* Policies and guidelines: none  
Line 60: Line 54:
  
 
== Upgrade/compatibility impact ==
 
== Upgrade/compatibility impact ==
The updates of previously-modified sshd_config will not be affected and create a .rpmnew configuration file.
+
The updates of previously-modified `sshd_config` will not be affected and create a `.rpmnew` configuration file.
 +
 
 +
The updates of default `sshd_config` will be updated and the modification needs to be listed in release notes to prevent surprises.
 +
 
 +
If your `kickstarts` or `cloud-init` scripts required password root logins, you should consider moving to public key authentication (by storing your public key in the initialized system) or creating a different administrative users
  
The updates of default sshd_config will be updated and the modification needs to be listed in release notes to prevent surprises.
+
* [https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html?highlight=ssh#sshkey Installing public key to authorized kyes in pykickstart]
  
 
== How To Test ==
 
== How To Test ==
  
* Make sure you have root user with password and you can login to this user using su
+
* Make sure you have root user with password and you can login to this user using `su`
* Make sure the sshd_config does not contain PermitRootLogin yes option
+
* Make sure the sshd_config does not contain `PermitRootLogin yes` option
* Restart sshd service: systemctl restart sshd
+
* Restart sshd service: `systemctl restart sshd`
* Try to connect to root user: ssh -oPreferredAuthentications=password root@localhost
+
* Try to connect to root user: `ssh -oPreferredAuthentications=password root@localhost`
 
* Should fail
 
* Should fail
  
Line 96: Line 94:
  
  
[[Category:ChangePageIncomplete]]
+
[[Category:ChangeAcceptedF31]]
<!-- When your change proposal page is completed and ready for review and announcement -->
 
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
 
 
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
 
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
 
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
 
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
  
 
[[Category:SystemWideChange]]
 
[[Category:SystemWideChange]]

Latest revision as of 17:23, 22 July 2019

Disable Root Password Login in SSH

Summary

The upstream OpenSSH disabled password logins for root back in 2015. The Fedora should follow to keep security expectation and avoid users surprises with this configuration.

Owner

  • Name: Jakub Jelen, OpenSSH maintainer
  • Email: jjelen@redhat.com
  • Release notes owner:

Current status

Detailed Description

The OpenSSH server configuration contains a configuration option PermitRootLogin, which controls whether the root user is allowed to login using passwords or using public key authentication. The root login is target of most of the random or targeted attack on Linux systems and password is usually the weakest part. For that reason, the upstream OpenSSH changed this option in 2015 to prohibit-password, which still allows public-key authentication, but prevents the password logins. Fedora was for many practical reasons keeping the old configuration since then, but the difference is no longer bearable and might confuse users expecting the root logins will not be enabled out of the box.

On the other hand, there is still a lot of infrastructure, installers and test instances that simply might depend on this configuration and therefore this change needs to go through the system-wide change so everyone is onboard.

Benefit to Fedora

This will provide more secure Fedora installations out of the box and prevent inadvertently accessible root logins in the wild.

Scope

  • Proposal owners: Modify the default shipped sshd configuration in sshd_config to no longer include the PermitRootLogin yes option and advertise this change throughout Fedora.
  • Other developers: Make sure their workflow does not include logging in as a root to ssh, otherwise modify that workflow
  • Release engineering: [1]
  • Policies and guidelines: none
  • Trademark approval: none

Upgrade/compatibility impact

The updates of previously-modified sshd_config will not be affected and create a .rpmnew configuration file.

The updates of default sshd_config will be updated and the modification needs to be listed in release notes to prevent surprises.

If your kickstarts or cloud-init scripts required password root logins, you should consider moving to public key authentication (by storing your public key in the initialized system) or creating a different administrative users

How To Test

  • Make sure you have root user with password and you can login to this user using su
  • Make sure the sshd_config does not contain PermitRootLogin yes option
  • Restart sshd service: systemctl restart sshd
  • Try to connect to root user: ssh -oPreferredAuthentications=password root@localhost
  • Should fail

Other authentication methods (publickey, gssapi should not be affected)

User Experience

Nothing in production should really depend on root password logins in 2019. If it does, it is the time to change that (or explicitly allow it on the affected systems).

Dependencies

Installer and kickstarts depending on this functionality.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) Maintainer will revert the change to sshd_config if needed.
  • Contingency deadline: Beta freeze
  • Blocks release? no
  • Blocks product? no

Documentation

OpenSSH in Fedora 31 does not allow root logins using passwords by default.

Upstream release notes: http://www.openssh.com/txt/release-7.0

Release Notes

OpenSSH in Fedora 31 does not allow root logins using passwords by default.