Bug 1425285

Summary: sshd_config PermitRootLogin yes enabled by default
Product: [Fedora] Fedora
Reporter: bugazi
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 25
CC: bugazi, jjelen, mattias.ellert, mgrepl, plautrba, tmraz
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2017-02-21 08:32:40 UTC
Type: Bug

Description bugazi 2017-02-21 05:29:40 UTC
Description of problem: Post clean install of Fedora 25 via live USB, /etc/ssh/sshd_config file contains the following line (uncommented)

PermitRootLogin yes


Version-Release number of selected component (if applicable): OpenSSH 7.3pl
OpenSSL 1.0.2j-fips


How reproducible: I have reformatted/reinstalled thrice with same results


Steps to Reproduce:
1. Boot via live USB
2. Install to hard drive (automatic partitioning)
3. Reboot, sudo vi /etc/ssh/sshd_config

Actual results: line 46 of file is: PermitRootLogin yes


Expected results: PermitRootLogin no


Additional info: I verified SHA256 post ISO download successfully

Comment 1 Jakub Jelen 2017-02-21 08:32:40 UTC
TL;DR: Not a bug. It is intentional.

Related bug from 2003:

https://bugzilla.redhat.com/show_bug.cgi?id=89216

Related Fedora Change draft, that was never completed:

https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

There are various pros of this setup, but cons are still automated setups without any other user created, which will cut users off. Also not all use cases require different users, but a root (IPA, testing, local network, ...). Interesting thread to read, which demonstrates why that is so:

https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html

This is still more for discussion on the mailing list, with FESCo or the Fedora Security Team, if we would like to change that.

*** This bug has been marked as a duplicate of bug 89216 ***
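
Added example (not part of the bug report and not OpenSSH or Fedora code): a Python check that reports the effective PermitRootLogin value for an sshd_config like the one described in this report. It assumes sshd's first-value-wins rule per keyword and the upstream default of prohibit-password (OpenSSH 7.0 and later) when the keyword is absent; the function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption: upstream compiled-in default since OpenSSH 7.0, unpatched by the distro.
UPSTREAM_DEFAULT = "prohibit-password"

# "Keyword value" or "Keyword=value"; sshd accepts both delimiters.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample modelled on the report, not a real host's file.
SAMPLE = """\
# Constructed sample for this example
#PermitRootLogin prohibit-password
Port 22
PermitRootLogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""

def audit_permit_root_login(config_text, default=UPSTREAM_DEFAULT):
    """Return the global setting and any Match-block overrides.

    Keywords are case-insensitive, '#' lines are comments, and the first
    value seen in a scope wins. Include directives are not followed.
    """
    scope = None   # None = global section, otherwise the Match criteria
    found = {}     # scope -> (value, line_no)
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, rest = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = rest
        elif keyword == "permitrootlogin" and rest and scope not in found:
            found[scope] = (rest.split()[0].strip('"').lower(), line_no)
    global_value = found.pop(None, (default, None))
    overrides = [(crit, v, n) for crit, (v, n) in found.items()]
    return {"global": global_value, "match": overrides}

def root_password_login_allowed(value):
    """Only 'yes' lets root authenticate with a password."""
    return value == "yes"

if __name__ == "__main__":
    print(audit_permit_root_login(SAMPLE))
```

On a live host, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check.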