Bug 201794

Summary: Warn via Logwatch when sshd PermitRootLogin is in effect
Product: [Fedora] Fedora Reporter: Don Russell <fedora>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED UPSTREAM QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: mattdm
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-09 03:04:56 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Don Russell 2006-08-08 17:09:33 EDT
Description of problem:
sshd allows root login by default. (/etc/ssh/sshd_config)
PermitRootLogin yes

When this is the case, I would like a new option to cause a warning that
Logwatch, perhaps:

PermitRootLoginWarn yes

If RootLogin is permitted by default, thewarning shuld be produced by default too.

Then sysadmins may either turn off the warning, or disallow root login. (or get
nagged daily :-) )


Version-Release number of selected component (if applicable):
4.3p2-4

How reproducible:
not applicable - enhancement request

Steps to Reproduce:
1. not applicable - enhancement request
2.
3.
  
Actual results:
currently a system has this exposure, and no warnings are produced.


Expected results:
Desired results: a warning in the Logwatch (SSHD section) so an informed
decision is made... yes, allow that; no, turn it off.

Additional info:

For various reasons it seems allowing root acess by default is desirable...
that's fine.... I'm not asking to change the default. But it would be beneficial
to bring that little gem to sysadmins' attention by including a warning in the
Logwatch report.

I would like to see something in my Logwatch report (SSHD section) like:
Warning: root access is allowed via ssh. Ref /etc/ssh/sshd_config

Then obviously the proper action can be taken:
1 - turn off the warning (yes, I know, I want that)
2 - deny root logon (say what?! Thanks for telling me, I'll stop that right now)

:-)
Comment 1 Tomas Mraz 2006-08-09 03:04:56 EDT
1. This feature is nice to have however I don't think this is a feature we must
have otherwise we are not enough secure or that this functionality is really
required for ssh to work properly.

2. We try to keep as close to upstream as possible.

Given 1. and 2., could you please report this enhancement request to upstream
bugzilla.mindrot.org.

Also there is no need for another configuration option as there could be another
value 'warn' for the existing PermitRootLogin option which would be assigned by
default.
Comment 2 Don Russell 2006-08-09 12:40:02 EDT
Bug/rfe created upstream...
Ref. http://bugzilla.mindrot.org/show_bug.cgi?id=1216

Thanks