Bug 600768

Summary: sshd is running during kickstart install and there is no root password
Product: [Fedora] Fedora
Reporter: François Cami <fdc>
Component: anaconda
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 13
CC: bcl, drjohnson1, edgar.hoch, fdc, pspencer, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 600765
Last Closed: 2010-06-07 14:16:25 UTC
Attachments: kickstart to host to a server. (Flags: none)

Description François Cami 2010-06-05 22:58:35 UTC
Created attachment 421512
kickstart to host to a server.

+++ This bug was initially created as a clone of Bug #600765 +++

Description of problem:
When doing a kickstart install, sshd is running and there is no root password, allowing unauthorized entry to the system during installation.

Version-Release number of selected component (if applicable):
Packages from Fedora 13 x86_64 GA

How reproducible:
Always

Steps to Reproduce:
1. Host an appropriate kickstart file (see attachment) via http on ksserver.example.com
2. Create a KVM virtual machine and boot it from the Fedora 13 x86_64 netinstall iso, add ks=http://ksserver.example.com/ks.filename to the installer CLI
4. When the installer has reached the package install stage, send CTRL+ALT+F2 to the VM and run ifconfig to get the VM's IP (vmIP)
5. Use a terminal on another host to run:
 $ ssh root@vmIP
  
Actual results:
$ ssh root@192.168.1.112
The authenticity of host '192.168.1.112 (192.168.1.112)' can't be established.
RSA key fingerprint is 63:8a:cf:54:e3:35:e8:c5:da:f4:56:a5:e1:07:1b:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.112' (RSA) to the list of known hosts.
-bash-4.1#

Expected results:
Connection refused or a password prompt?

Additional info:
Dennis Johnson found that bug on F13.

Comment 1 Chris Lumens 2010-06-06 01:03:13 UTC
No need to CC me.  I watch anaconda-maint-list.

Comment 2 Chris Lumens 2010-06-07 14:16:25 UTC
This is fixed in rawhide, but it's too late for F13.

Comment 3 Edgar Hoch 2010-07-18 17:36:57 UTC
Is there a workaround during kickstart install to either stop (or don't start) sshd or ensure that a password (the one supplied by "rootpw" in the kickstart file) is required? It is a security risk to do installations with an open sshd.

Is it possible to do this with an updates image?

Thanks in advance!

Comment 4 Brian Lane 2010-07-18 17:50:18 UTC
Pass sshd=0 on the kernel cmdline to disable sshd during the install.

Comment 5 Philip Spencer 2010-07-30 02:43:54 UTC
That does not work. And somebody should change the release FAQs, because there too it mistakenly says that you can pass sshd=0 on the kernel command line. That may work in rawhide or errata versions of anaconda, but not for the Fedora 13 release version.

Passing sshd=0 on the kernel command line does NOT work, because it is interpreted as the string '0' not the integer 0, and as a result python evaluates it as true not false.

What does work, though, is to pass sshd= on the kernel command line. This assigns the empty string to the sshd flag and then python treats it as false.
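
The truthiness problem described in Comment 5, as an added example that is not anaconda's code and not part of the original report. The function names, the accepted spellings and the `default` parameter are assumptions made for the illustration.

```python
# Added illustration of the boot-flag truthiness bug; hypothetical names,
# not taken from anaconda.

def parse_cmdline(cmdline):
    """Split a kernel command line into {key: value}.
    'key=value' -> value, 'key=' -> '', bare 'key' -> None."""
    args = {}
    for word in cmdline.split():
        key, sep, value = word.partition("=")
        args[key] = value if sep else None
    return args

def sshd_enabled_naive(cmdline, default=False):
    """Flawed pattern: the raw string's truthiness decides the flag.
    '0' is a non-empty string, so bool('0') is True; only '' is False."""
    args = parse_cmdline(cmdline)
    return bool(args.get("sshd", default))

# Assumed spellings for an explicit boolean value.
_FALSE = {"", "0", "no", "off", "false"}
_TRUE = {"1", "yes", "on", "true"}

def sshd_enabled_strict(cmdline, default=False):
    """Hardened pattern: compare against explicit values and keep the
    service off when the value is not recognised (fail closed)."""
    args = parse_cmdline(cmdline)
    if "sshd" not in args:
        return default
    value = args["sshd"]
    if value is None:          # bare 'sshd' with no '=' requests the service
        return True
    value = value.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    return False               # unknown value: do not start a network service

if __name__ == "__main__":
    # Constructed sample command lines, using the ks= URL from the report.
    base = "ks=http://ksserver.example.com/ks.filename "
    for tail in ("sshd=0", "sshd=", "sshd=1", "sshd=maybe"):
        line = base + tail
        print(tail, sshd_enabled_naive(line), sshd_enabled_strict(line))
```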

Comment 6 François Cami 2010-07-30 07:23:59 UTC
I've updated
https://fedoraproject.org/wiki/Common_F13_bugs 

Thanks.