Bug 703917

Summary: Unauthenticated remote network login during install
Product: Red Hat Enterprise Linux 5
Reporter: Philip Rowlands <phr>
Component: anaconda
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED WONTFIX
QA Contact: Release Test Team <release-test-team>
Severity: unspecified
Priority: unspecified
Version: 5.6
Target Milestone: rc
Target Release: ---
Hardware: s390
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-05-18 19:42:29 UTC

Description Philip Rowlands 2011-05-11 16:24:54 UTC
During RHEL s390 installs, unauthenticated root access is provided over the network via telnet (xinetd) and ssh (sshd). For interactive installs this access is required for the first and second stage installer dialogs.

However, during unattended kickstart installations (where RUNKS=1 is specified), the ability to log in as root with no password is a potential security hole.

Suggested fix is to extend RUNKS or add a new variable to support the notion of "kickstart without network login".

Comment 1 David Cantrell 2011-05-18 19:42:29 UTC
It's too late in the RHEL-5 development cycle to introduce a change like this.  We should address this first in Fedora, then a backport to the RHEL code can be determined.

Comment 2 Philip Rowlands 2011-05-27 12:25:37 UTC
RHEL 5 is in the "Production 1" phase of the Life Cycle, but "qualified security errata" are issued even into "Production 3". 

If unauthenticated root login over the network isn't an important security issue, I don't know what is...