Description of problem:
Please read my rant and discussion about this in the link above. When I installed fc3t3 I noticed that ssh was enabled by default. You may think that it's not a big problem because the firewall is also enabled, but if you read the thread I linked to you will have several examples where the firewall being enabled doesn't save the newbies.

Can someone please explain why such a security risk is enabled? You (the developers) did not even disable remote root login. If you somehow deem it to not be a security risk, it is a service that just wastes resources by being. Isn't it good policy to disable services you aren't using?

Before you post your rebuttals, please read this thread where the community discussed the matter: http://www.fedoraforum.org/forum/showthread.php?t=25041

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Choose custom install (haven't tested on the other methods)
2. Check services after complete install
3. Be distressed that sshd is enabled

Actual results:
Was distressed to find sshd enabled

Expected results:
A secure system that only has the necessary services running

Additional info:
I am certain this problem started long before fc3t3, but that's when I noticed it because I was searching for bugs.

> Can someone please explain why such a security risk is enabled? You
> (the developers) did not even disable remote root login.

Keep in mind that it's possible to run Anaconda remotely (i.e. miles away from the computer that's actually being installed). In that case, if sshd is disabled by default then there's no way to enable sshd (or to do *anything* else administratively once the installer finishes). If remote root logins are disabled, there's no way to create a non-root account, nor configure NIS and get a non-root account that way.

So, sshd can't just be disabled by default on all installs. Perhaps, as some have suggested in the discussion thread you linked to, there needs to be another screen in anaconda for configuring this.

Actually, I just realized that it may only need to be a single "Allow remote login" checkbox, rather than being a full screen of its own. (Or maybe two checkboxes, "Allow remote login" and "allow remote root login".)

Bear with me...

Let me get this straight. It's enabled by default so someone can do a remote install, but the firewall blocks port 22 by default. So isn't remote access disabled already?

Are you assuming the advanced users, who are doing remote installs, know to open ssh during the firewall config section of anaconda? If that is the case, then shouldn't the sshd service be enabled only if they choose to open the ssh ports, or there should be a page to configure services before the firewall page. Or perhaps the service configuration page should be on the firstboot program.

Anaconda should be configured to protect the newbie, not aid the already knowledgeable admin. A lot of newbies will disable the firewall so they don't have to deal with two firewalls if they have a router to share their internet connection. Plus, many have poorly secured wifi networks that anyone could break into to steal bandwidth, and with sshd enabled their data could be stolen. This is unlikely to result in a compromise, but we cannot base security on probability.

Having check boxes to enable sshd is a good start, but it only treats the immediate problem. Having a page to configure all services would be best. As suggested in the thread I linked to, it should be a page that newbies don't have to deal with. Perhaps an "Advanced Setup" page or series of pages. This would be beneficial to those using kickstart files because they usually have to manually configure the services after installation, which defeats the purpose of automatic configuration. (I have not used kickstart, so it may already be possible to configure other options that are not done through anaconda.)

(Slightly off topic) Apart from security, this would help Fedora be more lean. Many complain that a default Fedora setup runs much slower than other distros. Fedora shouldn't enable about 30% of the services it currently does.

> Let me get this straight. It's enabled by default so someone can do a
> remote install, but the firewall blocks port 22 by default. So isn't
> remote access disabled already?
>
> Are you assuming the advanced users, who are doing remote installs,
> know to open ssh during the firewall config section of anaconda?

Either open ssh or disable the firewall altogether (depending on the circumstances, etc.), yes. (When you're running anaconda remotely, and you're not using kickstart, you still get to see and interact with all the dialog boxes that you get when you're installing locally.)

> If
> that is the case, then shouldn't the sshd service be enabled only if
> they choose to open the ssh ports, or there should be a page to
> configure services before the firewall page. Or perhaps the service
> configuration page should be on the firstboot program.

There are some situations where you might need ssh enabled with the firewall disabled, but I guess it'd be OK (it would be OK with me anyway) to require admins to enable the firewall, allow SSH, and then manually disable/replace/whatever the firewall over SSH after rebooting into the installed system.

FWIW there's already a config tool for enabling/disabling services (system-config-services). I guess a page for it could be added to firstboot, although anyone who really needs it should be able to run it after firstboot themselves, as far as I can see. (IOW I'm suggesting that there should be something more basic for handling SSH, whether it's automatically enabling/disabling it based on the firewall setting, or adding a separate SSH checkbox somewhere in anaconda or firstboot.)

We have to support headless installs, so there would have to be some way to enable sshd in anaconda. As the dependency bug was closed without a fix, I have to close this one too. The firewall is on by default, and a user who is clueless enough to enable access to sshd on the firewall and have a weak root password will surely find other ways to make his machine vulnerable to attacks anyway.
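
The three settings this thread argues over (remote root login, password authentication, and whether the firewall passes the ssh port) can be checked together on an installed system. The following is an added example, not code from any commenter or from Fedora; the function names and the sample `sshd_config` text are constructed for illustration, and the firewall state is passed in as an assumed input rather than detected.

```python
# Added example: constructed sample input, hypothetical helper names.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not taken from a real host
Port 22
#PermitRootLogin no
PasswordAuthentication yes
permitrootlogin yes
PermitRootLogin no

Match User backup
    PermitRootLogin no
"""


def global_settings(text):
    """Map each global keyword (lower-cased) to the first value given for it.

    sshd keeps the first value it reads for a keyword, matches keywords
    case-insensitively, and treats lines after a Match line as conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        parts = line.replace("=", " ", 1).split(None, 1)  # allow keyword=value
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break  # the global section ends here
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text, firewall_allows_ssh):
    """Return findings for the root-login exposure discussed in the thread."""
    s = global_settings(text)
    root = s.get("permitrootlogin", "unset").lower()
    passwords = s.get("passwordauthentication", "yes").lower() == "yes"
    findings = []
    if root == "unset":
        findings.append("PermitRootLogin unset: check this OpenSSH version's default")
    elif root == "yes":
        findings.append("PermitRootLogin yes: remote root login is allowed")
    if root == "yes" and passwords and firewall_allows_ssh:
        findings.append("firewall passes port %s: root password is the only barrier"
                        % s.get("port", "22"))
    return findings
```

On a live system, `sshd -T` prints the effective configuration and can replace the file parsing done here.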