Bug 1425285 - sshd_config PermitRootLogin yes enabled by default
Status: CLOSED DUPLICATE of bug 89216
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 25
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-02-21 05:29 UTC by bugazi
Modified: 2017-02-21 08:32 UTC
Last Closed: 2017-02-21 08:32:40 UTC


Description bugazi 2017-02-21 05:29:40 UTC
Description of problem: Post clean install of Fedora 25 via live USB, /etc/ssh/sshd_config file contains the following line (uncommented)

PermitRootLogin yes


Version-Release number of selected component (if applicable): OpenSSH 7.3pl
OpenSSL 1.0.2j-fips


How reproducible: I have reformatted/reinstalled thrice with same results


Steps to Reproduce:
1. Boot via live USB
2. Install to hard drive (automatic partitioning)
3. Reboot, sudo vi /etc/ssh/sshd_config

Actual results: line 46 of file is: PermitRootLogin yes


Expected results: PermitRootLogin no


Additional info: I verified SHA256 post ISO download successfully

Comment 1 Jakub Jelen 2017-02-21 08:32:40 UTC
TL;DR: Not a bug. It is intentional.

Related bug from 2003:

https://bugzilla.redhat.com/show_bug.cgi?id=89216

Related Fedora Change draft that was never completed:

https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

There are various pros of this setup, but the cons are still automated setups without any other user created, which will cut users off. Also, not all use cases require different users, just root (IPA, testing, local network, ...). An interesting thread to read, which demonstrates why that is so:

https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html

This is still more for discussion on the mailing list, with FESCo or the Fedora Security Team, if we would like to change that.

*** This bug has been marked as a duplicate of bug 89216 ***
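
The manual check from the report combined with the lock-out concern from Comment 1, as an added example (not code from this bug or from the openssh package): it reads the global `PermitRootLogin` value from an sshd_config and checks whether a non-root administrator exists before the value is changed to `no`. The function names, the use of group `wheel` as the sudo group, and the sample files are assumptions made for illustration.

```shell
# Global PermitRootLogin value: sshd keeps the first value it reads for a keyword,
# keywords are case-insensitive, and lines after "Match" apply only conditionally.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        { key = tolower($1); sub(/=.*/, "", key) }     # accept "Key value" and "Key=value"
        key == "match" { exit }                        # end of the global section
        key == "permitrootlogin" {
            val = $0; sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", val)
            split(val, tok, /[ \t]+/); gsub(/"/, "", tok[1])
            print tolower(tok[1]); found = 1; exit
        }
        END { if (!found) print "unset" }              # compiled-in default applies
    ' "$1"
}

# Non-root accounts with a login shell that belong to group "wheel" (assumed to
# be the sudo group, as in Fedora). Args: PASSWD GROUP. Empty output = nobody.
admin_capable_users() {
    awk -F: '
        BEGIN { gid = "-" }
        FILENAME == ARGV[1] {                          # first file: group database
            if ($1 == "wheel") { gid = $3; n = split($4, m, ","); for (i = 1; i <= n; i++) w[m[i]] = 1 }
            next
        }
        $3 != 0 && $7 !~ /(nologin|false)$/ && (($1 in w) || $4 == gid) { print $1 }
    ' "$2" "$1"
}

# Verdict for the change the report asks for. Args: SSHD_CONFIG PASSWD GROUP.
audit_root_login() {
    val=$(effective_permit_root_login "$1")
    admins=$(admin_capable_users "$2" "$3" | tr '\n' ' ')
    if [ "$val" = "no" ]; then echo "ok: root login over SSH is disabled"
    elif [ -n "$admins" ]; then echo "root-login=$val; safe to set 'no', admins: ${admins% }"
    else echo "root-login=$val; setting 'no' would lock out admin access"
    fi
}

# Constructed sample files mirroring the report (uncommented "PermitRootLogin yes").
make_sample() {
    printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin yes' '#PermitRootLogin no' \
        'Match Address 192.0.2.0/24' '    PermitRootLogin no' > "$1/sshd_config"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'sshd:x:74:74::/var/empty/sshd:/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice' 'alice:x:1000:' > "$1/group"
}

d=$(mktemp -d) && make_sample "$d" && audit_root_login "$d/sshd_config" "$d/passwd" "$d/group"
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, including compiled-in defaults for keywords the file leaves unset.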

