Bug 171595 - Default Install Allows Direct Root Access
Default Install Allows Direct Root Access
Status: CLOSED DUPLICATE of bug 89216
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-10-24 00:36 EDT by Chris Nystrom
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-24 03:44:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chris Nystrom 2005-10-24 00:36:39 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

Description of problem:
The default configuration allows direct root login access. The blackhats apparently know this, because I noticed dictionary attacks on my root login from many locations around the world over a period of time. Since there is nothing special about my systems, I assume this is a widespread problem.

I believe better practice would be to have the direct root login disabled. A firewall can mitigate this issue, but I believe it is poor practice to rely only on the firewall for protection. The system should be delivered secure.

I believe that implementing this fix will not cause any undo restriction as legitimate users can easily login via unprivledged accounts and su to root.

Also I note that Solaris is delivered with direct ssh login to root disabled. 


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install FC4
2. Login via OpenSSH direct to root.
3. Unfortunately it works.
  

Actual Results:  You have root access to the machine.

Expected Results:  Login should be denied, forcing you to login via a non-privledged account and su to root. Users who need direct login to root can easily re-enable this feature.

Additional info:
Comment 1 Tomas Mraz 2005-10-24 03:44:06 EDT

*** This bug has been marked as a duplicate of 89216 ***

Note You need to log in before you can comment on or make changes to this bug.