Due to a recent update on Javascript code a full page refresh on your browser might be needed.
Bug 1716282 - Fedora 31 will no longer allow remote root password logins using ssh anymore
Summary: Fedora 31 will no longer allow remote root password logins using ssh anymore
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-03 07:11 UTC by Jakub Jelen
Modified: 2019-10-29 15:29 UTC (History)
9 users (show)

Fixed In Version: anaconda-31.21-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-29 15:29:12 UTC
Type: Bug


Attachments (Terms of Use)

Description Jakub Jelen 2019-06-03 07:11:39 UTC
The proposed Fedora 31 change [1] is changing the default SSH configuration to not allow remote root ssh logins using passwords anymore. This will probably require few modifications to the user creation policies in Anaconda to prevent installation of inaccessible systems.

One of the solutions for this might be possibility to import public keys from different providers (github/gitlab) during installation (#1466) or some other way to import public keys, if the root logins are needed.

I am not sure whether some other policies will need to be changed, but let me know whether you will have some questions here or on the fedora-devel [2].

[1] https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd
[2] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/OWEUJANOUFL4CYV3GJVZZQJOUA4QFPKZ/

Comment 1 Jakub Jelen 2019-06-19 08:39:10 UTC
Martin, can you (or somebody else from Anaconda) clarify what needs to be done for this change to be acceptable from anaconda PoV?

From the discussion in fesco issue [1] I understood that the MVP is to have some checkbox that would allow ssh root logins and that would create drop-in service file somehow along these lines:

[jjelen@t470s ~]$ cat /etc/systemd/system/sshd.service.d/anaconda.conf
[Service]
Environment=OPTIONS="-oPermitRootLogin=yes"

This will indeed require slight change in the UI/TUI and installer logic, but it should not be too complicated.

You also started discussion in the bug #1716551, where you already described what needs to be done. I do not see that bug as a requirement for this change to happen, but as something nice-to-have, which can happen later, but for now, the important thing is to agree on the scope so the change can be discussed in Fesco meeting.

[1] https://pagure.io/fesco/issue/2133

Comment 2 Martin Kolman 2019-06-19 14:08:11 UTC
(In reply to Jakub Jelen from comment #1)
> Martin, can you (or somebody else from Anaconda) clarify what needs to be
> done for this change to be acceptable from anaconda PoV?
> 
> From the discussion in fesco issue [1] I understood that the MVP is to have
> some checkbox that would allow ssh root logins and that would create drop-in
> service file somehow along these lines:
> 
> [jjelen@t470s ~]$ cat /etc/systemd/system/sshd.service.d/anaconda.conf
> [Service]
> Environment=OPTIONS="-oPermitRootLogin=yes"
> 
> This will indeed require slight change in the UI/TUI and installer logic,
> but it should not be too complicated.
I plan to start on this soon, so we have it in place well before branching.

> 
> You also started discussion in the bug #1716551, where you already described
> what needs to be done. I do not see that bug as a requirement for this
> change to happen, but as something nice-to-have, which can happen later, but
> for now, the important thing is to agree on the scope so the change can be
> discussed in Fesco meeting.
Indeed, this is potentially a nice addition, but the override checkbox is what I see as the
only must-have at the moment.

> 
> [1] https://pagure.io/fesco/issue/2133

Comment 3 Jakub Jelen 2019-06-19 15:28:46 UTC
Thank you for the update. I will update the fesco ticket so they have something to base their discussions upon.


If I understand it right, this does not affect Workstation installation, since its user creation is handled by the Gnome Initial setup after installation and the sshd is not allowed/installed in this product.

Here we are going to focus on the Server installation.


Checking the docs [1], there is also the inst.sshd, which allows to set up sshd server during installation and allowing the root logins for monitoring. I think this one will need also some modifications. I am actually not sure how is it used, but it should be taken care of too.

[1] https://anaconda-installer.readthedocs.io/en/latest/boot-options.html#inst-sshd

Comment 4 Owen Taylor 2019-06-21 16:08:17 UTC
I'd like to express some reservation about the idea of just adding a checkbox to Anaconda - a checkbox makes the user needs to think about "is this something I need or not" - but we're actually adding a checkbox that we think *nobody* should ever check, so that people don't complain that it's missing.

The use cases I can think of:

 * Workstation install - best not to create any users, and let gnome-initial-setup handle creating an admin user.

 * Workstation install for alternate edition/spin without gnome-initial-setup - just create an admin user

 * Server install with an admin user - just create an admin user

 * Server install without an admin user, that is being installed through the Anaconda interactively.

Only the last would ever require the checkbox, but it would be clearly better in that case to set a public ssh key (as in the initial comment here) - I think for the rarity of this use case, expecting the public key to be on a web url is reasonable.

On the other hand, the last case is *also* the only case where you should set a root password, so it's possible that adding a checkbox to the "set a root password" screen doesn't make things more confusing. Is that where the checkbox would be added?

Comment 5 Jakub Jelen 2019-06-24 08:51:54 UTC
Thank you for the comment. I would like to advocate here one more use case, when the checking this checkbox might make sense. This is a local throw-away testing VMs, where the security is not a problem and the users just need to connect there and having a root account is the simplest thing to achieve that.

Hopefully we will be able to implement also the ssh keys import, teach people to use it and then we can remove the checkbox some time later, but until then, this sounds like the least-intrusive thing we can do for users and for anaconda.

Comment 6 Martin Kolman 2019-07-01 19:53:47 UTC
PR: https://github.com/rhinstaller/anaconda/pull/2037

Comment 7 Vendula Poncova 2019-07-23 11:04:33 UTC
Fixed in a pull request: https://github.com/rhinstaller/anaconda/pull/2042

Comment 8 Ben Cotton 2019-08-13 16:51:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 9 Ben Cotton 2019-08-13 18:57:33 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 10 Jakub Jelen 2019-10-29 08:28:22 UTC
Should we close this bug as it is fixed in Fedora 31 already?


Note You need to log in before you can comment on or make changes to this bug.