Red Hat Bugzilla – Bug 600768
sshd is running during kickstart install and there is no root password
Last modified: 2010-07-30 03:23:59 EDT
Created attachment 421512
kickstart to host to a server.
+++ This bug was initially created as a clone of Bug #600765 +++
Description of problem:
When doing a kickstart install, sshd is running and there is no root password, allowing unauthorized entry to the system during installation.
Version-Release number of selected component (if applicable):
Packages from Fedora 13 x86_64 GA
Steps to Reproduce:
1. Host an appropriate kickstart file (see attachment) via http on ksserver.example.com
2. Create a KVM virtual machine and boot it from the Fedora 13 x86_64 netinstall iso, add ks=http://ksserver.example.com/ks.filename to the installer CLI
4. When the installer has reached the package install stage, send CTRL+ALT+F2 to the VM and run ifconfig to get the VM's IP (vmIP)
5. Use a terminal on another host to run:
$ ssh root@vmIP
$ ssh firstname.lastname@example.org
The authenticity of host '192.168.1.112 (192.168.1.112)' can't be established.
RSA key fingerprint is 63:8a:cf:54:e3:35:e8:c5:da:f4:56:a5:e1:07:1b:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.112' (RSA) to the list of known hosts.
Connection refused or a password prompt?
Dennis Johnson found that bug on F13.
No need to CC me. I watch anaconda-maint-list.
This is fixed in rawhide, but it's too late for F13.
Is there a workaround during kickstart install to either stop (or don't start) sshd or ensure that a password (the one supplied by "rootpw" in the kickstart file) is required? It is a security risk to do installations with an open sshd.
Is it possible to do this with an updates image?
Thanks in advance!
Pass sshd=0 on the kernel cmdline to disable sshd during the install.
That does not work. And somebody should change the release FAQs, because there too it mistakenly says that you can pass sshd=0 on the kernel command line. That may work in rawhide or errata versions of anaconda, but not for the Fedora 13 release version.
Passing sshd=0 on the kernel command line does NOT work, because it is interpreted as the string '0', not the integer 0, and as a result Python evaluates it as true, not false.
What does work, though, is to pass sshd= on the kernel command line. This assigns the empty string to the sshd flag, and then Python treats it as false.
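The string-truthiness behaviour described in the last comment, as an added example that is not anaconda's code and not part of any comment above. The function names, the word list and the sample command lines are assumptions made for illustration; the naive default of "sshd on" follows the bug description.

```python
import shlex

# Values accepted as "on" by the strict parser (assumed list, not anaconda's).
TRUE_WORDS = {"1", "yes", "on", "true"}

def parse_cmdline(cmdline):
    """Split a kernel command line into {key: value}; a bare word maps to True."""
    args = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        args[key] = value if sep else True
    return args

def sshd_enabled_naive(args, default=True):
    """Truthiness test: any non-empty string, including '0', counts as on."""
    # Assumption: with no sshd argument the installer starts sshd, as reported.
    return bool(args.get("sshd", default))

def sshd_enabled_strict(args, default=False):
    """Explicit parsing: only a recognised 'on' word enables sshd (fail closed)."""
    value = args.get("sshd", default)
    if isinstance(value, bool):
        return value
    return value.strip().lower() in TRUE_WORDS

if __name__ == "__main__":
    # Constructed command lines, not captured from a real install.
    base = "initrd=initrd.img ks=http://ksserver.example.com/ks.filename"
    for extra in ("", "sshd=0", "sshd=", "sshd=1", "sshd=maybe"):
        args = parse_cmdline(f"{base} {extra}")
        print(f"{extra or '(absent)':<12} "
              f"naive={sshd_enabled_naive(args)!s:<6} "
              f"strict={sshd_enabled_strict(args)}")
```

The naive check reports sshd as enabled for `sshd=0` and disabled only for `sshd=`, matching the workaround in the comment; the strict check treats both as disabled.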