Bug 600768 - sshd is running during kickstart install and there is no root password
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda   
Version: 13
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2010-06-05 22:58 UTC by François Cami
Modified: 2010-07-30 07:23 UTC (History)

Doc Type: Bug Fix
Clone Of: 600765
Last Closed: 2010-06-07 14:16:25 UTC
Attachments:
kickstart to host to a server. (1.12 KB, text/plain), 2010-06-05 22:58 UTC, François Cami

Description François Cami 2010-06-05 22:58:35 UTC
Created attachment 421512
kickstart to host to a server.

+++ This bug was initially created as a clone of Bug #600765 +++

Description of problem:
When doing a kickstart install, sshd is running and there is no root password, allowing unauthorized entry to the system during installation.

Version-Release number of selected component (if applicable):
Packages from Fedora 13 x86_64 GA

How reproducible:
Always

Steps to Reproduce:
1. Host an appropriate kickstart file (see attachment) via http on ksserver.example.com
2. Create a KVM virtual machine and boot it from the Fedora 13 x86_64 netinstall iso, add ks=http://ksserver.example.com/ks.filename to the installer CLI
4. When the installer has reached the package install stage, send CTRL+ALT+F2 to the VM and run ifconfig to get the VM's IP (vmIP)
5. Use a terminal on another host to run:
 $ ssh root@vmIP
  
Actual results:
$ ssh root@192.168.1.112
The authenticity of host '192.168.1.112 (192.168.1.112)' can't be established.
RSA key fingerprint is 63:8a:cf:54:e3:35:e8:c5:da:f4:56:a5:e1:07:1b:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.112' (RSA) to the list of known hosts.
-bash-4.1#

Expected results:
Connection refused or a password prompt?

Additional info:
Dennis Johnson found that bug on F13.

Comment 1 Chris Lumens 2010-06-06 01:03:13 UTC
No need to CC me.  I watch anaconda-maint-list.

Comment 2 Chris Lumens 2010-06-07 14:16:25 UTC
This is fixed in rawhide, but it's too late for F13.

Comment 3 Edgar Hoch 2010-07-18 17:36:57 UTC
Is there a workaround during kickstart install to either stop (or don't start) sshd or ensure that a password (the one supplied by "rootpw" in the kickstart file) is required? It is a security risk to do installations with an open sshd.

Is it possible to do this with an updates image?

Thanks in advance!

Comment 4 Brian Lane 2010-07-18 17:50:18 UTC
Pass sshd=0 on the kernel cmdline to disable sshd during the install.

Comment 5 Philip Spencer 2010-07-30 02:43:54 UTC
That does not work. And somebody should change the release FAQs, because there too it mistakenly says that you can pass sshd=0 on the kernel command line. That may work in rawhide or errata versions of anaconda, but not for the Fedora 13 release version.

Passing sshd=0 on the kernel command line does NOT work, because it is interpreted as the string '0', not the integer 0, and as a result Python evaluates it as true, not false.

What does work, though, is to pass sshd= on the kernel command line. This assigns the empty string to the sshd flag, and then Python treats it as false.
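
The string-truthiness behaviour described in comment 5, as an added Python example that is not anaconda's code and not part of the original report. The function names, the accepted true/false words and the default-on assumption are hypothetical; the sample command line is constructed from the ks= URL in the report.

```python
# Added example; not anaconda's code. All names here are hypothetical.
FALSE_WORDS = {"", "0", "no", "off", "false"}
TRUE_WORDS = {"1", "yes", "on", "true"}
SSHD_DEFAULT = True  # assumption: sshd starts unless told otherwise


def parse_cmdline(cmdline):
    """Split a kernel command line into {name: value}.

    Values are always strings; a bare flag with no '=' maps to True.
    Whitespace splitting only: quoted values are not handled.
    """
    args = {}
    for token in cmdline.split():
        name, sep, value = token.partition("=")
        args[name] = value if sep else True
    return args


def sshd_enabled_naive(args):
    """Truthiness test on the raw value: 'sshd=0' yields '0', a non-empty
    string, so this returns True. Only the empty string ('sshd=') is falsy."""
    return bool(args.get("sshd", SSHD_DEFAULT))


def sshd_enabled_strict(args):
    """Map the string to a boolean explicitly and reject unknown words."""
    value = args.get("sshd", SSHD_DEFAULT)
    if isinstance(value, bool):
        return value
    word = value.strip().lower()
    if word in FALSE_WORDS:
        return False
    if word in TRUE_WORDS:
        return True
    raise ValueError(f"unrecognised sshd value: {value!r}")


if __name__ == "__main__":
    base = "ks=http://ksserver.example.com/ks.filename"  # constructed sample
    for extra in ("", "sshd", "sshd=1", "sshd=0", "sshd="):
        args = parse_cmdline(f"{base} {extra}")
        print(f"{extra!r:10} naive={sshd_enabled_naive(args)} "
              f"strict={sshd_enabled_strict(args)}")
```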

Comment 6 François Cami 2010-07-30 07:23:59 UTC
I've updated
https://fedoraproject.org/wiki/Common_F13_bugs 

Thanks.

