Created attachment 421512
kickstart to host to a server.

+++ This bug was initially created as a clone of Bug #600765 +++

Description of problem:
When doing a kickstart install, sshd is running and there is no root password, allowing unauthorized entry to the system during installation.

Version-Release number of selected component (if applicable):
Packages from Fedora 13 x86_64 GA

How reproducible:
Always

Steps to Reproduce:
1. Host an appropriate kickstart file (see attachment) via http on ksserver.example.com
2. Create a KVM virtual machine and boot it from the Fedora 13 x86_64 netinstall iso, add ks=http://ksserver.example.com/ks.filename to the installer CLI
4. When the installer has reached the package install stage, send CTRL+ALT+F2 to the VM and run ifconfig to get the VM's IP (vmIP)
5. Use a terminal on another host to run:
   $ ssh root@vmIP

Actual results:
$ ssh root@192.168.1.112
The authenticity of host '192.168.1.112 (192.168.1.112)' can't be established.
RSA key fingerprint is 63:8a:cf:54:e3:35:e8:c5:da:f4:56:a5:e1:07:1b:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.112' (RSA) to the list of known hosts.
-bash-4.1#

Expected results:
Connection refused or a password prompt?

Additional info:
Dennis Johnson found that bug on F13.
No need to CC me. I watch anaconda-maint-list.
This is fixed in rawhide, but it's too late for F13.
Is there a workaround during kickstart install to either stop (or don't start) sshd or ensure that a password (the one supplied by "rootpw" in the kickstart file) is required? It is a security risk to do installations with an open sshd. Is it possible to do this with an updates image? Thanks in advance!
Pass sshd=0 on the kernel cmdline to disable sshd during the install.
That does not work. And somebody should change the release FAQs, because there too it mistakenly says that you can pass sshd=0 on the kernel command line. That may work in rawhide or errata versions of anaconda, but not for the Fedora 13 release version. Passing sshd=0 on the kernel command line does NOT work, because it is interpreted as the string '0' not the integer 0, and as a result Python evaluates it as true not false. What does work, though, is to pass sshd= on the kernel command line. This assigns the empty string to the sshd flag and then Python treats it as false.
I've updated https://fedoraproject.org/wiki/Common_F13_bugs Thanks.
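The string-truthiness behaviour described in the comment about sshd=0, next to an explicit parse, as an added example (not anaconda's code and not part of the original thread). All function names are hypothetical; the "on unless told otherwise" default in the first check is modelled on the bug report, and the fail-closed default in the second is a design choice of this example.

```python
# Added illustration; names are hypothetical, not taken from anaconda.

def parse_cmdline(cmdline):
    """Split a kernel command line into {key: value}; values stay strings.
    A bare word with no '=' maps to None."""
    flags = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        flags[key] = value if sep else None
    return flags


def sshd_enabled_truthy(flags):
    """Check as described in the thread: the raw string is used as a boolean.
    '0' is a non-empty string, so it is true; only '' is false.
    Assumption: sshd is on when the option is absent, as in the bug report."""
    return bool(flags.get("sshd", "1"))


_FALSE = {"", "0", "no", "off", "false"}
_TRUE = {"1", "yes", "on", "true"}


def sshd_enabled_strict(flags, default=False):
    """Explicit parse: off unless clearly requested, unknown values rejected."""
    if "sshd" not in flags:
        return default
    value = flags["sshd"]
    if value is None:          # bare "sshd" on the command line
        return True
    value = value.strip().lower()
    if value in _FALSE:
        return False
    if value in _TRUE:
        return True
    raise ValueError("unrecognised sshd= value: %r" % value)


if __name__ == "__main__":
    base = "ks=http://ksserver.example.com/ks.filename "  # URL from the report
    for extra in ("", "sshd=0", "sshd=", "sshd=1"):        # constructed inputs
        flags = parse_cmdline(base + extra)
        print("%-8r truthy=%-5s strict=%s" % (
            extra, sshd_enabled_truthy(flags), sshd_enabled_strict(flags)))
```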