Bug 600768 - sshd is running during kickstart install and there is no root password
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 13
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Keywords: Security

Reported: 2010-06-05 18:58 EDT by François Cami
Modified: 2010-07-30 03:23 EDT
Doc Type: Bug Fix
Clone Of: 600765
Last Closed: 2010-06-07 10:16:25 EDT

Attachments:
kickstart to host to a server. (1.12 KB, text/plain), 2010-06-05 18:58 EDT, François Cami

Description François Cami 2010-06-05 18:58:35 EDT
Created attachment 421512
kickstart to host to a server.

+++ This bug was initially created as a clone of Bug #600765 +++

Description of problem:
When doing a kickstart install, sshd is running and there is no root password, allowing unauthorized entry to the system during installation.

Version-Release number of selected component (if applicable):
Packages from Fedora 13 x86_64 GA

How reproducible:
Always

Steps to Reproduce:
1. Host an appropriate kickstart file (see attachment) via http on ksserver.example.com
2. Create a KVM virtual machine and boot it from the Fedora 13 x86_64 netinstall iso, add ks=http://ksserver.example.com/ks.filename to the installer CLI
4. When the installer has reached the package install stage, send CTRL+ALT+F2 to the VM and run ifconfig to get the VM's IP (vmIP)
5. Use a terminal on another host to run:
 $ ssh root@vmIP
  
Actual results:
$ ssh root@192.168.1.112
The authenticity of host '192.168.1.112 (192.168.1.112)' can't be established.
RSA key fingerprint is 63:8a:cf:54:e3:35:e8:c5:da:f4:56:a5:e1:07:1b:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.112' (RSA) to the list of known hosts.
-bash-4.1#

Expected results:
Connection refused or a password prompt?

Additional info:
Dennis Johnson found that bug on F13.
Comment 1 Chris Lumens 2010-06-05 21:03:13 EDT
No need to CC me.  I watch anaconda-maint-list.
Comment 2 Chris Lumens 2010-06-07 10:16:25 EDT
This is fixed in rawhide, but it's too late for F13.
Comment 3 Edgar Hoch 2010-07-18 13:36:57 EDT
Is there a workaround during kickstart install to either stop (or don't start) sshd or ensure that a password (the one supplied by "rootpw" in the kickstart file) is required? It is a security risk to do installations with an open sshd.

Is it possible to do this with an updates image?

Thanks in advance!
Comment 4 Brian Lane 2010-07-18 13:50:18 EDT
Pass sshd=0 on the kernel cmdline to disable sshd during the install.
Comment 5 Philip Spencer 2010-07-29 22:43:54 EDT
That does not work. And somebody should change the release FAQs, because there too it mistakenly says that you can pass sshd=0 on the kernel command line. That may work in rawhide or errata versions of anaconda, but not for the Fedora 13 release version.

Passing sshd=0 on the kernel command line does NOT work, because it is interpreted as the string '0', not the integer 0, and as a result Python evaluates it as true, not false.

What does work, though, is to pass sshd= on the kernel command line. This assigns the empty string to the sshd flag and then Python treats it as false.
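
The string-truthiness behaviour described in comment 5, reproduced as an added example (not anaconda's code and not part of the original report), next to a parser that interprets the value as a boolean word. The names parse_cmdline, naive_enabled and strict_enabled, the FALSE_WORDS set, and the assumption that sshd defaults to on when the flag is absent are illustrative.

```python
# Added illustration; parse_cmdline, naive_enabled and strict_enabled are
# hypothetical names, not anaconda functions.
import shlex

# Assumed set of values that should mean "off" (not taken from anaconda).
FALSE_WORDS = {"", "0", "no", "off", "false"}

def parse_cmdline(cmdline):
    """Split a kernel command line into {name: value}; bare words map to None."""
    flags = {}
    for token in shlex.split(cmdline):
        name, sep, value = token.partition("=")
        flags[name] = value if sep else None
    return flags

def naive_enabled(flags, name, default=True):
    """Truthiness test on the raw string: '0' is a non-empty str, so it is True."""
    if name not in flags:
        return default  # assumption: the service is on unless told otherwise
    return bool(flags[name])

def strict_enabled(flags, name, default=True):
    """Interpret the value as a boolean word instead of relying on truthiness."""
    if name not in flags:
        return default
    value = flags[name]
    if value is None:  # bare "sshd" with no "=": treated as enabled here
        return True
    return value.strip().lower() not in FALSE_WORDS

# Constructed sample command lines (the ks= URL is the one from the report).
SAMPLES = [
    "ks=http://ksserver.example.com/ks.filename",
    "ks=http://ksserver.example.com/ks.filename sshd=0",
    "ks=http://ksserver.example.com/ks.filename sshd=",
]

def compare(samples=SAMPLES):
    """Return (cmdline, naive result, strict result) for each sample."""
    rows = []
    for line in samples:
        flags = parse_cmdline(line)
        rows.append((line, naive_enabled(flags, "sshd"), strict_enabled(flags, "sshd")))
    return rows

if __name__ == "__main__":
    for line, naive, strict in compare():
        print(f"naive={naive!s:5} strict={strict!s:5}  {line}")
```
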
Comment 6 François Cami 2010-07-30 03:23:59 EDT
I've updated
https://fedoraproject.org/wiki/Common_F13_bugs 

Thanks.
