Description of problem: Its possible to ssh into a box during kickstart, as root with no password required. This obviously means the box can be easily compromised during build. Version-Release number of selected component (if applicable): anaconda-13.42-1.fc13.i686 How reproducible: 100% Steps to Reproduce: 1. ssh -l root box 2. 3. Actual results: box# Expected results: Login denied This is the same bug as reported for RHEL6 in report 585160, but clearly the fix needs porting to Fedora too. Additional info: What probably should happen is that the login be optionally allowed (for debugging kickstart; I find this useful today) but the password supplied in hash-encrypted form from the pxelinux.cfg parameters, with a default that allows no login.
Oh, just noticed this in 585160... https://fedoraproject.org/wiki/Anaconda/Kickstart#sshpw which addresses my suggestion already; just need the default fixed.
I believe this is already fixed in rawhide, but I can't find the commit offhand to confirm.
Yes, this has been fixed on the master branch by those commits: 4075fce519f00093f8fba76d51881c4f53bdccbe (fixes the kickstart sshpw command) eb1a56726289175d236d7366c035d7fe33925918 (makes the ssh parameter work as expected) 2d39422b083cb546e69f713752360915e0f55dd3 (only start ssh with 'sshd' on the command line instead of whenever a KS is specified) Fedora 14 will have all of those included.
This isn't actually fixed in Fedora 13, and this is a HUGE security problem. Now I'm wondering whether my Fedora 13 box may have been compromised during install. There is absolutely no way to tell.