Bug 620318 - root login possible during kickstart via ssh
Summary: root login possible during kickstart via ssh
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
(Show other bugs)
Version: 13
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Ales Kozumplik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-02 07:19 UTC by Ian Donaldson
Modified: 2014-09-30 23:39 UTC (History)
5 users (show)

Fixed In Version: anaconda-14.8-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-03 08:14:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Ian Donaldson 2010-08-02 07:19:24 UTC
Description of problem:

Its possible to ssh into a box during kickstart, as root with no password
required.  This obviously means the box can be easily
compromised during build.


Version-Release number of selected component (if applicable):

anaconda-13.42-1.fc13.i686


How reproducible:

100%


Steps to Reproduce:
1. ssh -l root box
2.
3.
  
Actual results:

box# 


Expected results:

Login denied


This is the same bug as reported for RHEL6 in report 585160, but clearly
the fix needs porting to Fedora too.


Additional info:

What probably should happen is that the login be optionally allowed 
(for debugging kickstart; I find this useful today) but the password
supplied in hash-encrypted form from the pxelinux.cfg parameters, with
a default that allows no login.

Comment 1 Ian Donaldson 2010-08-02 07:26:12 UTC
Oh, just noticed this in 585160...

https://fedoraproject.org/wiki/Anaconda/Kickstart#sshpw

which addresses my suggestion already; just need the default fixed.

Comment 2 Chris Lumens 2010-08-02 13:27:13 UTC
I believe this is already fixed in rawhide, but I can't find the commit offhand to confirm.

Comment 3 Ales Kozumplik 2010-08-03 08:14:04 UTC
Yes,

this has been fixed on the master branch by those commits:
4075fce519f00093f8fba76d51881c4f53bdccbe (fixes the kickstart sshpw command)
eb1a56726289175d236d7366c035d7fe33925918 (makes the ssh parameter work as expected)
2d39422b083cb546e69f713752360915e0f55dd3 (only start ssh with 'sshd' on the command line instead of whenever a KS is specified)

Fedora 14 will have all of those included.

Comment 4 Andrew McNabb 2010-09-03 16:44:25 UTC
This isn't actually fixed in Fedora 13, and this is a HUGE security problem.  Now I'm wondering whether my Fedora 13 box may have been compromised during install.  There is absolutely no way to tell.


Note You need to log in before you can comment on or make changes to this bug.