Red Hat Bugzilla – Bug 620318
root login possible during kickstart via ssh
Last modified: 2014-09-30 19:39:27 EDT
Description of problem:
Its possible to ssh into a box during kickstart, as root with no password
required. This obviously means the box can be easily
compromised during build.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ssh -l root box
This is the same bug as reported for RHEL6 in report 585160, but clearly
the fix needs porting to Fedora too.
What probably should happen is that the login be optionally allowed
(for debugging kickstart; I find this useful today) but the password
supplied in hash-encrypted form from the pxelinux.cfg parameters, with
a default that allows no login.
Oh, just noticed this in 585160...
which addresses my suggestion already; just need the default fixed.
I believe this is already fixed in rawhide, but I can't find the commit offhand to confirm.
this has been fixed on the master branch by those commits:
4075fce519f00093f8fba76d51881c4f53bdccbe (fixes the kickstart sshpw command)
eb1a56726289175d236d7366c035d7fe33925918 (makes the ssh parameter work as expected)
2d39422b083cb546e69f713752360915e0f55dd3 (only start ssh with 'sshd' on the command line instead of whenever a KS is specified)
Fedora 14 will have all of those included.
This isn't actually fixed in Fedora 13, and this is a HUGE security problem. Now I'm wondering whether my Fedora 13 box may have been compromised during install. There is absolutely no way to tell.