Bug 620318 - root login possible during kickstart via ssh
Summary: root login possible during kickstart via ssh
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 13
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ales Kozumplik
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2010-08-02 07:19 UTC by Ian Donaldson
Modified: 2014-09-30 23:39 UTC (History)

Clone Of:
Last Closed: 2010-08-03 08:14:04 UTC


Description Ian Donaldson 2010-08-02 07:19:24 UTC
Description of problem:

It's possible to ssh into a box during kickstart, as root with no password
required.  This obviously means the box can be easily
compromised during build.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. ssh -l root box
Actual results:


Expected results:

Login denied

This is the same bug as reported for RHEL6 in report 585160, but clearly
the fix needs porting to Fedora too.

Additional info:

What probably should happen is that the login be optionally allowed 
(for debugging kickstart; I find this useful today) but the password
supplied in hash-encrypted form from the pxelinux.cfg parameters, with
a default that allows no login.

Comment 1 Ian Donaldson 2010-08-02 07:26:12 UTC
Oh, just noticed this in 585160...


which addresses my suggestion already; just need the default fixed.

Comment 2 Chris Lumens 2010-08-02 13:27:13 UTC
I believe this is already fixed in rawhide, but I can't find the commit offhand to confirm.

Comment 3 Ales Kozumplik 2010-08-03 08:14:04 UTC

this has been fixed on the master branch by those commits:
4075fce519f00093f8fba76d51881c4f53bdccbe (fixes the kickstart sshpw command)
eb1a56726289175d236d7366c035d7fe33925918 (makes the ssh parameter work as expected)
2d39422b083cb546e69f713752360915e0f55dd3 (only start ssh with 'sshd' on the command line instead of whenever a KS is specified)

Fedora 14 will have all of those included.
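
The following is an added example, not code from the bug report, the reporter, or anaconda itself. It puts the two pieces discussed in the report and in comment 3 into one script: a kickstart 'sshpw' line that carries a crypt-hashed password, a pxelinux.cfg APPEND line that only passes the 'sshd' boot parameter when installer ssh is explicitly wanted (default: no installer sshd), and a small lint that flags kickstart files whose sshpw line is plaintext or carries no hash. Assumptions: the pykickstart 'sshpw --username=... --iscrypted <hash>' syntax, 'sshd' as the boot-time parameter named in comment 3, and 'openssl passwd -6' (OpenSSL 1.1.1 or later) for hashing; the kickstart URL and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate a hashed-password sshpw line and a pxelinux.cfg
# APPEND line, and lint a kickstart for unsafe sshpw usage.
# Assumes pykickstart sshpw syntax, the 'sshd' boot parameter from comment 3,
# and 'openssl passwd -6' (OpenSSL >= 1.1.1). Not part of anaconda.
set -eu

# crypt_hash PLAINTEXT -> SHA-512 crypt string ($6$...), as --iscrypted expects.
crypt_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# is_crypt_hash STRING -> 0 if it has a glibc crypt prefix, 1 otherwise.
is_crypt_hash() {
    case "$1" in
        '$6$'*|'$5$'*|'$1$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshpw_line USER HASH -> the kickstart line. Refuses anything that is not a
# hash so a plaintext or empty password never lands in the kickstart.
sshpw_line() {
    is_crypt_hash "$2" || { echo "sshpw_line: refusing non-hashed password" >&2; return 1; }
    printf 'sshpw --username=%s --iscrypted %s\n' "$1" "$2"
}

# pxelinux_append KSURL [debug] -> APPEND line. 'sshd' is only added when the
# second argument is 'debug'; the default boots the installer without sshd.
pxelinux_append() {
    line="  APPEND initrd=initrd.img ks=$1"
    if [ "${2:-}" = "debug" ]; then
        line="$line sshd"
    fi
    printf '%s\n' "$line"
}

# audit_ks < FILE -> one FINDING line per problem; exit status 1 if any.
# Flags an sshpw with --plaintext, and an sshpw whose last field is not a hash.
audit_ks() {
    rc=0
    while IFS= read -r l; do
        case "$l" in
            sshpw*)
                case "$l" in
                    *--plaintext*) echo "FINDING: plaintext sshpw: $l"; rc=1; continue ;;
                esac
                pw=${l##* }    # last whitespace-separated field
                if ! is_crypt_hash "$pw"; then
                    echo "FINDING: sshpw password is not a crypt hash: $l"; rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# Usage (constructed values):
#   h=$(crypt_hash 'build-only-secret')
#   sshpw_line root "$h"                      >> fedora.ks
#   pxelinux_append http://ks.example/fedora.ks debug   # adds 'sshd'
#   audit_ks < fedora.ks
```

The hash goes into the kickstart rather than onto the kernel command line because the command line is visible to every process on the installed system via /proc/cmdline; the lint is the check to run in CI over any kickstart before it is served over PXE.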

Comment 4 Andrew McNabb 2010-09-03 16:44:25 UTC
This isn't actually fixed in Fedora 13, and this is a HUGE security problem.  Now I'm wondering whether my Fedora 13 box may have been compromised during install.  There is absolutely no way to tell.
