----- Original Message -----
> = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
>
https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> In the Server case, nearly every deployment is headless. Disabling root
> login to ssh by default would mean that many people would have no way to
> get into the system at all. (Yes, we could force the creation of a
> non-root user at install time, but this user would by necessity be an
> administrator capable of becoming root via sudo, so the distinction
> is... fuzzy).
No, there is an important conceptual distinction between logging in as a “hard-coded
technical account named root” and logging in as a real person (or a bacula/ansible service
account, even if ultimately root-privileged through some mechanism), as soon as more than
one person has administrative access: attribution and accountability.
OTOH, the security distinction between brute-forcing (constant “root”+password) or
(username+password) is trivial enough that I don’t think the change as proposed makes
sense.
> The only other approach I could see for the headless
> servers would be mandating the enrollment in an identity domain at
> installation time (such as to FreeIPA or Active Directory).
> Neither of those approaches is anything like ideal,
I think we should eventually end up forcing _all_ logins (both remote and local) to
actually identify a security principal (i.e. have a local user set up or a domain
membership as a required step during installation). You are right that at this moment
this would not go smoothly; we should make it smooth enough first, and then just remove
the root password altogether to force going through a real account first.
( https://lists.fedoraproject.org/pipermail/security/2014-December/002039.html )
> We can also consider opening an RFE against realmd, so that if the
> machine becomes enrolled in a domain, it disables the remote root login
> by default. I'm not sure about that, however.
That seems like a fairly confusing combination of a mechanism (realmd as a tool “for
joining domains”) and distribution policy (Fedora prevents/recommends not to use logins
directly as root).
Mirek