On 10/06/2016 04:02 AM, Jakub Jelen wrote:
On 10/03/2016 04:57 PM, Chris Murphy wrote:
> Hi,
>
> I'm noticing even with cockpit-0.117 in Fedora 24 Server, that it
> supports ssh key assignment for users. Since it's possible to login to
> cockpit out of the box, and setup ssh keys via the web interface, is
> it now practical to set these by default in the F26/F27 time frame?
> And if not, what additional work needs to be done?
>
>
> Disable root logins with ssh
> /etc/ssh/sshd_config PermitRootLogin no
>
> Disable root entirely (sudo -i still works)
> usermod -p '!' root
>
> Disable password login with ssh (key only)
> /etc/ssh/sshd_config PasswordAuthentication no
>
> In my case I use all three as pretty much the first step for a new
> Fedora 24 Server installation.
We have had the RFE [1] to disable root login in OpenSSH open for years (13, namely).
Upstream already did that and set the default to "prohibit-password", which is a
quite sane default: if you are able to set up the public keys in the installer or
create some sudo user, you are good.
From the comments, it looks like expected deployments are still quite dependent
on allowed root login by default (Ansible, even remote cockpit ...). The change
was requested again a few years ago [2], but didn't make it through FESCo
(rejected by the Server SIG) [3].
The problem is not that "root" specifically must be enabled; rather, "a remote
user login capable of administrative privileges must be present", which in the
majority of real-world deployments is functionally equivalent to root.
We haven't come up with a way that disabling remote root login isn't a huge
burden on bootstrapping a new deployment.
From my point of view, this is the way we should go, but it needs to be
organized across all the dependent consumers that rely on the root account being
enabled in SSH. Before doing that, we need to find some alternative way to do
things there.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=89216
[2] https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
[3] https://fedorahosted.org/fesco/ticket/1386
Regards,
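An added example (not part of the thread, and not Fedora or OpenSSH project code) that audits the two sshd_config settings Chris lists above. The point it adds is the caveat that bites people who "append the fix to the end of the file": sshd takes the first value it sees for a keyword in the global section, so a later `PermitRootLogin no` does not override an earlier `PermitRootLogin yes`. The two config texts are constructed for the demo; the function names `effective_value` and `audit_sshd` are this example's own, and it assumes whitespace-separated `Keyword value` lines with no `Include` directives (on a real host, compare against `sshd -T` run as root, which prints the effective configuration).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits the global section of
# an sshd_config text for PermitRootLogin / PasswordAuthentication, honouring
# sshd's rule that the FIRST value for a keyword wins. Config texts below are
# constructed samples. Assumes "Keyword value" syntax and no Include lines.

# Constructed sample: an admin appended "no" at the bottom, but the earlier
# "yes" is what sshd actually uses (and the trailing line is inside a Match
# block anyway, so it only applies to user "deploy").
SAMPLE_CONFIG=$(cat <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes
    PermitRootLogin no
EOF
)

# Constructed sample: the settings from the thread, placed before any Match.
HARDENED_CONFIG=$(cat <<'EOF'
# constructed hardened sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
)

# effective_value KEYWORD CONFIG_TEXT
# Prints the first global (pre-Match) value for KEYWORD, case-insensitively,
# skipping comments and blank lines. Prints "unset" when the keyword does not
# appear before the first Match block; sshd then uses its compiled-in default.
effective_value() {
    printf '%s\n' "$2" | awk -v kw="$1" '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blanks
        { key = tolower($1) }
        key == "match"       { exit }              # end of the global section
        key == tolower(kw)   { print $2; found = 1; exit }   # first one wins
        END { if (!found) print "unset" }
    '
}

# audit_sshd CONFIG_TEXT
# Reports both settings; returns 0 only when both are explicitly "no".
# "unset" is reported as not hardened on purpose: the compiled-in default
# varies by build (upstream OpenSSH 7.0+ uses prohibit-password for root,
# and PasswordAuthentication defaults to yes), so confirm with `sshd -T`.
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$kw" "$1")
        if [ "$val" = no ]; then
            printf '%-22s %s\n' "$kw" "no (ok)"
        elif [ "$val" = unset ]; then
            printf '%-22s %s\n' "$kw" "unset (compiled-in default applies; check sshd -T)"
            rc=1
        else
            printf '%-22s %s\n' "$kw" "$val (NOT hardened)"
            rc=1
        fi
    done
    return $rc
}

echo "== constructed sample (appended fix does not take effect) =="
audit_sshd "$SAMPLE_CONFIG" || echo "result: sample config FAILS the audit"
echo "== constructed hardened config =="
audit_sshd "$HARDENED_CONFIG" && echo "result: hardened config passes"
```

To audit a live host, pass `"$(cat /etc/ssh/sshd_config)"` to `audit_sshd`, then cross-check against `sshd -T` as root, which also resolves `Include` files and compiled-in defaults that this text-only check deliberately does not model. Locking the root password (`usermod -p '!' root`, the third step in the thread) is a separate control in the shadow file and is not something sshd_config can tell you about.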