
F22 System Wide Change: Set sshd(8) PermitRootLogin=no

From:  Jaroslav Reznik <jreznik-AT-redhat.com>
To:  devel-announce-AT-lists.fedoraproject.org
Subject:  F22 System Wide Change: Set sshd(8) PermitRootLogin=no
Date:  Thu, 08 Jan 2015 13:42:18 +0100
Message-ID:  <3829459.87llESXiCC__36035.5637422346$1420721133$gmane$org@dhcp-0-163.brq.redhat.com>

= Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLog...

Change owner(s): P J P <pjp@fedoraproject.org> and Fedora Security Team

To disable remote root login facility in sshd(8) by default. 

== Detailed Description ==
The sshd(8) daemon allows remote users to log in as 'root' by default. This 
provides remote attackers an option to brute force their way into a system. 
Empirically it is observed that many users use their systems via 'root' login, 
without creating a non-root user, and often have weak passwords for this mighty 
account. sshd_config(5) has an option 'PermitRootLogin=yes|no' which controls 
sshd(8) behaviour; it is set to be 'Yes' by default. Disabling remote root 
login by setting PermitRootLogin=no would help to harden Fedora systems, 
moving it an inch closer towards a 'secure by default' future. Users can have 
non-root accounts with weak passwords too, yet disabling remote root login 
keeps an attacker a step away from getting full control of a system. There is 
another option of disabling user login via password and requiring usage of 
cryptographic keys for the same. But that could be a next step in future.

Please see -> https://lists.fedoraproject.org/pipermail/devel/2014-Nove... 

== Scope ==
* Proposal owners: to communicate with the Fedora maintainers of packages: 
Anaconda, OpenSSH, GNOME, etc.
* Other developers: packages like Anaconda, GNOME etc. need to update their 
workflow to enable compulsory non-root user account creation and ensure good 
password strength for it.
* Release engineering: installer needs to ensure creation of non-root user 
account with strong password. Similarly, all Fedora images must be created 
with a non-root user account.
* Policies and guidelines: unknown yet.
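An added example, not part of the announcement above and not Fedora or OpenSSH code: a small audit of sshd_config text for the PermitRootLogin setting the proposal discusses. It assumes the "yes" default the proposal states when the keyword is absent; the function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption: an absent keyword means "yes", as the proposal states for the
# sshd it describes. Confirm the live value on a host with `sshd -T`.
PAGE_DEFAULT = "yes"

# "Keyword value" and "Keyword=value" are both accepted; '#' lines are comments.
LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def effective_permit_root_login(config_text, default=PAGE_DEFAULT):
    """Return (global_value, [(match_criteria, value), ...])."""
    global_value, overrides, match = None, [], None
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                       # blank line or comment
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "match":              # following lines apply conditionally
            match = arg
        elif key == "permitrootlogin" and arg:
            value = arg.split()[0].strip('"').lower()
            if match is None:
                # sshd uses the first value obtained; later duplicates are ignored
                if global_value is None:
                    global_value = value
            elif not any(c == match for c, _ in overrides):
                overrides.append((match, value))
    return (global_value or default), overrides

def root_login_findings(config_text):
    """List every place where remote root login is not fully disabled."""
    value, overrides = effective_permit_root_login(config_text)
    findings = []
    if value != "no":
        findings.append(f"global PermitRootLogin is '{value}'")
    findings += [f"Match {c}: PermitRootLogin '{v}'"
                 for c, v in overrides if v != "no"]
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
Port 22
#PermitRootLogin no
permitrootlogin=without-password
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    print("\n".join(root_login_findings(SAMPLE)) or "root login disabled")
```

The sample shows two ways a file that contains `PermitRootLogin no` can still admit root: an earlier line takes precedence, and a Match block overrides the global value for some connections.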

