On 10/06/2016 04:02 AM, Jakub Jelen wrote:
On 10/03/2016 04:57 PM, Chris Murphy wrote:
Hi,
I'm noticing even with cockpit-0.117 in Fedora 24 Server, that it supports ssh key assignment for users. Since it's possible to log in to cockpit out of the box, and set up ssh keys via the web interface, is it now practical to set these by default in the F26/F27 time frame? And if not, what additional work needs to be done?

Disable root logins with ssh
  /etc/ssh/sshd_config
  PermitRootLogin no

Disable root entirely (sudo -i still works)
  usermod -p '!' root

Disable password login with ssh (key only)
  /etc/ssh/sshd_config
  PasswordAuthentication no

In my case I use all three as pretty much the first step for a new Fedora 24 Server installation.
We have had the RFE [1] to disable root login in OpenSSH for years (namely 13). Upstream already did that and set the default to "prohibit-password", which is quite a sane default; if you are able to set up the public keys in the installer or create some sudo-user, you are good.
From the comments, it looks like expected deployments are still quite dependent on allowed root login by default (Ansible, even remote cockpit ...). The change was again requested a few years ago [2], but didn't make it through the FESCO (rejected by Server SIG) [3].
The problem is not so much that specifically "root" must be enabled as that "a remote user login capable of administrative privileges must be present", which in the majority of real-world deployments is functionally equivalent to root.
We haven't come up with a way that disabling remote root login isn't a huge burden on bootstrapping a new deployment.
From my point of view, this is the way we should go, but it needs to be organized across all the dependent consumers that rely on the root account enabled in SSH. Before doing that, we need to find some alternative way to do things there.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=89216
[2] https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
[3] https://fedorahosted.org/fesco/ticket/1386
Regards,