Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-03 Thread Ben Cotton
On Mon, May 3, 2021 at 1:12 PM Martin Kolman  wrote:
>
> Good point & we got quite a few reactions for both keeping and removing
> the option, so I'll create an official Fedora Change proposal.
>
Thanks! Feel free to reach out via email or IRC/Matrix if you have any
questions.

> I guess this can be considered a self-contained change, not a system-
> wide one, right ?
>
Yes, I would call this a self-contained change.

-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-03 Thread Martin Kolman
> On Thu, Apr 29, 2021 at 4:17 PM Martin Kolman
> I agree with this change, however it's the sort of thing that should
> go through Fedora's Changes process:
>
> https://docs.fedoraproject.org/en-US/program_management/changes_policy/
> 
> This gives it increased visibility within the Fedora contributor
> community and with users.
> 
> 
> Thanks,
> BC
Good point & we got quite a few reactions for both keeping and removing
the option, so I'll create an official Fedora Change proposal. 

I guess this can be considered a self-contained change, not a system-
wide one, right ?


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-03 Thread Neal Gompa
On Mon, May 3, 2021 at 11:14 AM Martin Kolman  wrote:
>
> On Sat, 2021-05-01 at 23:23 +, patra...@gmail.com wrote:
> > > On 4/30/21 10:23 AM, Richard W.M. Jones wrote:
> > >
> > > +1
> > >
> > > in addition to, e.g., an _initial_ setup on a remote/headless box at
> > > a VPS.
> >
> > Ubuntu Server installer handles this in a very nice way by allowing to
> > import SSH keys from a GitHub account given a username, i.e. via an URL
> > like this: https://github.com/patrakov.keys . Maybe it's a good idea to
> > implement the same feature in Anaconda?
> Sounds like a good idea - we would certainly accept PRs[0] adding
> support for this to Anaconda in a robust manner. :)
>
> BTW, it seems to me that many developers also use GitLab and many
> Fedora projects use Pagure as well. Maybe it would make sense to
> support those as well, provided they have a suitable API available of
> course.
>

We don't have an API for this yet in Pagure, but that's only because
nobody has asked for it. Contributions are welcome to add an API route
to fetch public keys for users. :)



-- 
真実はいつも一つ!/ Always, there's only one truth!


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-03 Thread Martin Kolman
On Sat, 2021-05-01 at 14:14 +, Wolfgang Ulbrich wrote:
> Yes, why not adding an option to anaconda to create a personal ssh
> key?
> Same like amazon cloud does.
> Eg. when you create a el8 server in AWS, AWS gives you an option to
> create a ssh key before you finish the setup of this machine.
> With that key you can later login to the root account of your AWS
> server machine.
So if I understand it correctly:
- it creates a key pair 
- makes the provisioned machine trust the public key part of the pair
- you transfer the private key to your machine and use it to talk to
that one machine only

Sounds like an interesting idea, although in the non-cloud environment
I think the best thing the installer could do is to create the key pair
and add the public key to trusted keys. User would then have to do the
rest (transfer the private key in a safe manner to his machine).

Yet again, patches welcome, as I'm afraid it's unlikely we would get to
implementing something like this any time soon.



Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-03 Thread Martin Kolman
On Fri, 2021-04-30 at 15:33 -0400, DJ Delorie wrote:
> 
> I normally would complain about taking options away from users, but
> as I
> typically use ssh for root *anyway*, I felt this wasn't appropriate
> (although I have a friend who never uses ssh keys, always
> password-over-ssh).
> 
> I would, however, ask that the config file have a commented out
> option
> that re-enables it, with a suitable text comment clearly saying
> "uncomment this to allow root passwords over ssh".
You are talking about the SSH daemon config file, right ? 

Sounds like a good idea to me, independent of the end result of this
Anaconda related discussion so I suggest opening a RFE bug on the SSH
daemon with this suggestion or even outright sending patches for the
default config file. :)

> 
> Perhaps that comment might be a good place to mention ssh-copy-id ?
> 
> Such comments make the "best practices" much more discoverable
> without
> frustrating users who just want to make things work.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-03 Thread Martin Kolman
On Sat, 2021-05-01 at 08:32 +0200, Peter Boy wrote:
> 
> 
> > Am 29.04.2021 um 22:09 schrieb Martin Kolman :
> > 
> > Hi!
> > At the moment the Anaconda installer used by Fedora contains an
> > option
> > called "Allow SSH root login with password" on the root password
> > configuration screen.
> > ...
> > Note that the checkbox is not ticked by default, the user needs to
> > make
> > a conscious choice to allow this security problematic SSH login
> > behavior.
> > ...
> > good time to finally drop the "Allow SSH root login with password"
> > from
> > the Anaconda GUI.
> 
> I greatly appreciate Fedora's emphasis on establishing the most secure
> system possible by default. It was one of my reasons to choose Fedora,
> years ago.
> 
> But what makes the Anaconda team think that the system administrator
> could activate the option for no good reason, just for fun,
> recklessness or the joy of 'adventure'? 
> 
> I don't mean to be unkind, but in my view you are about to patronize
> the system administrator in a kind of missionary overzealousness. But
> reading Fedora vision, Fedora is about Freedom, another good reason to
> decide for it.
Actually, it's the other way around - we believe in the administrator
being a professional who can easily add an override via a kickstart if
really needed, such as one described here:

https://anaconda-installer.readthedocs.io/en/latest/common-bugs.html#enabling-root-password-ssh-login-via-password

> 
> > If you are aware of some critical Fedora/Fedora spin usecase that
> > depends on users regularly ticking this option, please let us know!
> 
> No system administrator will 'regularly' tick that option! That is
> an unrealistic assumption. It is reserved for special exceptions
> (that's why it is off by default). Others have already described such
> cases. 
> 
> At the very least, I am in favor of leaving the option in the Server
> Edition as it is.
The option is currently not parametric in any way, but we do have per
product/variant configuration files that encode differences from the
Fedora baseline, such as the XFS based default partitioning for the
Fedora Server variant:

https://github.com/rhinstaller/anaconda/blob/master/data/product.d/fedora-server.conf#L14

So if consensus is reached for keeping the option available on Fedora
Server variant only (ideally ACKed by the Fedora Server SIG) it would
be possible to show the option only in the Fedora Server installer
variant, at the cost of some added code complexity.

>   


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-03 Thread Martin Kolman
On Sat, 2021-05-01 at 23:23 +, patra...@gmail.com wrote:
> > On 4/30/21 10:23 AM, Richard W.M. Jones wrote:
> > 
> > +1
> > 
> > in addition to, e.g., an _initial_ setup on a remote/headless box at
> > a VPS.
> 
> Ubuntu Server installer handles this in a very nice way by allowing to
> import SSH keys from a GitHub account given a username, i.e. via an URL
> like this: https://github.com/patrakov.keys . Maybe it's a good idea to
> implement the same feature in Anaconda?
Sounds like a good idea - we would certainly accept PRs[0] adding
support for this to Anaconda in a robust manner. :)

BTW, it seems to me that many developers also use GitLab and many
Fedora projects use Pagure as well. Maybe it would make sense to
support those as well, provided they have a suitable API available of
course.

[0] https://github.com/rhinstaller/anaconda
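
Added example, not part of the thread and not Anaconda or Ubuntu code: one way an installer could vet the body returned by a `https://github.com/<user>.keys` URL before writing anything to `authorized_keys`. The allowed key types, RSA size floor, key cap, username pattern, `exampleuser` and the sample keys are all assumptions or constructed values; nothing is fetched from the network.

```python
import base64
import binascii
import re
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}  # assumed installer policy
MIN_RSA_BITS = 2048                         # assumed installer policy
MAX_KEYS = 16                               # assumed cap per import
# Conservative account-name pattern (assumption): letters, digits, inner hyphens.
USERNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?")


def keys_url(username):
    """Build the URL form quoted in the thread, refusing anything but a plain name."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("unexpected characters in username")
    return f"https://github.com/{username}.keys"


def _field(blob, off):
    """Read one length-prefixed field of the SSH wire format."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (size,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + size
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def check_key_line(line):
    """Return (type, base64) for an acceptable public key line, else raise ValueError."""
    parts = line.split()
    # A line that starts with authorized_keys options (command=, from=, ...) fails here.
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("unsupported key type or leading options")
    ktype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("invalid base64") from None
    inner, off = _field(blob, 0)
    if inner != ktype.encode():
        raise ValueError("declared type does not match key blob")
    if ktype == "ssh-ed25519":
        key, off = _field(blob, off)
        if len(key) != 32:
            raise ValueError("bad ed25519 key length")
    else:  # ssh-rsa: public exponent, then modulus
        _exp, off = _field(blob, off)
        modulus, off = _field(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is only {bits} bits")
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return ktype, b64


def filter_keys(body, username):
    """Split a fetched .keys body into authorized_keys lines and (line, reason) rejects."""
    keys_url(username)  # the name ends up in the comment field, so validate it too
    accepted, rejected = [], []
    for number, line in enumerate(body.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ktype, b64 = check_key_line(line)
            if len(accepted) >= MAX_KEYS:
                raise ValueError("too many keys")
        except ValueError as exc:
            rejected.append((number, str(exc)))
            continue
        # Re-emit type and blob only; the remote comment and any options are dropped.
        accepted.append(f"{ktype} {b64} imported:{username}")
    return accepted, rejected


def _b64(*fields):
    """Encode fields as a base64 SSH key blob (used only to build sample input)."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(raw).decode()


def demo():
    """Run the filter over a constructed response body (no network access)."""
    ed = _b64(b"ssh-ed25519", bytes(range(32)))                        # constructed key
    weak = _b64(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128)  # 1024-bit RSA
    body = "\n".join([
        f"ssh-ed25519 {ed}",
        f"ssh-rsa {weak}",
        f"ssh-rsa {ed}",
        f'command="/usr/bin/true" ssh-ed25519 {ed}',
        "ssh-ed25519 !!!!",
    ])
    return filter_keys(body, "exampleuser")


if __name__ == "__main__":
    ok, bad = demo()
    print("\n".join(ok))
    for number, reason in bad:
        print(f"line {number}: rejected ({reason})")
```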



Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread Chris Adams
Once upon a time, Nico Kadel-Garcia  said:
> Local root passwords can be set to expire. SSH keys are not nearly so
> easy to enforce expiration for, so there are some use cases. I've
> used it for VM's at home, because I may not have my private SSH keys
> on the other VM.

I think you can set expiration on SSH certificates.  For program-used
keys (like for Ansible), I tend to add "from=" to limit the use of a
key to specific connections.

-- 
Chris Adams 


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread Nico Kadel-Garcia
On Thu, Apr 29, 2021 at 4:11 PM Martin Kolman  wrote:
>
> Hi!
> At the moment the Anaconda installer used by Fedora contains an option
> called "Allow SSH root login with password" on the root password
> configuration screen.
>
> This is how it looks like at the moment, on latest Fedora Rawhide
> installer image:
>
> https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png

> If you are aware of some critical Fedora/Fedora spin usecase that
> depends on users regularly ticking this option, please let us know!

Local root passwords can be set to expire. SSH keys are not nearly so
easy to enforce expiration for, so there are some use cases. I've
used it for VM's at home, because I may not have my private SSH keys
on the other VM.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread PGNet Dev

On 5/1/21 8:02 PM, Chris Adams wrote:
> Once upon a time, PGNet Dev  said:
> > my $0.02
> >
> > leave the root via password option, but simply DISABLE it by default, rather
> > than REMOVING it.
>
> That's what is going to happen - the openssh-server package will follow
> upstream default (PermitRootLogin without-password), and Anaconda will
> drop the option of changing the sshd config.

Sry, I meant _leave_ the *option* in Anaconda, but just ensure it's toggled OFF 
by default ( if that's not what it already does).

But that's me.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread Chris Adams
Once upon a time, PGNet Dev  said:
> my $0.02
> 
> leave the root via password option, but simply DISABLE it by default, rather 
> than REMOVING it.

That's what is going to happen - the openssh-server package will follow
upstream default (PermitRootLogin without-password), and Anaconda will
drop the option of changing the sshd config.

-- 
Chris Adams 


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread PGNet Dev

On 5/1/21 7:23 PM, patra...@gmail.com wrote:
> > On 4/30/21 10:23 AM, Richard W.M. Jones wrote:
> >
> > +1
> >
> > in addition to, e.g., an _initial_ setup on a remote/headless box at a VPS.
>
> Ubuntu Server installer handles this in a very nice way by allowing to import
> SSH keys from a GitHub account given a username, i.e. via an URL like this:
> https://github.com/patrakov.keys . Maybe it's a good idea to implement the same
> feature in Anaconda?

this is all getting too complicated.

my $0.02

leave the root via password option, but simply DISABLE it by default, rather 
than REMOVING it.

let admins worry about SSH keys.

the 'rest' can be handled, as mentioned, with kickstart/ansible


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread Chris Adams
Once upon a time, patra...@gmail.com  said:
> Ubuntu Server installer handles this in a very nice way by allowing to import 
> SSH keys from a GitHub account given a username, i.e. via an URL like this: 
> https://github.com/patrakov.keys . Maybe it's a good idea to implement the 
> same feature in Anaconda?

I think dropping this is okay - Anaconda is an installer, and should do
only the bare minimum required to set up the OS.  The minimum for
authentication is either setting a root password and/or creating an
admin user and setting that password (or setting network
authentication).

There are multiple programs that offer network access, and only SSH gets
configured (minimally) by Anaconda, which really doesn't make a lot of
sense.  This is the upstream default, so I expect it's the case on lots
of other distributions/OSes.

Especially now that sshd is configured to use /etc/sshd_config.d/*.conf,
it's as easy as dropping a one-line file in there (no longer have to
edit the existing sshd_config).

If you're doing lots of installs (especially VMs), you probably should
be using kickstart mode installs, which support setting an SSH key as
well as post-install scripting (where you could tweak this).

-- 
Chris Adams 
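
Added example, not part of the thread and not Fedora or OpenSSH code: sshd uses the first value it reads for a keyword, so whether a one-line drop-in takes effect depends on where it sorts among the included files. This Python sketch resolves `PermitRootLogin` over a constructed `sshd_config` plus drop-ins; the file names and contents are made up, and treating a `Match` block as lasting to the end of its file is a simplifying assumption.

```python
import glob
import os
import shlex
import tempfile

DEFAULT = "prohibit-password"                        # upstream default when never set
ALIASES = {"without-password": "prohibit-password"}  # deprecated spelling, same meaning


def _walk(path, base_dir):
    """Yield (file, line, keyword, args, in_match) in the order sshd reads them."""
    in_match = False
    with open(path, encoding="utf-8") as fh:
        lines = fh.readlines()
    for lineno, raw in enumerate(lines, 1):
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        key, args = tokens[0], tokens[1:]
        if "=" in key:                               # "Keyword=value" spelling
            key, _, first = key.partition("=")
            args = ([first] if first else []) + args
        key = key.lower()
        if key == "match":
            in_match = True                          # assumed to last to end of file
        elif key == "include":
            for pattern in args:
                if not os.path.isabs(pattern):
                    pattern = os.path.join(base_dir, pattern)
                for inc in sorted(glob.glob(pattern)):   # lexical order
                    for item in _walk(inc, base_dir):
                        yield item[:4] + (item[4] or in_match,)
        else:
            yield (path, lineno, key, args, in_match)


def effective_root_login(main_config):
    """Resolve the global PermitRootLogin value and report what it shadows."""
    base = os.path.dirname(os.path.abspath(main_config))
    winner, shadowed, conditional = None, [], []
    for path, lineno, key, args, in_match in _walk(main_config, base):
        if key != "permitrootlogin" or not args:
            continue
        value = ALIASES.get(args[0].lower(), args[0].lower())
        where = f"{os.path.basename(path)}:{lineno}"
        if in_match:
            conditional.append((where, value))       # applies to some connections only
        elif winner is None:
            winner = (where, value)                  # first global value wins
        else:
            shadowed.append((where, value))          # read later, so ignored
    value = winner[1] if winner else DEFAULT
    return {
        "value": value,
        "source": winner[0] if winner else "built-in default",
        "password_allowed_for_root": value == "yes",
        "shadowed": shadowed,
        "conditional": conditional,
    }


def demo():
    """Constructed layout: an early drop-in shadows a later hardening attempt."""
    files = {
        "sshd_config": "Include sshd_config.d/*.conf\n"
                       "PermitRootLogin no\n"
                       "Match Address 192.0.2.0/24\n"
                       "    PermitRootLogin without-password\n",
        "sshd_config.d/10-lab.conf": "PermitRootLogin yes  # left over from testing\n",
        "sshd_config.d/50-hardening.conf": "PermitRootLogin prohibit-password\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sshd_config.d"))
        for name, text in files.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return effective_root_login(os.path.join(root, "sshd_config"))


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

On a live host, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check.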


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread patrakov
> On 4/30/21 10:23 AM, Richard W.M. Jones wrote:
> 
> +1
> 
> in addition to, e.g., an _initial_ setup on a remote/headless box at a VPS.

Ubuntu Server installer handles this in a very nice way by allowing to import 
SSH keys from a GitHub account given a username, i.e. via an URL like this: 
https://github.com/patrakov.keys . Maybe it's a good idea to implement the same 
feature in Anaconda?


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread Wolfgang Ulbrich
Yes, why not adding an option to anaconda to create a personal ssh key?
Same like amazon cloud does.
Eg. when you create a el8 server in AWS, AWS gives you an option to create a 
ssh key before you finish the setup of this machine.
With that key you can later login to the root account of your AWS server 
machine.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread Ralf Corsepius

On 4/30/21 3:21 PM, Richard W.M. Jones wrote:
> On Thu, Apr 29, 2021 at 10:09:12PM +0200, Martin Kolman wrote:
> > Now fast forward to today, it's 2021, any use cases that needed
> > password based root login via SSH had 2 more years to migrate while the
> > amount of password guessing attacks certainly didn't get any lower.
>
> Not everything is exposed to the internet.  Please leave the option,
> disabled by default and with a suitable warning if you like.

+1

Removing this option is not helpful in a LAN.

Ralf


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-05-01 Thread Peter Boy


> Am 29.04.2021 um 22:09 schrieb Martin Kolman :
> 
> Hi!
> At the moment the Anaconda installer used by Fedora contains an option
> called "Allow SSH root login with password" on the root password
> configuration screen.
> ...
> Note that the checkbox is not ticked by default, the user needs to make
> a conscious choice to allow this security problematic SSH login
> behavior.
> ...
> good time to finally drop the "Allow SSH root login with password" from
> the Anaconda GUI.

I greatly appreciate Fedora's emphasis on establishing the most secure system 
possible by default. It was one of my reasons to choose Fedora, years ago.

But what makes the Anaconda team think that the system administrator could 
activate the option for no good reason, just for fun, recklessness or the joy 
of 'adventure'? 

I don't mean to be unkind, but in my view you are about to patronize the system 
administrator in a kind of missionary overzealousness. But reading Fedora 
vision, Fedora is about Freedom, another good reason to decide for it.

> If you are aware of some critical Fedora/Fedora spin usecase that
> depends on users regularly ticking this option, please let us know! 

No system administrator will 'regularly' tick that option! That is an 
unrealistic assumption. It is reserved for special exceptions (that's why it is 
off by default). Others have already described such cases. 

At the very least, I am in favor of leaving the option in the Server Edition as 
it is.  


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread DJ Delorie

I normally would complain about taking options away from users, but as I
typically use ssh for root *anyway*, I felt this wasn't appropriate
(although I have a friend who never uses ssh keys, always
password-over-ssh).

I would, however, ask that the config file have a commented out option
that re-enables it, with a suitable text comment clearly saying
"uncomment this to allow root passwords over ssh".

Perhaps that comment might be a good place to mention ssh-copy-id ?

Such comments make the "best practices" much more discoverable without
frustrating users who just want to make things work.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Simo Sorce
On Fri, 2021-04-30 at 20:42 +0200, Martin Kolman wrote:
> On Fri, 2021-04-30 at 15:23 +0100, Richard W.M. Jones wrote:
> > On Fri, Apr 30, 2021 at 03:37:54PM +0200, Vitaly Zaitsev via devel
> > wrote:
> > > On 30.04.2021 15:21, Richard W.M. Jones wrote:
> > > > Not everything is exposed to the internet.  Please leave the
> > > > option,
> > > > disabled by default and with a suitable warning if you like.
> > > 
> > > Why are you still using passwords in 2021? SSH keys are much more
> > > secure and easier to use.
> > 
> > Because distributing SSH keys to temporary VMs is hard?  Not
> > everything is a long-lived machine connected to the internet.
> What about creating an admin user instead ? It's effectively the same
> amount of clicks - instead of setting a root password and checking the
> "Allow SSH root login with password" checkbox, create a regular user
> and check the "make this user an admin" checkbox.
> 
> Regular users, including users with admin (sudo/wheel) privileges, can
> of course still login with password via SSH just fine.

This is not useful to use things like rsync or scp/sftp to transfer
files maintaining permissions/attributes/etc.. for doing quick local
testing, development, or other ephemeral things this option is
reasonable and there is no need to remove it.

And also to run commands it is not great, if you end up using su/sudo
without password, then you just made a process more complicated without
adding much if any security.

> > Rich.
> > 
> > -- 
> > Richard Jones, Virtualization Group, Red Hat 
> > http://people.redhat.com/~rjones
> > Read my programming and virtualization blog: 
> > http://rwmj.wordpress.com
> > virt-top is 'top' for virtual machines.  Tiny program with many
> > powerful monitoring features, net stats, disk stats, logging, etc.
> > http://people.redhat.com/~rjones/virt-top

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc





Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Martin Kolman
On Fri, 2021-04-30 at 15:23 +0100, Richard W.M. Jones wrote:
> On Fri, Apr 30, 2021 at 03:37:54PM +0200, Vitaly Zaitsev via devel
> wrote:
> > On 30.04.2021 15:21, Richard W.M. Jones wrote:
> > > Not everything is exposed to the internet.  Please leave the
> > > option,
> > > disabled by default and with a suitable warning if you like.
> > 
> > Why are you still using passwords in 2021? SSH keys are much more
> > secure and easier to use.
> 
> Because distributing SSH keys to temporary VMs is hard?  Not
> everything is a long-lived machine connected to the internet.
What about creating an admin user instead ? It's effectively the same
amount of clicks - instead of setting a root password and checking the
"Allow SSH root login with password" checkbox, create a regular user
and check the "make this user an admin" checkbox.

Regular users, including users with admin (sudo/wheel) privileges, can
of course still login with password via SSH just fine.
> 
> Rich.
> 
> -- 
> Richard Jones, Virtualization Group, Red Hat 
> http://people.redhat.com/~rjones
> Read my programming and virtualization blog: 
> http://rwmj.wordpress.com
> virt-top is 'top' for virtual machines.  Tiny program with many
> powerful monitoring features, net stats, disk stats, logging, etc.
> http://people.redhat.com/~rjones/virt-top


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Gary Buhrmaster
On Fri, Apr 30, 2021 at 5:18 PM Vitaly Zaitsev via devel
 wrote:
>
> On 30.04.2021 16:23, Richard W.M. Jones wrote:
> > Because distributing SSH keys to temporary VMs is hard?
>
> Kickstart + Ansible will fix all these issues.

Or, perhaps, cloud-init, for those using that approach.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Vitaly Zaitsev via devel

On 30.04.2021 16:23, Richard W.M. Jones wrote:
> Because distributing SSH keys to temporary VMs is hard?

Kickstart + Ansible will fix all these issues.

--
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Sérgio Basto
On Thu, 2021-04-29 at 22:09 +0200, Martin Kolman wrote:
> Hi!
> At the moment the Anaconda installer used by Fedora contains an option
> called "Allow SSH root login with password" on the root password
> configuration screen.
> 
> This is what it looks like at the moment, on latest Fedora Rawhide
> installer image:
> 
> https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png
> 
> For some backstory - in 2015 the OpenSSH upstream decided to disable
> password based root logins by default. This was done for security
> reasons as an attacker needs to only guess password to gain access to
> the root account. For a user account the attacker needs to guess both
> the username and password and the user account may not even have admin
> privileges, making the remote password guessing attack both harder and
> less useful.
> 
> The Fedora OpenSSH package carried downstream patches to revert this
> upstream change up until summer 2019 when it was decided to restore the
> upstream behavior and drop the downstream patches as enough tools that
> required password based SSH login have been migrated to use either key
> authentication or user based login methods.
> 
> Now back to the "Allow SSH root login with password" checkbox in
> the installer GUI. :)
> 
> The option was added in 2019 when Fedora disabled password based root
> SSH login by default, as a temporary migration aid for users of the
> graphical installer. 
> 
> Note that the checkbox is not ticked by default, the user needs to make
> a conscious choice to allow this security problematic SSH login
> behavior.
> 
> Now fast forward to today, it's 2021, any use cases that needed
> password based root login via SSH had 2 more years to migrate while the
> amount of password guessing attacks certainly didn't get any lower.
> 
> For that reason we in the Anaconda development team feel like it's a
> good time to finally drop the "Allow SSH root login with password" from
> the Anaconda GUI.
> 
> If you are aware of some critical Fedora/Fedora spin usecase that
> depends on users regularly ticking this option, please let us know! 
> 
> If no such critical usecase is found, we will proceed with removing the
> option from the Anaconda GUI in a ~week from now in Rawhide.

Hi,
BTW, while I want or like this feature when we are in a devel lab
without internet, I think the approach was not the best (1), because
after enabling root login with password, it is not easy to disable it
again.
IMHO this feature should not create a new config file (CONFIG_PATH =
"etc/sysconfig/sshd-permitrootlogin") but use the default one,
/etc/sysconfig/sshd

(1)
https://github.com/rhinstaller/anaconda/pull/2042/files

> Best Wishes
> Martin Kolman & the Anaconda team

-- 
Sérgio M. B.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread PGNet Dev

On 4/30/21 10:23 AM, Richard W.M. Jones wrote:
> Because distributing SSH keys to temporary VMs is hard?  Not
> everything is a long-lived machine connected to the internet.

+1

in addition to, e.g., an _initial_ setup on a remote/headless box at a VPS.


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Richard W.M. Jones
On Fri, Apr 30, 2021 at 03:37:54PM +0200, Vitaly Zaitsev via devel wrote:
> On 30.04.2021 15:21, Richard W.M. Jones wrote:
> >Not everything is exposed to the internet.  Please leave the option,
> >disabled by default and with a suitable warning if you like.
> 
> Why are you still using passwords in 2021? SSH keys are much more
> secure and easier to use.

Because distributing SSH keys to temporary VMs is hard?  Not
everything is a long-lived machine connected to the internet.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Frédéric Pierret

Hi!

On 4/29/21 at 10:09 PM, Martin Kolman wrote:
> For that reason we in the Anaconda development team feel like it's a
> good time to finally drop the "Allow SSH root login with password" from
> the Anaconda GUI.

Yes!

I thought about it in the past when I originally submitted the "Lock root
account" modification. Dropping this very insecure feature exposed from the
installer is a very good idea.

Best regards,
Frédéric





Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Vitaly Zaitsev via devel

On 30.04.2021 15:21, Richard W.M. Jones wrote:
> Not everything is exposed to the internet.  Please leave the option,
> disabled by default and with a suitable warning if you like.

Why are you still using passwords in 2021? SSH keys are much more secure
and easier to use.


--
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Vitaly Zaitsev via devel

On 29.04.2021 22:09, Martin Kolman wrote:
> At the moment the Anaconda installer used by Fedora contains an option
> called "Allow SSH root login with password" on the root password
> configuration screen.

+1 for this change. Remote login as root with password is very insecure
and should be dropped.


--
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Richard W.M. Jones
On Thu, Apr 29, 2021 at 10:09:12PM +0200, Martin Kolman wrote:
> Now fast forward to today, it's 2021, any use cases that needed
> password based root login via SSH had 2 more years to migrate while the
> amount of password guessing attacks certainly didn't get any lower.

Not everything is exposed to the internet.  Please leave the option,
disabled by default and with a suitable warning if you like.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top


Re: Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-30 Thread Ben Cotton
On Thu, Apr 29, 2021 at 4:17 PM Martin Kolman  wrote:
>
> For that reason we in the Anaconda development team feel like it's a
> good time to finally drop the "Allow SSH root login with password" from
> the Anaconda GUI.
>
> If you are aware of some critical Fedora/Fedora spin usecase that
> depends on users regularly ticking this option, please let us know!
>
> If no such critical usecase is found, we will proceed with removing the
> option from the Anaconda GUI in a ~week from now in Rawhide.
>
I agree with this change, however it's the sort of thing that should
go through Fedora's Changes process:
https://docs.fedoraproject.org/en-US/program_management/changes_policy/

This gives it increased visibility within the Fedora contributor
community and with users.


Thanks,
BC

-- 
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis


Intention to dropping the the "Allow SSH root login with password" option from the installer GUI

2021-04-29 Thread Martin Kolman
Hi!
At the moment the Anaconda installer used by Fedora contains an option
called "Allow SSH root login with password" on the root password
configuration screen.

This is what it looks like at the moment, on latest Fedora Rawhide
installer image:

https://m4rtink.fedorapeople.org/screenshots/fedora/rawhide_f35/root_password_screen.png

For some backstory - in 2015 the OpenSSH upstream decided to disable
password based root logins by default. This was done for security
reasons as an attacker needs to only guess password to gain access to
the root account. For a user account the attacker needs to guess both
the username and password and the user account may not even have admin
privileges, making the remote password guessing attack both harder and
less useful.

The Fedora OpenSSH package carried downstream patches to revert this
upstream change up until summer 2019 when it was decided to restore the
upstream behavior and drop the downstream patches as enough tools that
required password based SSH login have been migrated to use either key
authentication or user based login methods.

Now back to the "Allow SSH root login with password" checkbox in
the installer GUI. :)

The option was added in 2019 when Fedora disabled password based root
SSH login by default, as a temporary migration aid for users of the
graphical installer. 

Note that the checkbox is not ticked by default, the user needs to make
a conscious choice to allow this security problematic SSH login
behavior.

Now fast forward to today, it's 2021, any use cases that needed
password based root login via SSH had 2 more years to migrate while the
amount of password guessing attacks certainly didn't get any lower.

For that reason we in the Anaconda development team feel like it's a
good time to finally drop the "Allow SSH root login with password" from
the Anaconda GUI.

If you are aware of some critical Fedora/Fedora spin usecase that
depends on users regularly ticking this option, please let us know! 

If no such critical usecase is found, we will proceed with removing the
option from the Anaconda GUI in a ~week from now in Rawhide.

Best Wishes
Martin Kolman & the Anaconda team
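
Added example (not part of the original post, and not Anaconda or OpenSSH code): a check of whether a given sshd configuration lets root log in with a password, which is the behavior the checkbox discussed above enables. It relies on documented sshd behavior (the first obtained value of a keyword wins, and command-line -o options override the file); the sample configuration is constructed, Include directives are not followed, and all function names are hypothetical.

```python
import re
import shlex

DEFAULT = "prohibit-password"  # OpenSSH default when PermitRootLogin is unset

# Constructed sample, not taken from a real host.
SAMPLE_CONFIG = """\
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

def _keyword_value(line):
    """Parse 'Keyword value' or 'Keyword=value'; None for blanks and comments."""
    m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)([^#]+)", line)
    return (m.group(1).lower(), m.group(2).strip().strip('"')) if m else None

def _cli_overrides(cli_options):
    """Collect the argument of every -o option on an sshd command line."""
    tokens, found, i = shlex.split(cli_options), [], 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens):
            i += 1
            found.append(tokens[i])
        elif tokens[i].startswith("-o") and len(tokens[i]) > 2:
            found.append(tokens[i][2:])
        i += 1
    return found

def audit_root_login(config_text, cli_options=""):
    """Return (global PermitRootLogin value, [(match criteria, value), ...])."""
    global_value, match_overrides, in_match = None, [], None
    # Command-line options are seen first, so they win over the file.
    lines = _cli_overrides(cli_options) + config_text.splitlines()
    for line in lines:
        parsed = _keyword_value(line)
        if parsed is None:
            continue
        key, value = parsed
        if key == "match":
            in_match = value  # everything after this line is conditional
        elif key == "permitrootlogin":
            if in_match is not None:
                match_overrides.append((in_match, value))
            elif global_value is None:  # first obtained value wins
                global_value = value
    return (global_value or DEFAULT), match_overrides

def root_password_login_allowed(config_text, cli_options=""):
    """True if root can use a password globally or under any Match block."""
    value, overrides = audit_root_login(config_text, cli_options)
    return value.lower() == "yes" or any(v.lower() == "yes" for _, v in overrides)
```

On a live host, `sshd -T` prints the effective values and remains the authoritative check; the parser above is for reviewing configuration text offline, for example from an image or a backup.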