#23 sshd: prevent root login using password by default
Opened 2 years ago by lkocman. Modified 9 months ago

Original bug report from Factory
https://bugzilla.suse.com/show_bug.cgi?id=1187537

This issue is to investigate what the SLES and Leap default should be, and when we introduce the change. Please be aware that this is risky without proper integration testing with SUSE's layered products (SUMA/salt). Our openQA test suites also depend on password login for root (e.g. s390x testing).

The openSUSE openssh package recently dropped a patch to be in line with upstream regarding root's ability to log in using a password (i.e. denied).

The openssh change said:

  • Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
    as root via password by default (is also upstream default). Comment
    indicates that this was a temporary measure that we now had for
    five years, time to get rid of it (bsc#1173067)

If the installation is done over ssh (as is apparently done on all our s390 tests), we see the installation passing (e.g. installation-images had been adjusted to permit root login again), but after reboot, it is no longer possible to connect to the just installed system, as openssh denies logins for root.

A sample test run:
https://openqa.opensuse.org/tests/1797534#step/reconnect_mgmt_console/10


Metadata Update from @lkocman:
- Custom field SUSE Jira adjusted to https://jira.suse.com/browse/OPENSUSE-47
- Issue tagged with: SLE

2 years ago

Metadata Update from @Pharaoh_Atem:
- Custom field openSUSE Bugzilla adjusted to https://bugzilla.opensuse.org/show_bug.cgi?id=1187537

2 years ago

Fedora did this some time ago as well. The way this was resolved there was that Anaconda was extended to be able to optionally configure allowing root login via SSH, unchecked by default:

[Screenshot: fedora-34-anaconda-root-user-spoke.png]

YaST could be extended in a similar way so that openQA can continue to configure it while it is disabled by default.

I left a note to engineering. Otherwise it seems that we won't change the default until the next major update. We'll set the milestone once we hear back from engineering.

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: Next

2 years ago

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: None (was: Next)

2 years ago

Metadata Update from @lkocman:
- Issue assigned to lkocman
- Issue set to the milestone: Next

2 years ago

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: ALP (was: Next)

2 years ago

Metadata Update from @lkocman:
- Issue set to the milestone: 16.0 (was: ALP)

a year ago

Metadata Update from @lkocman:
- Custom field SUSE Jira - openSUSE adjusted to https://jira.suse.com/browse/PM-2745

a year ago

Metadata Update from @lkocman:
- Custom field SUSE Jira - SUSE Linux Enterprise adjusted to https://jira.suse.com/browse/PM-2745
- Custom field SUSE Jira - openSUSE adjusted to https://jira.suse.com/browse/OPENSUSE-47 (was: https://jira.suse.com/browse/PM-2745)

a year ago

Aiming for Leap 16.0 / ALP

Feature seems to be stuck, at least on the SLES 15 side.

Regarding ALP Micro we already have:
Current /usr/etc/*/sshd_config has
#PermitRootLogin prohibit-password

Metadata Update from @lkocman:
- Issue set to the milestone: ALP Micro 1.0 (was: 16.0)

9 months ago
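
An added example, not part of the ticket or of any SUSE tooling: a shell check that a post-install test could use to see which PermitRootLogin value applies, given that a commented-out line like the one quoted from /usr/etc leaves the built-in default in force. The file names are constructed, the drop-in is hypothetical, and Include lines and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the ticket. Reports the PermitRootLogin value sshd
# would take from the config files given, in the order given. sshd keeps the
# FIRST value it obtains for a keyword, so files read earlier win.
# Simplifications (assumptions): Include lines are not followed and anything
# after a Match line in a file is skipped.

BUILTIN_DEFAULT="prohibit-password"   # upstream OpenSSH built-in default

effective_permit_root_login() {
    [ "$#" -gt 0 ] || set -- /dev/null        # no files given: default only
    value=$(awk '
        FNR == 1 { in_match = 0 }             # new file: leave Match scope
        { sub(/^[ \t]+/, "") }                # strip leading whitespace
        /^#/ || /^$/ { next }                 # comment or blank: no effect
        { n = split($0, f, /[ \t=]+/); kw = tolower(f[1]) }
        kw == "match" { in_match = 1; next }
        kw == "permitrootlogin" && !in_match && n >= 2 { print tolower(f[2]); exit }
    ' "$@")
    case "$value" in
        "")               echo "$BUILTIN_DEFAULT" ;;   # nothing set: default
        without-password) echo "prohibit-password" ;;  # deprecated alias
        *)                echo "$value" ;;
    esac
}

# Exit status 0 only when root can authenticate with a password.
root_password_login_allowed() {
    [ "$(effective_permit_root_login "$@")" = "yes" ]
}

# Constructed sample files: a vendor config with the setting commented out,
# as quoted in the ticket, and a hypothetical test-only drop-in.
demo_dir=$(mktemp -d)
printf '#PermitRootLogin prohibit-password\n' > "$demo_dir/vendor_sshd_config"
printf 'PermitRootLogin yes\n' > "$demo_dir/50-test-root.conf"

echo "vendor only:  $(effective_permit_root_login "$demo_dir/vendor_sshd_config")"
echo "with drop-in: $(effective_permit_root_login "$demo_dir/50-test-root.conf" "$demo_dir/vendor_sshd_config")"
```

On a running system `sshd -T` prints the effective configuration and is the authoritative answer; a parser like this is for inspecting an installed image's files offline.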
