#23 sshd: prevent root login using password by default
Opened 5 months ago by lkocman. Modified 4 months ago

Original bug report from Factory
https://bugzilla.suse.com/show_bug.cgi?id=1187537

This issue is to investigate what the SLES and Leap default should be, and when we introduce the change. Please be aware that this is risky without proper integration testing with SUSE's layered products (SUMA/salt). Our openQA test suites also depend on password login for root (e.g. s390x testing).

The openSUSE openssh package recently dropped a patch to be in line with upstream regarding root's ability to log in using a password (i.e. denied).

The openssh change said:

  • Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
    as root via password by default (is also upstream default). Comment
    indicates that this was a temporary measure that we now had for
    five years, time to get rid of it (bsc#1173067)

If the installation is done over ssh (as is apparently done on all our s390 tests), we see the installation passing (e.g. installation-images had been adjusted to permit root login again), but after reboot, it is no longer possible to connect to the just installed system, as openssh denies logins for root.

A sample test run:
https://openqa.opensuse.org/tests/1797534#step/reconnect_mgmt_console/10
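
The behaviour change described above, as an added example that is not part of the original ticket or of any SUSE or OpenSSH code: a small parser that reports whether a given `sshd_config` text still permits root password login once the built-in default changes. The sample configs are constructed, and the assumption that the dropped patch made the built-in default `yes` is taken from the patch name only.

```python
import re

UPSTREAM_DEFAULT = "prohibit-password"  # OpenSSH built-in default when the keyword is unset
PATCHED_DEFAULT = "yes"  # assumption: effect of the dropped allow_root_password_login patch


def effective_global(config_text, keyword, default):
    """Return the first value set for `keyword` in the global section.

    sshd uses the first value it obtains for each keyword, so later
    duplicates are ignored. Match blocks and Include files are not evaluated.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        name = parts[0].lower()
        if name == "match":
            break  # everything after this is conditional, not global
        if name == keyword.lower() and len(parts) == 2:
            value = parts[1].split()
            if value:
                return value[0].strip('"').lower()
    return default


def root_password_login_permitted(config_text, builtin_default=UPSTREAM_DEFAULT):
    """True when PermitRootLogin resolves to 'yes'.

    Whether any password method is enabled at all is controlled by
    separate keywords that this check does not evaluate.
    """
    return effective_global(config_text, "PermitRootLogin", builtin_default) == "yes"


# Constructed sample configs
STOCK = "#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
EXPLICIT = "PermitRootLogin yes\n"
FIRST_WINS = "PermitRootLogin no\nPermitRootLogin yes\n"
MATCH_ONLY = "Match Address 192.0.2.0/24\n    PermitRootLogin yes\n"

if __name__ == "__main__":
    for label, cfg in [("stock", STOCK), ("explicit", EXPLICIT),
                       ("first-wins", FIRST_WINS), ("match-only", MATCH_ONLY)]:
        print(label, root_password_login_permitted(cfg))
```

A config that never sets the keyword flips from permitted to denied when the built-in default changes, which matches the post-reboot reconnect failure reported here; an explicit `PermitRootLogin yes` in the global section is unaffected.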


Metadata Update from @lkocman:
- Custom field SUSE Jira adjusted to https://jira.suse.com/browse/OPENSUSE-47
- Issue tagged with: SLE

5 months ago

Metadata Update from @Pharaoh_Atem:
- Custom field openSUSE Bugzilla adjusted to https://bugzilla.opensuse.org/show_bug.cgi?id=1187537

5 months ago

Fedora did this some time ago as well. The way this was resolved there was that Anaconda was extended to be able to optionally configure allowing root login via SSH, unchecked by default:

[Screenshot: fedora-34-anaconda-root-user-spoke.png]

YaST could be extended in a similar way so that openQA can continue to configure it while it remains disabled by default.

I left a note to engineering. Otherwise it seems that we won't change the default until the next major update. We'll set a milestone once we hear back from engineering.

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: Next

4 months ago

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: None (was: Next)

4 months ago

Metadata Update from @lkocman:
- Issue assigned to lkocman
- Issue set to the milestone: Next

4 months ago
