Issue #23: sshd: prevent root login using password by default - features

leap / features

#23 sshd: prevent root login using password by default

Opened 2 years ago by lkocman. Modified 3 months ago

Original bug report from Factory
https://bugzilla.suse.com/show_bug.cgi?id=1187537

This issue is to investivate what should be SLES and Leap default, and when do we introduce the change. Please be aware that this is risky without proper integration testing with SUSE's layered products (SUMA/salt). Our openQA test suites also depend on password login for root (e.g. s390x testing).

the openSUSE openssh package recently dropped a patch to be in line with upstream regarding root's ability to login using password (i.e. denied)

the openssh change said:

Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
as root via password by default (is also upstream default). Comment
indicates that this was a temporary meassure that we now had for
five years, time to get rid of it (bsc#1173067)

If the installation is done over ssh (as is apparently done on all our s390 tests), we see the installation passing (e.g. installation-images had been adjusted to permit root login again), but after reboot, it is no longer possible to connect to the just installed system, as openssh denies logins for root

A sample test run:
https://openqa.opensuse.org/tests/1797534#step/reconnect_mgmt_console/10

Metadata Update from @lkocman:
- Custom field SUSE Jira adjusted to https://jira.suse.com/browse/OPENSUSE-47
- Issue tagged with: SLE

2 years ago

Metadata Update from @Pharaoh_Atem:
- Custom field openSUSE Bugzilla adjusted to https://bugzilla.opensuse.org/show_bug.cgi?id=1187537

2 years ago

Pharaoh_Atem commented 2 years ago

Fedora did this some time ago as well. The way this was resolved there was that Anaconda was extended to be able to optionally configure allowing root login via SSH, unchecked by default:

YaST could be extended in a similar way so that OpenQA can continue to configure it while it being disabled by default.

lkocman commented 2 years ago

I left a note to engineering. Otherwise it seems that we won't change default until next major update. We'll set milestone once we hear back from engineering.

Edited 2 years ago by lkocman

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: Next

2 years ago

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: None (was: Next)

2 years ago

Metadata Update from @lkocman:
- Issue assigned to lkocman
- Issue set to the milestone: Next

2 years ago

Metadata Update from @Pharaoh_Atem:
- Issue set to the milestone: ALP (was: Next)

a year ago

Metadata Update from @lkocman:
- Issue set to the milestone: 16.0 (was: ALP)

4 months ago

Metadata Update from @lkocman:
- Custom field SUSE Jira - openSUSE adjusted to https://jira.suse.com/browse/PM-2745

3 months ago

Metadata Update from @lkocman:
- Custom field SUSE Jira - SUSE Linux Enterprise adjusted to https://jira.suse.com/browse/PM-2745
- Custom field SUSE Jira - openSUSE adjusted to https://jira.suse.com/browse/OPENSUSE-47 (was: https://jira.suse.com/browse/PM-2745)

3 months ago

lkocman commented 3 months ago

Aiming for Leap 16.0 / ALP

Metadata

Assignee

lkocman

Tags

Blocking

None

Depending on

None

Milestone

16.0

openSUSE Bugzilla

https://bugzilla.opensuse.org/show_bug.cgi?id=1187537

SUSE Jira - openSUSE

https://jira.suse.com/browse/OPENSUSE-47

SUSE Jira - SUSE Linux Enterprise

https://jira.suse.com/browse/PM-2745

Attachments 1

fedora-34-anaconda-root-user-spoke.png

Attached 2 years ago View Comment

leap / features

Source Code

#23 sshd: prevent root login using password by default Opened 2 years ago by lkocman. Modified 3 months ago

Close issue as:

Metadata

SLE

Attachments 1

#23 sshd: prevent root login using password by default

Opened 2 years ago by lkocman. Modified 3 months ago