Fedora 22 Might Disable Root Remote Logins By Default


  • Fedora 22 Might Disable Root Remote Logins By Default

    Phoronix: Fedora 22 Might Disable Root Remote Logins By Default

    In the name of security, it's been proposed for Fedora 22 to disable remote log-ins in the SSH daemon by default...


  • #2
    It should be, anyway. haha.



    • #3
      Wait, they're only doing this now? This has been the default at every company I've worked for since the 90's, and it's the way I run all of my home servers, too. There is very little reason for direct root logins, via ssh or otherwise.

      I'm surprised there's been push-back on this. They're not disabling root logins on SSH permanently, just removing it from the default install. Anybody who is concerned about logging into a Linux server as root via ssh should not have a problem editing sshd_config and changing the PermitRootLogin parameter.

      I'm not a Fedora person, so I didn't know about this until I read this article, but I really am having difficulty believing that Fedora has allowed this up until now.



      • #4
        This reminds me of Windows XP admin by default accounts.

        Originally posted by signals
        Wait, they're only doing this now? This has been the default at every company I've worked for since the 90's, and it's the way I run all of my home servers, too. There is very little reason for direct root logins, via ssh or otherwise.

        I'm surprised there's been push-back on this. They're not disabling root logins on SSH permanently, just removing it from the default install. Anybody who is concerned about logging into a Linux server as root via ssh should not have a problem editing sshd_config and changing the PermitRootLogin parameter.

        I'm not a Fedora person, so I didn't know about this until I read this article, but I really am having difficulty believing that Fedora has allowed this up until now.
        Using root by default was the single biggest security hole in a typical Windows XP install, to the delight of bot-herders and other attackers everywhere. The fact that XP by default made one account only with full admin privileges (effectively a root account) meant users were running their browsers as root, and effectively nullified the switch to a permission-supporting filesystem. Now I hear Fedora servers administered remotely have the exact same situation today? The user account should be made first at setup, and the root account second, with root never appearing as the default login. To log in as root should require an intentional decision to do so, though of course that decision must be possible or people lose the ability to control their own systems.



        • #5
          Very
          Originally posted by signals
          Wait, they're only doing this now? This has been the default at every company I've worked for since the 90's, and it's the way I run all of my home servers, too. There is very little reason for direct root logins, via ssh or otherwise.

          I'm surprised there's been push-back on this. They're not disabling root logins on SSH permanently, just removing it from the default install. Anybody who is concerned about logging into a Linux server as root via ssh should not have a problem editing sshd_config and changing the PermitRootLogin parameter.

          I'm not a Fedora person, so I didn't know about this until I read this article, but I really am having difficulty believing that Fedora has allowed this up until now.
          If you're surprised by this consider that this is the same distro that wants to disable the firewall (and have already removed the firewall GUI) because it's too confusing for developers. To be clear they have in mind closing off most of the ports below 1024 but leave the rest open.
          Last edited by liam; 08 January 2015, 09:18 PM.



          • #6
            Originally posted by liam
            Very

            If you're surprised by this consider that this is the same distro that wants to disable the firewall (and have already removed the firewall GUI) because it's too confusing for developers. To be clear they have in mind closing off most of the ports below 1024 but leave the rest open.
            That's conflating unrelated issues and in any case, only applies to the Fedora Workstation product.

            In the case of ssh, major distributions have always permitted root login by default because a number of systems do need it and it is not possible to universally disable it. Ex: there are systems without ANY local users whatsoever and disabling root user would lock out the system from remote access.



            • #7
              Originally posted by RahulSundaram
              That's conflating unrelated issues and in any case, only applies to the Fedora Workstation product.

              In the case of ssh, major distributions have always permitted root login by default because a number of systems do need it and it is not possible to universally disable it. Ex: there are systems without ANY local users whatsoever and disabling root user would lock out the system from remote access.
              Debian ships with root ssh on for wheezy, but off for Jessie.



              • #8
                So how do you install Fedora on remote, headless machines? On my gentoo installs, I'm pretty glad I have remote root login until I'm far enough with the setup that I can add user accounts, install and configure su/sudo and check whether I forgot to add the users to 'wheel' before I disable root login via ssh. I don't really want to reinstall from scratch if the connection drops before I finished all that.

                And for those people that use '12345' on their luggage, this change won't make their systems more secure, it'll break them.



                • #9
                  Originally posted by rohcQaH
                  So how do you install Fedora on remote, headless machines? On my gentoo installs, I'm pretty glad I have remote root login until I'm far enough with the setup that I can add user accounts, install and configure su/sudo and check whether I forgot to add the users to 'wheel' before I disable root login via ssh. I don't really want to reinstall from scratch if the connection drops before I finished all that.
                  This is answered in the proposal. Unless you add another user, root won't be disabled.

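The lockout concern raised in posts #6, #8 and #9 can be checked before PermitRootLogin is changed in sshd_config. The script below is an added example, not part of the thread or of the Fedora proposal; its function names and sample files are constructed for illustration, and it assumes admin rights are granted through the wheel group.

```shell
#!/bin/sh
# Lockout pre-check before setting "PermitRootLogin no" (added example).

# Print the global PermitRootLogin value. sshd uses the first value it reads
# for a keyword; lines after the first "Match" are conditional and skipped.
# Include directives are not followed. Prints "unset" if the keyword is absent.
effective_permit_root_login() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# List non-root members of wheel that have a usable login shell.
# $1 = group file, $2 = passwd file. Primary-group membership is not checked.
wheel_login_users() {
    members=$(awk -F: '$1 == "wheel" { gsub(/,/, " ", $4); print $4 }' "$1")
    for u in $members; do
        [ "$u" = root ] && continue
        awk -F: -v u="$u" '$1 == u && $7 !~ /(nologin|false)$/ { print $1 }' "$2"
    done
}

# $1 = sshd_config, $2 = group file, $3 = passwd file
root_login_advice() {
    if [ "$(effective_permit_root_login "$1")" = no ]; then
        echo already-disabled
    elif [ -n "$(wheel_login_users "$2" "$3")" ]; then
        echo safe-to-disable
    else
        echo keep-root      # no other admin: disabling root would lock you out
    fi
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' 'PermitRootLogin no' \
    'Match Address 10.0.0.0/8' '    PermitRootLogin no' > "$demo/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1000:1000::/home/alice:/bin/bash' \
    'svc:x:990:990::/var/empty:/sbin/nologin' > "$demo/passwd"
printf '%s\n' 'wheel:x:10:root,svc' > "$demo/group_fresh"
printf '%s\n' 'wheel:x:10:root,svc,alice' > "$demo/group_ready"

root_login_advice "$demo/sshd_config" "$demo/group_fresh" "$demo/passwd"
root_login_advice "$demo/sshd_config" "$demo/group_ready" "$demo/passwd"
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, which also covers files pulled in by Include.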


                  • #10
                    Originally posted by liam
                    Very

                    If you're surprised by this consider that this is the same distro that wants to disable the firewall (and have already removed the firewall GUI) because it's too confusing for developers. To be clear they have in mind closing off most of the ports below 1024 but leave the rest open.
                    yes, they want to disable it. on Workstation. i can't remember when i last saw WS computer hooked up directly to internet.

