Developers Start Debating Whether To Block Password-Based Root SSH Logins For Fedora 31
While upstream OpenSSH has disabled password logins for the root user in its default configuration for the past several years, and that default has carried over into the out-of-the-box behavior of many operating systems, Fedora continues to allow password-based SSH root log-ins by default. With the next Fedora release, they are thinking about changing that default behavior.
This would give Fedora better security out-of-the-box, particularly on servers, where OpenSSH tends to be running. The behavior can still be toggled with the "PermitRootLogin" directive in the sshd configuration.
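As an added example (not code from the article or from the Fedora proposal), a POSIX shell check that reports the effective PermitRootLogin value of an sshd_config file, so an administrator can see which of the two defaults a host actually has. It assumes upstream's behavior that the first occurrence of a directive wins, that keywords are case-insensitive, and that an absent directive means the upstream default of "prohibit-password"; Include and Match-block overrides are not handled.

```shell
#!/bin/sh
# Added example (not from the article or the Fedora proposal).
# sshd honours the first occurrence of a directive and ignores later ones,
# keywords are case-insensitive, and when PermitRootLogin is absent the
# upstream OpenSSH default is "prohibit-password". Assumption: the file has
# no Include directives and any Match blocks do not override the setting.

effective_permit_root_login() {
    # $1: path to an sshd_config file; prints the effective value
    value=$(awk '
        /^[[:space:]]*#/            { next }                    # skip comments
        tolower($1) == "match"      { exit }                    # stop at first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); exit }  # first occurrence wins
    ' "$1")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'prohibit-password\n'
    fi
}

# Only "yes" admits password-based root logins; "prohibit-password" (and its
# older spelling "without-password"), "forced-commands-only" and "no" do not.
# Returns 0 if the file allows password-based root login, 1 otherwise.
root_password_login_allowed() {
    [ "$(effective_permit_root_login "$1")" = "yes" ]
}

# Constructed sample configs for demonstration (not real system files).
tmpdir=$(mktemp -d)
printf '# permissive default\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmpdir/permissive.conf"
printf 'PermitRootLogin prohibit-password\nPermitRootLogin yes\n' > "$tmpdir/first-wins.conf"
printf 'PasswordAuthentication yes\n' > "$tmpdir/absent.conf"

for f in "$tmpdir"/*.conf; do
    printf '%s: PermitRootLogin=%s\n' "$(basename "$f")" "$(effective_permit_root_login "$f")"
done
```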
The plan for disabling the password-based SSH root log-ins by default for Fedora 31 was published this week on the Fedora mailing list.
This system-wide change proposal is now being debated on the Fedora devel list. So far no one is outright opposed to the change in default behavior, but making it would require better educating users who up to now may be doing headless server installs and expecting password-based root SSH log-in to work after installation. This change may lead to Fedora installer improvements: ensuring a user who is part of the wheel group is created at install-time, ensuring Cockpit is installed to offer password-based web access to the server for initial configuration, or adding the ability for the Fedora Anaconda installer to import a public SSH key for the root user from a URL.
This topic is still being considered and ultimately needs to be voted on by the Fedora Engineering and Steering Committee, but it looks quite likely that the Fedora 31 release this autumn will forbid password-based SSH root log-ins by default.