Fedora 22 Might Disable Root Remote Logins By Default

Written by Michael Larabel in Fedora on 8 January 2015 at 04:49 PM EST. 10 Comments
In the name of security, it's been proposed for Fedora 22 to disabler remote log-ins in the SSH daemon by default.

Right now Fedora allows for SSH log-ins as root, which is the default behavior as currently shipped by sshd. However, for Fedora 22 there is a proposal that the packaged sshd will default the option of PermitRootLogin to no so that root log-ins wouldn't be permitted into Fedora SSH servers. This change is being proposed to try to avoid brute-force attacks against root passwords of Fedora servers.

The developers behind this change proposal justify it as, "This provides remote attackers an option to brute force their way into a system. Empirically it is observed that many users use their systems via 'root' login, without creating non-root user and often have weak passwords for this mighty account...Disabling remote root login by setting PermitRootLogin=no would help to harden Fedora systems, moving it an inch closer towards 'secure by default' future. Users can have non-root accounts with weak passwords too, yet disabling remote root login keeps an attacker a step away from getting full control on a system. There is another option of disabling user login via password and require usage of cryptographic keys for the same. But that could a next step in future."

This increased security by default is outlined via this Fedora Wiki feature page.

This proposed Fedora 22 change has yet to be evaluated by the Fedora Engineering and Steering Committee. However, there's already Fedora users and developers opposed to this default behavior change. Via this Fedora devel thread is where criticism to the proposal is building. Stakeholders argue that the change really wouldn't yield better security, normal users can still be easily brute-forced and then from there root access achieved, and that using Fedora SSH key-pairs rather than passwords should be the pursuit. The other option would be to only allow SSH root log-ins when a SSH key is used rather than a password.

We'll see how the discussion ends and what FESCo decides in a forthcoming meeting. Per the latest meeting, the Fedora 22 change deadline is later this month with hopes of shipping Fedora 22 in mid-May.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week