Add root password SSH login override checkbox (#1716282) #2042
I wasn't part of the discussions but I have a bad feeling about making the change by the environment variable for systemd unit. For me personally it would be a pain to find in the installed system how to disable the root logins afterward.
@jkonecny12, you can easily disable it by removing the config file generated by anaconda. The environment variable is just used to propagate additional options to the service.
It's not problem to disable the option but to find what is causing that I'm You would probably look into /etc/ssh/sshd_config. The other problem is that you will even miss the environment variable because that will be used only for the unit and not by the system so another way how to find what is happening is hidden. EDIT: Fix the incorrect statements.
Not able to login as a root using password is default in OpenSSH for quite some time and will be a default in Fedora 31. Manual page for sshd_config describes the semantics of
The files you mention are client configuration files and they do not have anything to do with this change.
Reiterating again, we could consider creating normal environment file (let's say
In the long term, we would indeed like to use sshd_config drop-in directory, but it is not possible at this moment, because there is no Include functionality (only the client config supports that).
What do you mean here by "not used by the system"?
@Jakuje thanks for your input. My main question was if this change was consulted by someone from SSH maintainers. As I know now it was.
My bad, I meant it the other way. When users later in the installed system want to disable root login again. I know that the ssh root login is disabled for some time, that is not a problem and if there is a release notes then I guess it should be fine for users to make it disabled again.
Oh my... of course I mean server configuration sshd_config. So there is no drop dir, I see.
For me personally, I would not expect configuration of that kind in the systemd unit. I think this should be part of the system configuration file not the unit. I think of a systemd unit that it should only start the service and set properties which are required to run the service in the given environment (distribution) but not the options how it should behave. However, maybe that is only my PoV.
This does not solve the problem I'm thinking of. It really makes it even worse because then we have another configuration file taken into account. Also, I'm not that convinced that we want to have anaconda specific configuration files in the system. The configuration should stay specific for the service. On the other hand if it will solve socket activation we may start talking about that. What do you recommend?
That would be an ideal solution. I'm looking forward to that feature :)
I meant that you won't see the environment variable when you type
Sorry for the mistakes in the previous comment. :(
Yes, I am OpenSSH maintainer in Fedora.
Yes, that is a trivial configuration change as any other configuration change that the user would do, preferably directly in
You are right. Modification of configuration files by scripts/applications is something that I am not a big fan of (even though some do that ... see ipa), because it causes issues on its own mostly much later during updates, because users tend to ignore
This would be instead of the service drop-in configuration and it would be really on one place. If the path is the issue, we could try something like
If we would go the systemd service drop-in file-way, we would need two to address also the socket activation, adding second file, which would mean more confusion and harder and more error-prone for user to remove later. The single environment file is probably best we can do.
#metoo since 2015
No problem. So to summarize, I think we should modify the PR to create a file
Then, OpenSSH service files will be modified to contain the following new line
which will load the file, if it is in place and apply the configuration on commandline. Does it make sense?
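An added example, not part of this PR or of the anaconda or OpenSSH code: because the override discussed above reaches sshd on its command line, reading `/etc/ssh/sshd_config` alone can give the wrong answer. The function below resolves the effective global `PermitRootLogin` from a config file plus the daemon's arguments; the function name and all sample values are constructed, and `Match` blocks are deliberately left out of scope.

```shell
#!/bin/sh
# effective_root_login CONFIG_FILE [sshd arguments...]
# Prints the global PermitRootLogin value sshd would use.
# sshd keeps the first value it obtains for a keyword, and command-line
# "-o" options are applied before the configuration file is read.
effective_root_login() {
    cfg=$1; shift
    {
        # Emit each -o option as a config line, ahead of the file contents.
        while [ $# -gt 0 ]; do
            case $1 in
                -o)   if [ $# -ge 2 ]; then printf '%s\n' "$2"; shift; fi ;;
                -o?*) printf '%s\n' "${1#-o}" ;;
            esac
            shift
        done
        cat "$cfg"
    } | awk '
        {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            if ($0 == "" || $0 ~ /^#/) next
            # Accept both "Keyword value" and "Keyword=value".
            n = match($0, /[ \t=]+/)
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))
            val = tolower(substr($0, n + RLENGTH))
            if (key == "match") exit      # conditional blocks: out of scope
            if (key == "permitrootlogin") { print val; found = 1; exit }
        }
        # Upstream default when nothing sets the keyword.
        END { if (!found) print "prohibit-password" }
    '
}

# Constructed sample: the file says "no", the daemon arguments say "yes".
sample_cfg=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'PermitRootLogin no' > "$sample_cfg"
effective_root_login "$sample_cfg" -D -oPermitRootLogin=yes
effective_root_login "$sample_cfg" -D
rm -f "$sample_cfg"
```

On an installed system the arguments to pass are the ones the running daemon was actually started with, since that is where an option injected through the unit's environment ends up.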
Sounds good to me and thanks for all the explanation. And I agree that users are ignoring the
The next steps will be:
I will change the systemd unit later today.
@jkonecny12 fixed in https://src.fedoraproject.org/rpms/openssh/c/358f62be and rawhide build is on the way.
Hi. I was also on vacation last week so no problem for me so far. But since we are getting closer to the change completion deadline, I would like to see progress next week.
175e45d to a2c2b0b
OpenSSH, which provides the SSH server Fedora uses already for some time disallowed password based root logins. Fedora used to patch this out so far, but this patch has been recently dropped, restoring the upstream behavior.

This change does not affect key based SSH logins and it will continue to be possible to login as root with key based authentication.

To make the transition easier for users who might have valid use cases for logging in as root with password over SSH we will add a checkbox to the root password spoke. This checkbox makes it possible to manually enable password based SSH logins for the root account.

Resolves: rhbz#1716282
a2c2b0b to 1302809
Updated.
Thank you. Looks good to me as I went through the relevant changes.
Looks good to me.