Drop the "Allow SSH root login with password" option from the installer GUI
Since 2019 the Anaconda installer GUI has hosted an option called "Allow SSH root login with password", which made it possible to enable password based root logins over SSH on the installed system. This was always meant as a temporary option to help users transition to either key authentication or normal users with admin privileges. After a two-year transition period, it is now time to drop the option from the GUI.
- Name: Martin Kolman
- Email: firstname.lastname@example.org
- Targeted release: Fedora Linux 35
- Last updated: 2021-05-25
- FESCo issue: #2612
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
At the moment the Anaconda installer used by Fedora contains an option called "Allow SSH root login with password" on the root password configuration screen.
This is what it looks like at the moment, on the latest Fedora Rawhide installer image:
For some backstory: in 2015 the OpenSSH upstream decided to disable password based root logins by default. This was done for security reasons, as an attacker only needs to guess the password to gain access to the root account. For a user account the attacker needs to guess both the username and the password, and the user account might not even have admin privileges, making the remote password guessing attack both harder and less useful.
The Fedora OpenSSH package carried downstream patches to revert this upstream change up until summer 2019, when it was decided to restore the upstream behavior and drop the downstream patches, as enough tools that required password based SSH login had been migrated to use either key authentication or user based login methods.
Now back to the "Allow SSH root login with password" checkbox in the installer GUI. :)
The option was added in 2019 when Fedora disabled password based root SSH login by default, as a temporary migration aid for users of the graphical installer.
Note that the checkbox is not ticked by default; the user needs to make a conscious choice to allow this security-problematic SSH login behavior.
Now fast forward to today: it's 2021, and any use cases that needed password based root login via SSH have had 2 more years to migrate, while the number of password guessing attacks certainly didn't get any lower.
For that reason we in the Anaconda development team feel like it's a good time to finally drop the "Allow SSH root login with password" option from the Anaconda GUI.
- it has been suggested to keep the "Allow SSH root login with password" option available per Fedora variant (e.g. for Fedora Server, etc.) - this is doable at the cost of some code complexity and we can consider doing that if there is enough demand & confirmation the given SIG is OK with it
- it has been suggested that making it easier to import SSH keys from popular code hosting platforms (Pagure, GitHub, GitLab, etc.) could provide a nice alternative to the dropped option - this seems like a nice idea, but it's unclear if any Anaconda team members will have time to work on this before F35 release; on the other hand, (good) patches welcome! :)
- it has been suggested to create a plugin interface for adding additional trust provider sources. Such a plugin would provide the information required to build a hierarchical user interface (country/provider) of all plugins and, when selected and provided with the required details, the plugin would obtain a public key over the network with the given information (like person -serial/-number/-code) and grant root access with that key. Plugins should have HTTP and LDAP protocol APIs available.
Benefit to Fedora
This change makes the Fedora systems installed by Anaconda more secure against remote password guessing attacks targeting the root account, as it would no longer be possible to configure a system that allows root to log in via SSH with a password.
A smaller benefit is making the root password configuration screen less confusing by removing the "Allow SSH root login with password" option, together with the Anaconda code cleanup that comes from removing the code that sets up the override in sshd.
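To check whether an already installed system still carries such an sshd override, the following added example (not Anaconda or Fedora code) resolves the effective global `PermitRootLogin` value from configuration text. It relies on sshd keeping the first value it obtains for a keyword and expanding `Include` in place. The function names, the drop-in file name and the sample configuration are constructed for illustration, and `Include` patterns are matched with `fnmatch` as a simplification.

```python
import fnmatch

DEFAULT = "prohibit-password"  # upstream OpenSSH default; root may use keys only
MAIN = "/etc/ssh/sshd_config"

def root_login_lines(files, path=MAIN, depth=0):
    """Yield (value, source, conditional) for each PermitRootLogin line in the
    order sshd reads them. `files` maps an absolute path to its config text."""
    in_match = False  # simplification: Match scope is tracked per file
    for raw in files.get(path, "").splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            in_match = True  # later lines apply only to matching connections
        elif keyword == "include" and depth < 16:  # guard against include loops
            for pattern in args:
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    for value, src, cond in root_login_lines(files, inc, depth + 1):
                        yield value, src, cond or in_match
        elif keyword == "permitrootlogin" and args:
            yield args[0].lower(), path, in_match

def audit(files):
    """Return (global value, where it came from, files that set a Match-scoped
    'PermitRootLogin yes')."""
    effective, source, conditional = DEFAULT, "built-in default", []
    for value, src, cond in root_login_lines(files):
        if cond:
            if value == "yes":
                conditional.append(src)
        elif source == "built-in default":  # sshd keeps the first value it obtains
            effective, source = value, src
    return effective, source, conditional

# Constructed sample: a drop-in that enables root password login, plus a later
# "PermitRootLogin no" in the main file that never takes effect.
SAMPLE = {
    MAIN: "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n",
    "/etc/ssh/sshd_config.d/01-example.conf": "PermitRootLogin yes\n",
}

if __name__ == "__main__":
    value, source, conditional = audit(SAMPLE)
    print(f"PermitRootLogin {value} (from {source}); Match-scoped yes in: {conditional}")
```

On a live system, `sshd -T` prints the configuration sshd actually resolves and remains the authoritative check.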
- Proposal owners:
Remove the "Allow SSH root login with password" and any related backend code that configures the sshd override.
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
How To Test
Boot a Fedora netinst image, enter the root password configuration screen. Check that the "Allow SSH root login with password" option is not present.
The users will no longer be able to use the insecure "Allow SSH root login with password" option on the root password configuration screen of the installer and the root password configuration screen will be a bit cleaner.
Revert the commit that removes the "Allow SSH root login with password" option and do a new Anaconda build.
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Original change that resulted in the "Allow SSH root login with password" option being added:
A workaround for kickstart users that still need to enable password based root login over SSH for some reason:
- The "Allow SSH root login with password" option has been removed from the installer GUI, making it no longer possible to configure the installed system to allow root to log in with a password over SSH. If you need to log in remotely with super user privileges, please use key based authentication or a normal user with admin rights instead.