This document highlights how sudo
and openssh
are configured for (open)SUSE products and points some proposed improvements.
Currently sudo
is configured to always ask for the root password, and this could have some problems:
- The behavior might be unexpected:
sudo
typically asks for the current user password.- YaST has an option to use the same password for root and for the first user. This can give the false impression of being using the user password for
sudo
. Changing the user password later could be missleading because the user would try to use the new password forsudo
.
- Security issue: in multi-user environment, each user needs to know the root password.
It was proposed to change the default sudo
config in order to use the user password. And this has some implications:
- The new users have to be added to a
wheel
group or something similar. - An existing user could not use
sudo
until the user is added to thewheel
group. - Many tools use either
pkexec
orxdg-su
to launch applications (like yast). So the root password is still needed unless that applications are adapted.
In SLE 15 family and openSUSE Leap 15 there is a patch (openssh-7.7p1-allow_root_password_login.patch) which configures openssh
to allow root ssh login. That patch was removed from Factory, which implies that root ssh login is not allowed in TW and ALP by default. Nevertheless, there is a subpackage openssh-server-config-rootlogin that has to be installed in order to recover back ssh login for root.
Right now, neigher YaST nor Agama install openssh-server-config-rootlogin:
- It is not possible to launch the AutoYaST second stage in TW.
- It is not possible to connect to a remote Agama/TW machine that only has root user.
Note: Fedora installer offers a checkbox for allowing root ssh login with password. And it also has a checkbox to lock the root account. In this case the root account should be viewed as a physical-access recovery only account.
Firewalld in ALP has ssh port always open. Is that a security issue?