Page MenuHomeVyOS Platform
Create Task
Maniphest T634

Remove "service ssh allow-root"
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

As brought up by @syncer in Slack I share the same oppinion that there is no right to exist on service ssh allow-root.

Initially VyOS comes with a default user called vyos which has SSH access. Is there anybody out there who uses root for any work on VyOS device?

Beeing root all the time is bad practice. It's like walking with an open walled throug a strip mall.

I think it's time to remove this node. Please share your thoughts.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedFEATURE REQUESTc-poT631 Rewrite SSH configuration as XML interface definition
 ResolvedFEATURE REQUESTc-poT634 Remove "service ssh allow-root"

Event Timeline

c-po created this task.May 14 2018, 8:45 AM
c-po added a parent task: T632: Switch to multi node configuration for additional SSH options introduced in 1.2.x.
c-po added a parent task: T631: Rewrite SSH configuration as XML interface definition.
c-po removed a parent task: T632: Switch to multi node configuration for additional SSH options introduced in 1.2.x.
c-po moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.May 15 2018, 8:00 PM
c-po moved this task from In Progress to Finished on the VyOS 1.2 Crux board.May 15 2018, 8:29 PM
dmbaturin changed the task status from Open to In progress.May 16 2018, 1:09 AM
dmbaturin added a subscriber: dmbaturin.

This task is decidedly *not* complete until we have a migration script for it.

If we support SSH group management now, we can change allow-root to "access-control allow group root".

c-po added a comment.May 16 2018, 6:50 AM

Maybe I got something wrong but my Test indicated by upgrading from VyOS 1.1.7 to 1.2.x worked. the service ssh allow-root config line just vanished and remote login worked like a charm. I always tried to be backwards compatible at least with VyOS 1.1.7.

mickvav added a subscriber: mickvav.May 16 2018, 9:24 AM

I think it's a bad idea in case of automation scripts, which rely on general linux root shell - e.g. don't need sudo to get root access. So, anyone with this kind of integrations will need to adjust their software, if it would be not possible to make VyOS act like ordinary linux and accept (without pain) things like

ssh root@vyos arping -I eth0 12.34.56.78

although adjustment is simple and strait-forward, it will be required.

dmbaturin added a comment.May 16 2018, 11:49 AM

I'm pretty sure there is a commit error when you try to use that no longer existing option. It only works because we (sadly) allow partial commits and our commits at this time are not real, transactional commits.

I also agree with @mickvav: bad idea or not, it's been there for a decade, and people might have had come to rely upon it, for better or worse.

c-po added a comment.May 16 2018, 1:23 PM

... reverting ...

syncer added a comment.May 16 2018, 6:23 PM

root when enabled, can use vyos configuration/op commands?

dmbaturin closed this task as Invalid.May 20 2018, 7:49 AM

@syncer Sort of. Root doesn't get the full vyos environment so using vyos commands is inconvenient, though not impossible.

Since it was reverted, I'm closing it as invalid for easier filtering out when it's time to make a changelog.

syncer reopened this task as Open.Jun 10 2018, 4:00 AM
syncer assigned this task to c-po.

Reopening this,
we not going to keep all old staff there
just like system gateway, this must be removed

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.Jun 10 2018, 4:01 AM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.
syncer triaged this task as Low priority.Jun 10 2018, 4:16 AM
syncer merged a task: T243: Remove the option for root access via SSH.Jun 10 2018, 4:32 AM
syncer added a subscriber: tmartinson.

@tmartinson will continue here

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc2); removed VyOS 1.2 Crux (VyOS 1.2.0-rc1).Oct 9 2018, 6:43 AM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc2) board.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc3); removed VyOS 1.2 Crux (VyOS 1.2.0-rc2).Oct 13 2018, 9:28 AM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc3) board.
pasik added a subscriber: pasik.Oct 15 2018, 9:51 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux (VyOS 1.2.0-rc3).Oct 15 2018, 10:15 PM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.
c-po added a comment.Oct 20 2018, 9:18 PM

Remove or not remove?

syncer added a comment.Oct 20 2018, 9:22 PM

Remove.
to make root working you need to set a password for it so just this command does not do anything
and most of the automation systems now can elevate privileges

c-po added a comment.Oct 20 2018, 9:46 PM

Okay - I just see that the allow-root feature wasn't working anyway since the SSH XML rewrite.

syncer added a comment.Oct 20 2018, 9:47 PM

not sure if it ever worked (without manual manipulations with root user)

c-po closed this task as Resolved.Oct 22 2018, 10:30 AM
c-po edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).
c-po added a project: VyOS-1.2.0-GA.Oct 22 2018, 10:46 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.3 Equuleus.Oct 22 2018, 10:50 AM
syncer moved this task from Backlog to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.