Page MenuHomeVyOS Platform

Remove "service ssh allow-root"
Closed, ResolvedPublicFEATURE REQUEST


As brought up by @syncer in Slack I share the same oppinion that there is no right to exist on service ssh allow-root.

Initially VyOS comes with a default user called vyos which has SSH access. Is there anybody out there who uses root for any work on VyOS device?

Beeing root all the time is bad practice. It's like walking with an open walled throug a strip mall.

I think it's time to remove this node. Please share your thoughts.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close

Related Objects


Event Timeline

dmbaturin changed the task status from Open to In progress.May 16 2018, 1:09 AM
dmbaturin added a subscriber: dmbaturin.

This task is decidedly *not* complete until we have a migration script for it.

If we support SSH group management now, we can change allow-root to "access-control allow group root".

Maybe I got something wrong but my Test indicated by upgrading from VyOS 1.1.7 to 1.2.x worked. the service ssh allow-root config line just vanished and remote login worked like a charm. I always tried to be backwards compatible at least with VyOS 1.1.7.

I think it's a bad idea in case of automation scripts, which rely on general linux root shell - e.g. don't need sudo to get root access. So, anyone with this kind of integrations will need to adjust their software, if it would be not possible to make VyOS act like ordinary linux and accept (without pain) things like

ssh [email protected] arping -I eth0

although adjustment is simple and strait-forward, it will be required.

I'm pretty sure there is a commit error when you try to use that no longer existing option. It only works because we (sadly) allow partial commits and our commits at this time are not real, transactional commits.

I also agree with @mickvav: bad idea or not, it's been there for a decade, and people might have had come to rely upon it, for better or worse.

root when enabled, can use vyos configuration/op commands?

@syncer Sort of. Root doesn't get the full vyos environment so using vyos commands is inconvenient, though not impossible.

Since it was reverted, I'm closing it as invalid for easier filtering out when it's time to make a changelog.

syncer assigned this task to c-po.

Reopening this,
we not going to keep all old staff there
just like system gateway, this must be removed

to make root working you need to set a password for it so just this command does not do anything
and most of the automation systems now can elevate privileges

Okay - I just see that the allow-root feature wasn't working anyway since the SSH XML rewrite.

not sure if it ever worked (without manual manipulations with root user)