Bug 417871

Summary: 12.1 amd64 livedvd sshd default configuration AllowUsers line makes usage difficult
Product: Gentoo Release Media Reporter: Michael Mol <mikemol>
Component: LiveCD/DVD/USB
Assignee: Team Anniversary <ten>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Mol 2012-05-27 20:28:25 UTC
By having the "AllowUsers root" line in the sshd configuration file, you're telling sshd that *only root* is allowed to login; the AllowUsers directive instructs sshd to only allow the explicitly specified users, and to deny access to everyone else.

Because the "PermitRootLogin yes" line is commented-out, root, also, is disallowed from logging in.

This means that neither the 'gentoo' user, 'root', nor any other user may log in via ssh until the /etc/ssh/sshd_config file is modified.

If the user wishes to use ssh to continue initial configuration of a system, he has two options in editing the sshd_config file:

1) He can remove the "AllowUsers root" line, so that some other user may connect.
2) He can uncomment the "PermitRootLogin yes" line, so that root may log in. (And this is such a bad outcome that people in the Gentoo support IRC channels often refuse to assist users whose ident comes back as 'root'.)

Reproducible: Always

If I'm correctly familiar with the history of this, the addition of the 'gentoo' user was as a security improvement measure. Older versions of the live dvd gave the operator a root login to KDE.

If I read the KDM login screen correctly, the 'gentoo' user only has a four-character password, which is disturbingly short. (I don't know how random it is, or whether it uses uncommon characters)

If the reason for the 'AllowUsers root' is to prevent crack attempts against the 'gentoo' user's four-character password, then removing that line creates a security vulnerability for gentoo; the "gentoo" user's password becomes vulnerable to a quick crack.

A few further changes might be:
1) Allow the user to select a username immediately after selecting a keymap.
2) Allow the user to select a password after selecting a keymap.
3) Use a longer randomized password.
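The lock-out described in this report, and the two edits the reporter lists, can be checked against a small model of how sshd evaluates AllowUsers together with PermitRootLogin. This is an added example, not code from the bug or from the Gentoo release media; the three config fragments are constructed, and the implicit "no" for PermitRootLogin is assumed from the reporter's observation rather than taken from sshd's source.

```sh
# Minimal model of the two sshd_config directives discussed in this bug. The
# fragments are constructed to mirror the states the reporter describes (DVD
# default, fix 1, fix 2); they are not the DVD's real file.
DVD_DEFAULT='AllowUsers root
#PermitRootLogin yes'
FIX1_DROP_ALLOWUSERS='#PermitRootLogin yes'
FIX2_PERMIT_ROOT='AllowUsers root
PermitRootLogin yes'
# Assumption: the implicit PermitRootLogin on this DVD is "no", as the reporter
# observed; upstream OpenSSH's compiled-in default has differed across versions.
ROOT_LOGIN_DEFAULT=no

# effective_value CONFIG KEYWORD DEFAULT: prints the value of the first
# uncommented KEYWORD line (sshd honours the first occurrence), else DEFAULT.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print def }'
}

# ssh_login_allowed USER CONFIG: returns 0 if USER could authenticate with a
# password under CONFIG, 1 if not. Only AllowUsers and PermitRootLogin are
# modelled; Match blocks, DenyUsers, AllowGroups, key-only values and PAM are not.
ssh_login_allowed() {
    user=$1; cfg=$2
    allow=$(effective_value "$cfg" AllowUsers "")
    # AllowUsers present: only the listed users may log in, all others are denied.
    if [ -n "$allow" ]; then
        case " $allow " in
            *" $user "*) ;;
            *) return 1 ;;
        esac
    fi
    # root must additionally pass PermitRootLogin, which defaults to "no" here.
    if [ "$user" = root ]; then
        prl=$(effective_value "$cfg" PermitRootLogin "$ROOT_LOGIN_DEFAULT")
        [ "$prl" = yes ] || return 1
    fi
    return 0
}

for name in DVD_DEFAULT FIX1_DROP_ALLOWUSERS FIX2_PERMIT_ROOT; do
    eval "cfg=\$$name"
    for u in root gentoo; do
        if ssh_login_allowed "$u" "$cfg"; then r=allowed; else r=denied; fi
        printf '%-21s %-7s %s\n' "$name:" "$u" "$r"
    done
done
```

On a real host the authoritative check is `sshd -T`, which prints the effective configuration after all defaults and Match blocks are applied; the model above only reproduces the two directives this report is about.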
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2012-05-27 23:39:10 UTC
@likewhoa,

this seems a bug to me. We should not be setting "AllowUsers root" in the DVD.
Comment 2 Michael Mol 2012-05-27 23:44:14 UTC
I'll further note that I tested, and was *not* able to log in as root over ssh with the default configuration, even after I set a password for root.

The current configuration of sshd on the DVD does not seem to allow any authenticated connection. It may be possible that there's a way to do it via PAM, but I don't know how that'd work; the inaccessibility of the SSH daemon feels like an interaction between "AllowUsers root" and the implicit "PermitRootLogin no".
Comment 3 Michael Mol 2012-07-08 17:05:19 UTC
Could this be added to a checklist somewhere, and have the status updated? I'm working on following up with and clearing out my old bug reports.
Comment 4 Fernando (likewhoa) 2013-03-08 04:14:04 UTC
This will be fixed in the 13.0 release. Stay tuned.