
Remove "service ssh allow-root"
Closed, Resolved | Public | FEATURE REQUEST

Description

As brought up by @syncer in Slack, I share the same opinion that there is no right to exist on service ssh allow-root.

Initially VyOS comes with a default user called vyos which has SSH access. Is there anybody out there who uses root for any work on VyOS device?

Being root all the time is bad practice. It's like walking with an open wallet through a strip mall.

I think it's time to remove this node. Please share your thoughts.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
c-po moved this task from Need Triage to In Progress on the VyOS 1.2.x board. May 15 2018, 8:00 PM
c-po moved this task from In Progress to Finished on the VyOS 1.2.x board. May 15 2018, 8:29 PM
dmbaturin changed the task status from Open to In progress. May 16 2018, 1:09 AM
dmbaturin added a subscriber: dmbaturin.

This task is decidedly *not* complete until we have a migration script for it.

If we support SSH group management now, we can change allow-root to "access-control allow group root".

c-po added a comment. May 16 2018, 6:50 AM

Maybe I got something wrong, but my test by upgrading from VyOS 1.1.7 to 1.2.x worked. The service ssh allow-root config line just vanished and remote login worked like a charm. I always tried to be backwards compatible at least with VyOS 1.1.7.

I think it's a bad idea in case of automation scripts which rely on a general Linux root shell, e.g. don't need sudo to get root access. So anyone with this kind of integration will need to adjust their software if it would not be possible to make VyOS act like ordinary Linux and accept (without pain) things like

ssh root@vyos arping -I eth0 12.34.56.78

Although the adjustment is simple and straightforward, it will be required.

I'm pretty sure there is a commit error when you try to use that no longer existing option. It only works because we (sadly) allow partial commits and our commits at this time are not real, transactional commits.

I also agree with @mickvav: bad idea or not, it's been there for a decade, and people might have come to rely upon it, for better or worse.

c-po added a comment. May 16 2018, 1:23 PM

... reverting ...

root when enabled, can use vyos configuration/op commands?

dmbaturin closed this task as Invalid. May 20 2018, 7:49 AM

@syncer Sort of. Root doesn't get the full vyos environment so using vyos commands is inconvenient, though not impossible.

Since it was reverted, I'm closing it as invalid for easier filtering out when it's time to make a changelog.

syncer reopened this task as Open. Jun 10 2018, 4:00 AM
syncer assigned this task to c-po.

Reopening this.
We are not going to keep all the old stuff there.
Just like system gateway, this must be removed.

syncer triaged this task as Low priority. Jun 10 2018, 4:16 AM
c-po added a comment. Sat, Oct 20, 9:18 PM

Remove or not remove?

Remove.
To make root work you need to set a password for it, so just this command does not do anything,
and most of the automation systems now can elevate privileges.

c-po added a comment. Sat, Oct 20, 9:46 PM

Okay - I just see that the allow-root feature wasn't working anyway since the SSH XML rewrite.

Not sure if it ever worked (without manual manipulations with root user).

c-po closed this task as Resolved. Mon, Oct 22, 10:30 AM
c-po edited projects, added VyOS 1.3.x; removed VyOS 1.2.x (VyOS 1.2.0-rc4).
syncer moved this task from Backlog to Finished on the VyOS 1.2.x (VyOS 1.2.0-rc4) board.