Disallow remote login as root

This commit fixes a security vulnerability found by a NESSUS Scan
in the sshd configuration. The ssh login as root is allowed in
"/etc/ssh/sshd_config" due to "PermitRootLogin" set to "yes".
It should be disallowed, and the setting of "PermitRootLogin"
should be "no". The fix is to remove the section pertaining to
"Allow root ssh login" in "base_bullseye.yaml", which is a leftover
cleanup from the Debian integration.

Test Plan:
PASS: Verify the stx build installs correctly in an AIO-SX system
configuration.
PASS: Verify the "PermitRootLogin" is set to "no" in
"/etc/ssh/sshd_config" file.
PASS: Verify that remote ssh as user root is not successful.

Closes-Bug: 2051473

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Iee29cf2d5ade6268dcafcb0f3eb12d5f9afefc88
Carmen Rata 2024-01-29 15:12:10 +00:00
parent fcf426cf15
commit 5527d0df46
1 changed files with 0 additions and 4 deletions

@ -58,10 +58,6 @@ rootfs-post-scripts:
- |-
# Set bash as default shell
ln -snf --relative $IMAGE_ROOTFS/bin/bash $IMAGE_ROOTFS/bin/sh
- |-
# Allow root ssh login
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
- |-
# FIXME: OSTree will not set up a link to scratch automagically. Need to
# relocate scratch to a more ostree friendly locale
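
Review bot: With the `# Allow root ssh login` post-script removed, nothing in this hunk sets `PermitRootLogin` any more, so the "no" value the commit message and test plan expect depends on whatever else writes /etc/ssh/sshd_config in the image. Please either name that source in the commit message or keep a post-script that sets the value explicitly, for example the same sed with `PermitRootLogin no` as the replacement, so the result does not change silently if the packaged file or another script changes. The removed pattern `^[#[:space:]]*PermitRootLogin.*` also rewrote commented-out lines, so any existing image built with it has an active `PermitRootLogin yes` line that this change does not revert; the test plan only covers a fresh AIO-SX install.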