From 5527d0df46d733b24ad70081429aefc56497dbbf Mon Sep 17 00:00:00 2001 From: Carmen Rata Date: Mon, 29 Jan 2024 15:12:10 +0000 Subject: [PATCH] Disallow remote login as root This commit fixes a security vulnerability found by a NESSUS Scan in the sshd configuration. The ssh login as root is allowed in "/etc/ssh/sshd_config" due to "PermitRootLogin" set to "yes". It should be disallowed, and the setting of "PermitRootLogin" should be "no". The fix is to remove the section pertaining to "Allow root ssh login" in "base_bullseye.yaml", which is a leftover cleanup from the Debian integration. Test Plan: PASS: Verify the stx build installs correctly in an AIO-SX system configuration. PASS: Verify the "PermitRootLogin" is set to "no" in "/etc/ssh/sshd_config" file. PASS: Verify that remote ssh as user root is not successful. Closes-Bug: 2051473 Signed-off-by: Carmen Rata Change-Id: Iee29cf2d5ade6268dcafcb0f3eb12d5f9afefc88 --- debian-mirror-tools/config/debian/common/base-bullseye.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/debian-mirror-tools/config/debian/common/base-bullseye.yaml b/debian-mirror-tools/config/debian/common/base-bullseye.yaml index c05b8fed..bb5e18d2 100644 --- a/debian-mirror-tools/config/debian/common/base-bullseye.yaml +++ b/debian-mirror-tools/config/debian/common/base-bullseye.yaml @@ -58,10 +58,6 @@ rootfs-post-scripts: - |- # Set bash as default shell ln -snf --relative $IMAGE_ROOTFS/bin/bash $IMAGE_ROOTFS/bin/sh -- |- - # Allow root ssh login - export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin - chroot $IMAGE_ROOTFS sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config - |- # FIXME: OSTree will not set up a link to scratch automagically. Need to # relocate scratch to a more ostree friendly locale
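Review bot: In the `rootfs-post-scripts` hunk of `base-bullseye.yaml`, removing the `sed` that forced `PermitRootLogin yes` leaves nothing in this file that sets the value to `no`. The commit message says the setting should be "no" and the test plan verifies exactly that, so the final value must come from somewhere outside this diff. Please either name that source in the commit message or replace the removed entry with one that pins the value explicitly, so a later change to whatever currently supplies "no" cannot silently re-enable root login. The removed entry also carried `export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin`; it is worth confirming that none of the following post-scripts depended on it. Minor: the commit message refers to "base_bullseye.yaml", while the file touched is `base-bullseye.yaml`.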