rockstor / rockstor-core

Linux/BTRFS based Network Attached Storage(NAS)
http://rockstor.com/docs/contribute_section.html
GNU General Public License v3.0

[openSUSE] ssh users #2005

Open flukejones opened 5 years ago

flukejones commented 5 years ago

Unsure of this issue.

On Tumbleweed, I think root access over ssh is blocked. So when Rocklobster appends the AllowUsers root to the sshd config, that ends up preventing all login over ssh.

It might be best to keep the blocked root behaviour, and allow only the first created rockstor user over ssh. Most security guides I've ever read also suggest a similar behaviour.

phillxnet commented 5 years ago

@Luke-Nukem Thanks for creating this issue.

"On Tumbleweed, I think root access over ssh is blocked." Yes it appears so, I ran into this myself.

Agreed we should preserve the no root login default, as you say it's the trend security wise these days and will only come back to bite us if we allow it. I initially un-remarked the following in order to allow initial source upload via root for development only:

PermitRootLogin yes

found in both Leap15.0 and Tumbleweed.

As per allowed users we also have to consider our sftp access as we use the ssh-server for this access type. See: http://rockstor.com/docs/sftp/sftp.html

FroggyFlox commented 4 years ago

@flukejones, @phillxnet,

While working on #2168, I noticed that the default sshd_config post install (in both Leap 15.2 JeOS and Tumbleweed) has:

PermitRootLogin yes

As a result, I believe this issue should no longer cause the problem of blocking all users from ssh access.

I wonder, however, if we shouldn't build upon this and surface this as a customization of the SSH service in the webUI. While keeping PermitRootLogin yes and AllowUsers root as default, we could offer a service customization for users to disable or alter this from the webUI as SSH service config.

It could be worth considering if there's interest by users in such a feature.

Cheers,
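
Added example (not part of the thread and not rockstor-core code): a small Python check for the lockout discussed in this issue, where `AllowUsers root` is appended to an sshd config that also refuses root logins. The sample configs are constructed, `global_directives` and `can_log_in` are hypothetical names, the `root_default` value is an assumption about the sshd build in use, and `Match` blocks, `DenyUsers` and the group directives are not evaluated.

```python
from fnmatch import fnmatchcase

# Constructed samples, not copied from any distribution's sshd_config.
BLOCKED = "PermitRootLogin no\nSubsystem sftp internal-sftp\nAllowUsers root\n"
FIXED = "PermitRootLogin no\nAllowUsers root\nAllowUsers admin\n"


def global_directives(text):
    """Collect {keyword: [argument lists]} from lines before the first Match block."""
    found = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue                    # blank line or commented-out directive
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are out of scope here
        found.setdefault(key, []).append(parts[1:])
    return found


def can_log_in(text, candidates, root_default="prohibit-password"):
    """Return the candidate accounts that the global settings still admit over ssh."""
    conf = global_directives(text)
    # For a single-valued keyword sshd keeps the first value it reads ...
    first = conf.get("permitrootlogin", [[root_default]])[0]
    root_mode = (first[0] if first else root_default).lower()
    # ... while AllowUsers lines accumulate into one pattern list.
    # USER@HOST patterns are reduced to USER; host restrictions are ignored here.
    patterns = [p.split("@")[0] for args in conf.get("allowusers", []) for p in args]
    admitted = []
    for user in candidates:
        if user == "root" and root_mode == "no":
            continue                    # root refused regardless of AllowUsers
        if patterns and not any(fnmatchcase(user, p) for p in patterns):
            continue                    # AllowUsers present and user not listed
        admitted.append(user)
    return admitted


if __name__ == "__main__":
    for name, text in (("blocked", BLOCKED), ("fixed", FIXED)):
        print(name, can_log_in(text, ["root", "admin"]) or "LOCKOUT: nobody can log in")
```

An empty result is the condition reported at the top of this issue: the only allowed user is root, and root is refused.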