Merge pull request #272 from SUSE:tbazant-dolomite-ssh-login-bsc#1217734

Added info about enabling password-based root SSH login (bsc#1217734)

Author: tbazant

tasks/alp-considerations-before-deployment.xml

@@ -20,43 +20,32 @@
     <title>Considerations before &productnameshort; deployment</title>
   </info>
   <para>
-    This section introduces tips and suggestions that need to be considered
-    before or during the deployment procedure.
+    This section introduces tips and suggestions that need to be considered before or during the
+    deployment procedure.
   </para>
   <section xml:id="alp-pre-deployment-considerations-root-ssh-login">
     <title>&rootuser; SSH login</title>
     <para>
-      By default, &rootuser; SSH login in &productnameshort; is permitted only
-      by using the SSH key. &rootuser; SSH login with password is prohibited.
-      We recommend creating an unprivileged user that you can use to access the
-      installed system and then enable &rootuser; SSH login.
-    </para>
-    <para condition="alp-deployment-agama-interactive">
-      You can create an unprivileged user account during the installation
-      process in the &alp-installer; environment.
-    </para>
-    <para condition="alp-deployment-rawdisk">
-      You can create an unprivileged user account on the first boot by using
-      the &ignition; tool.
-    </para>
-    <para condition="alp-deployment-all">
-      Depending on the installation method, you can create an unprivileged user
-      account either during the installation process in the &alp-installer;
-      environment, or on the first boot by using the &ignition;/&combustion;
-      tools.
+      By default, &rootuser; SSH login in &productnameshort; is permitted only by using the SSH
+      key. &rootuser; SSH login with password is prohibited. We recommend creating an unprivileged
+      user that you can use to access the installed system and then enable &rootuser; SSH login.
     </para>
     <tip>
       <para>
-        Creating an unprivileged user during system installation is useful for
-        logging in to the &cockpit; Web interface. Find more details in
+        <phrase condition="alp-deployment-agama-interactive">You can create an unprivileged user
+        account during the installation process in the &alp-installer; environment.</phrase>
+        <phrase condition="alp-deployment-rawdisk">You can create an unprivileged user account on
+        the first boot by using the &ignition; tool.</phrase> Creating an unprivileged user during
+        system installation is useful for logging in to the &cockpit; Web interface as well. Find
+        more details in
         <link xlink:href="https://documentation.suse.com/alp/dolomite/html/cockpit-alp-dolomite/index.html"/>.
       </para>
     </tip>
     <tip>
       <para>
-        See <xref linkend="alp-post-deploy-enable-root-ssh-login"/> for details
-        on installing <package>openssh-server-config-rootlogin</package>
-        manually after the system is deployed.
+        For more details on enabling the password-based &rootuser; SSH login after the
+        &productnameshort; deployment, refer to
+        <xref linkend="alp-post-deploy-enable-root-ssh-login"/>.
       </para>
     </tip>
   </section>

tasks/alp-post-deployment-considerations.xml

@@ -20,8 +20,8 @@
     <title>Post-deployment considerations</title>
     <abstract>
       <para>
-        This article includes important information and tasks that you need to
-        consider after you successfully deploy &productname;.
+        This article includes important information and tasks that you need to consider after you
+        successfully deploy &productname;.
       </para>
     </abstract>
   </info>
@@ -30,9 +30,8 @@
     <section xml:id="alp-post-deploy-full-disk-encryption-password">
       <title>Change encryption password</title>
       <para>
-        During the &productnameshort; deployment, you entered a password that
-        is used for disk encryption. To change the password, run the following
-        command:
+        During the &productnameshort; deployment, you entered a password that is used for disk
+        encryption. To change the password, run the following command:
       </para>
 <screen>&prompt.root;fdectl passwd</screen>
     </section>
@@ -42,8 +41,8 @@
         Without a TPM chip, you need to enter the encryption password to decrypt the disk on each
         &productnameshort; boot.
       </para>
-        <para condition="alp-deployment-agama-interactive;alp-deployment-agama-automated">On
-        systems that have a TPM 2.0 chip, &productnameshort; deployed with the &alp-installer;
+      <para condition="alp-deployment-agama-interactive;alp-deployment-agama-automated">
+        On systems that have a TPM 2.0 chip, &productnameshort; deployed with the &alp-installer;
         installer supports the automatic protection of the LUKS volume with a TPM device. The
         requirement is that the machine must use the &uefisecboot; enabled. If the &alp-installer;
         installer detects a TPM 2.0 chip and &uefisecboot;, it creates a secondary LUKS key. On the
@@ -62,17 +61,15 @@
   <section xml:id="alp-post-deploy-selinux">
     <title>&selnx;</title>
     <para>
-      Security-Enhanced Linux (&selnx;) is a security framework that increases
-      system security by defining access controls for applications, processes
-      and files on the file system.
+      Security-Enhanced Linux (&selnx;) is a security framework that increases system security by
+      defining access controls for applications, processes and files on the file system.
     </para>
     <para>
       &productnameshort; ships with &selnx; enabled and set to the restrictive
-      <emphasis>enforce</emphasis> mode for increased security. The enforce
-      mode can lead to processes or workloads not behaving correctly because
-      the default policy may be too strict. If you observe such unexpected
-      issues, set &selnx; to the <emphasis>permissive</emphasis> mode that does
-      not enforce &selnx; policies but still logs offenses against them called
+      <emphasis>enforce</emphasis> mode for increased security. The enforce mode can lead to
+      processes or workloads not behaving correctly because the default policy may be too strict.
+      If you observe such unexpected issues, set &selnx; to the <emphasis>permissive</emphasis>
+      mode that does not enforce &selnx; policies but still logs offenses against them called
       <emphasis>Access Vector Rules</emphasis> (AVCs).
     </para>
     <para>
@@ -82,27 +79,25 @@
     <tip>
       <para>
         To set &selnx; to the permissive mode permanently, edit
-        <filename>/etc/selinux/config</filename> and update it to include the
-        following line:
+        <filename>/etc/selinux/config</filename> and update it to include the following line:
       </para>
 <screen>SELINUX=permissive</screen>
     </tip>
     <important>
       <para>
-        If you entered an &selnx; permissive mode, you need to relabel your
-        system until it is back in a good state. The reason is that the
-        permissive mode allows you to reach states that are not reachable
-        otherwise. To relabel the system, run the following command and reboot
-        the system:
+        If you entered an &selnx; permissive mode, you need to relabel your system until it is back
+        in a good state. The reason is that the permissive mode allows you to reach states that are
+        not reachable otherwise. To relabel the system, run the following command and reboot the
+        system:
       </para>
 <screen>
 &prompt.root;touch /etc/selinux/.autorelabel
 &prompt.root;reboot
 </screen>
     </important>
     <para>
-      To monitor AVCs, search the Audit log and &systemd; journal for log
-      messages similar to the following one:
+      To monitor AVCs, search the Audit log and &systemd; journal for log messages similar to the
+      following one:
     </para>
 <screen>
 type=AVC msg=audit(1669971354.731:25): avc:  denied  { create } \
@@ -122,28 +117,27 @@ tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0
     </para>
 <screen>&prompt.root;ausearch -m avc,user_avc,selinux_err -i</screen>
     <para>
-      If such messages appear while using the application that did not behave
-      correctly when &selnx; was set to the enforce mode, the policies are too
-      restrictive and need updating. You can help to fine-tune &selnx; policies
-      by creating a bug report at
+      If such messages appear while using the application that did not behave correctly when
+      &selnx; was set to the enforce mode, the policies are too restrictive and need updating. You
+      can help to fine-tune &selnx; policies by creating a bug report at
       <link xlink:href="https://bugzilla.suse.com/enter_bug.cgi?classification=SUSE%20ALP%20-%20SUSE%20Adaptable%20Linux%20Platform"/>.
       Specify <literal>Basesystem</literal> as a component, include the word
-      <literal>&selnx;</literal> in the bug subject, and attach the gathered
-      unique lines that include AVCs together with reproduction steps.
+      <literal>&selnx;</literal> in the bug subject, and attach the gathered unique lines that
+      include AVCs together with reproduction steps.
     </para>
   </section>
   <section xml:id="alp-post-deploy-enable-root-ssh-login">
-    <title>Enabling &rootuser; SSH login</title>
+    <title>Enabling password-based &rootuser; SSH login</title>
     <para>
-      &rootuser; login via SSH is not permitted in &productnameshort; by
-      default for security reasons. To enable it, you have the following
+      By default, &rootuser; SSH login in &productnameshort; is permitted only by using the SSH
+      key. &rootuser; SSH login with password is prohibited. To enable it, you have the following
       options:
     </para>
     <itemizedlist>
       <listitem>
         <para>
-          install the <package>openssh-server-config-rootlogin</package>
-          package and reboot the system.
+          install the <package>openssh-server-config-rootlogin</package> package and reboot the
+          system.
         </para>
 <screen>
 &prompt.root;<command>transactional-update pkg in openssh-server-config-rootlogin</command>
@@ -152,9 +146,8 @@ tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0
       </listitem>
       <listitem>
         <para>
-          Add a file containing the snippet <literal>PermitRootLogin
-          yes</literal> in the <filename>/etc/sshd/sshd_config.d/</filename>
-          directory and reboot, for example:
+          Add a file containing the snippet <literal>PermitRootLogin yes</literal> in the
+          <filename>/etc/sshd/sshd_config.d/</filename> directory and reboot, for example:
         </para>
 <screen>
 &prompt.root;echo 'PermitRootLogin yes' &gt;&gt; /etc/sshd/sshd_config.d/root_login_config