Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-04-04 22:24:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1905 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Thu Apr 4 22:24:47 2024 rev:171 rq:1164536 version:9.6p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-02-27 22:43:13.599396142 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes 2024-04-04 22:25:29.305609598 +0200 @@ -1,0 +2,17 @@ +Tue Apr 2 11:23:05 UTC 2024 - Antonio Larrosa <alarr...@suse.com> + +- Use %config(noreplace) for sshd_config . In any case, it's + recommended to drop a file in sshd_config.d instead of editing + sshd_config (bsc#1221063) +- Use %{_libexecdir} when removing ssh-keycat instead of the + hardcoded path so it works in TW and SLE. + +------------------------------------------------------------------- +Mon Mar 4 09:57:06 UTC 2024 - Pedro Monreal <pmonr...@suse.com> + +- Add crypto-policies support [bsc#1211301] + * Add patches: + - openssh-9.6p1-crypto-policies.patch + - openssh-9.6p1-crypto-policies-man.patch + +------------------------------------------------------------------- New: ---- openssh-9.6p1-crypto-policies-man.patch openssh-9.6p1-crypto-policies.patch BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- - openssh-9.6p1-crypto-policies.patch /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes: - openssh-9.6p1-crypto-policies-man.patch /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- * Add patches: /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes: - openssh-9.6p1-crypto-policies.patch /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- - openssh-9.6p1-crypto-policies-man.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.W69ZiC/_old 2024-04-04 22:25:31.141677195 +0200 +++ /var/tmp/diff_new_pack.W69ZiC/_new 2024-04-04 22:25:31.141677195 +0200 
@@ -122,6 +122,9 @@ Patch104: openssh-6.6p1-keycat.patch Patch105: openssh-6.6.1p1-selinux-contexts.patch Patch106: openssh-7.6p1-cleanup-selinux.patch +# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support +Patch107: openssh-9.6p1-crypto-policies.patch +Patch108: openssh-9.6p1-crypto-policies-man.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -209,6 +212,7 @@ %package server-config-rootlogin Summary: Config to permit root logins to sshd Group: Productivity/Networking/SSH +Requires: crypto-policies >= 20220824 Requires: %{name}-server = %{version}-%{release} %description server-config-rootlogin @@ -220,6 +224,7 @@ %package clients Summary: SSH (Secure Shell) client applications Group: Productivity/Networking/SSH +Requires: crypto-policies >= 20220824 Requires: %{name}-common = %{version}-%{release} Provides: openssh:%{_bindir}/ssh @@ -371,6 +376,13 @@ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif +install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf +%if %{defined _distconfdir} +install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf +%else +install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf +%endif + %if 0%{?suse_version} < 1550 # install firewall definitions mkdir -p %{buildroot}%{_fwdefdir} @@ -388,7 +400,7 @@ mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf -rm %{buildroot}/usr/libexec/ssh/ssh-keycat +rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat #rm -r %{buildroot}/usr/lib/debug/.build-id # the hmac hashes - taken from openssl 
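Review bot: The new `Requires: crypto-policies >= 20220824` in the `@@ -209` hunk lands under `%package server-config-rootlogin`, while the server-side drop-in `40-suse-crypto-policies.conf` is listed beside `sshd_config` and `sshd.service` in the `@@ -488` hunk, which looks like the server subpackage's file list (its `%files` header is outside the hunk). If that reading is right, a server installed without the rootlogin subpackage carries no dependency on crypto-policies. As far as I know sshd skips an `Include` that matches no file, so it would then run on OpenSSH's built-in algorithm defaults without any warning. I would move the line into the preamble of the server subpackage (the one the existing `Requires: %{name}-server` refers to) and keep the one in the `@@ -220` hunk for clients.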
@@ -488,12 +500,17 @@ %if %{defined _distconfdir} %attr(0755,root,root) %dir %{_distconfdir}/ssh %attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d -%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config +%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config %attr(0644,root,root) %{_pam_vendordir}/sshd %else -%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config +%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %endif +%if %{defined _distconfdir} +%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf +%else +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf +%endif %attr(0644,root,root) %{_unitdir}/sshd.service %attr(0644,root,root) %{_sysusersdir}/sshd.conf %attr(0444,root,root) %{_mandir}/man5/sshd_config* @@ -520,6 +537,7 @@ %files clients %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf %if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config %else ++++++ openssh-9.6p1-crypto-policies-man.patch ++++++ ++++ 649 lines (skipped) ++++++ openssh-9.6p1-crypto-policies.patch ++++++ Index: openssh-9.6p1/ssh_config =================================================================== --- openssh-9.6p1.orig/ssh_config +++ openssh-9.6p1/ssh_config 
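Review bot: In the `@@ -488` hunk the drop-in is packaged as `%attr(0600,root,root) %config(noreplace)`, but the `@@ -371` hunk installs it with `install -m 644` and the neighbouring entries are 0640 or 0644; the file holds only an `Include` line, so one mode should be chosen and used in both places. `%config(noreplace)` also means that once an administrator edits `40-suse-crypto-policies.conf`, a later packaged change to it arrives as `.rpmnew` and is not active, which matters for a file whose only job is to pull in the system-wide policy. For the `%{_distconfdir}` branch I would drop the marker, e.g. `%attr(0644,root,root) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf`, and leave local overrides to drop-ins under `/etc/ssh/sshd_config.d/`.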
@@ -17,6 +17,12 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +# This system is following system-wide crypto policies. +# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf +# file under /etc/ssh/ssh_config.d/ which will be automatically +# included below. For more information, see the manual pages for +# update-crypto-policies(8) and ssh_config(5). + # To modify the system-wide ssh configuration, create a "*.conf" file under # "/etc/ssh/ssh_config.d/" which will be automatically included below. # Don't edit this configuration file itself if possible to avoid update Index: openssh-9.6p1/ssh_config_suse =================================================================== --- /dev/null +++ openssh-9.6p1/ssh_config_suse @@ -0,0 +1,9 @@ +# The options here are in the "Match final block" to be applied as the last +# options and could be potentially overwritten by the user configuration +Match final all + # Follow system-wide Crypto Policy, if defined: + Include /etc/crypto-policies/back-ends/openssh.config + +# Uncomment this if you want to use .local domain +# Host *.local + Index: openssh-9.6p1/sshd_config =================================================================== --- openssh-9.6p1.orig/sshd_config +++ openssh-9.6p1/sshd_config @@ -17,6 +17,10 @@ Include /etc/ssh/sshd_config.d/*.conf # default value. Include /usr/etc/ssh/sshd_config.d/*.conf +# To modify the system-wide sshd configuration, create a *.conf file under +# /etc/ssh/sshd_config.d/ which will be automatically included below +Include /etc/ssh/sshd_config.d/*.conf + #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 Index: openssh-9.6p1/sshd_config_suse_cp =================================================================== --- /dev/null +++ openssh-9.6p1/sshd_config_suse_cp 
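Review bot: The header comment in the new `ssh_config_suse` says the options "could be potentially overwritten by the user configuration", which understates the behaviour a reader needs to know. ssh keeps the first value it obtains for each option, so anything set on the command line, in `~/.ssh/config` or in another drop-in takes precedence over the policy pulled in from the `Match final all` block. I would say so directly, e.g. `# Values set earlier (command line, ~/.ssh/config, other ssh_config.d files) win over this block; the crypto policy here is a client default, not an enforced limit.`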
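Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` added in the `sshd_config` hunk appears to duplicate a directive the file already has, since the hunk header's section text shows the same `Include` line above line 17, ahead of the `/usr/etc` one. If so, every drop-in in `/etc/ssh/sshd_config.d/` is read twice; first-value-wins keywords are unaffected, but keywords that accumulate across occurrences (presumably `Port`, `ListenAddress`, `HostKey`) would be seen twice, which is worth confirming with `sshd -T` on a host that has such a drop-in. The added comment also says "included below" although the Include is on the very next line. Unless the second pass is intended, I would drop the added `Include` and keep only the comment, placed next to the existing directive.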
@@ -0,0 +1,7 @@
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# this or following included files. To override some configuration option,
+# write it before this block or include it before this file.
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
+Include /etc/crypto-policies/back-ends/opensshserver.config
+
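Review bot: The comment in the new `sshd_config_suse_cp` gives the override rule without the reason, and "in this or following included files" is easy to misread. sshd uses the first value it reads for each keyword, so the file could say `# sshd keeps the first value it reads for each keyword: crypto settings (Ciphers, MACs, ...) placed after this Include are ignored; put overrides in a drop-in that sorts before 40-.` It is also worth one line noting that, as far as I know, a missing `/etc/crypto-policies/back-ends/opensshserver.config` turns the `Include` into a silent no-op, so the effective algorithms should be checked with `sshd -T` after a policy change.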