Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-05-17 20:03:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.1880 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Fri May 17 20:03:57 2024 rev:177 rq:1174781 version:9.6p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-05-17 
09:34:05.056230116 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes        
2024-05-17 20:04:08.961185171 +0200
@@ -1,0 +2,31 @@
+Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa <alarr...@suse.com>
+
+- Remove the recommendation for openssh-server-config-rootlogin
+  from openssh-server. Since the default for that config option
+  was changed in SLE it's not needed anymore in SLE nor in TW
+  (boo#1224392).
+
+-------------------------------------------------------------------
+Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa <alarr...@suse.com>
+
+- Add a warning in %post of openssh-clients, openssh-server and 
+  openssh-server-config-disallow-rootlogin to warn the user if
+  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
+  being used (bsc#1223486).
+
+-------------------------------------------------------------------
+Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa <alarr...@suse.com>
+
+- Only for SLE15, restore the patch file removed in
+  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
+  from SP5 of having root password login allowed by default
+  (fixes bsc#1223486, related to bsc#1173067):
+  * openssh-7.7p1-allow_root_password_login.patch
+- Since the default value for this config option is now set to
+  permit root to use password logins in SLE15, the
+  openssh-server-config-rootlogin subpackage isn't useful there so 
+  we now create an openssh-server-config-disallow-rootlogin
+  subpackage that sets the configuration the other way around
+  than openssh-server-config-rootlogin.
+
+-------------------------------------------------------------------

New:
----
  openssh-7.7p1-allow_root_password_login.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.eBFEPV/_old  2024-05-17 20:04:11.505277099 +0200
+++ /var/tmp/diff_new_pack.eBFEPV/_new  2024-05-17 20:04:11.505277099 +0200
@@ -28,8 +28,10 @@
 
 %if 0%{?suse_version} >= 1550
 %bcond_without wtmpdb
+%bcond_with allow_root_password_login_by_default
 %else
 %bcond_with wtmpdb
+%bcond_without allow_root_password_login_by_default
 %endif
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
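Review bot: The two new `%bcond_*` lines flip a security default by distribution version without any comment saying why, so a reader of the spec has to dig through the changelog to find the rationale. Suggest a comment directly above the `%if`, e.g. `# bsc#1223486: SLE15 keeps root password login permitted by default; Tumbleweed follows upstream's prohibit-password`. A one-line reference is enough, but it should live next to the switch rather than only in openssh.changes.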
@@ -126,6 +128,9 @@
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:       openssh-9.6p1-crypto-policies.patch
 Patch108:       openssh-9.6p1-crypto-policies-man.patch
+%if 0%{with allow_root_password_login_by_default}
+Patch1000:      openssh-7.7p1-allow_root_password_login.patch
+%endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
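Review bot: `Patch1000` is added without the `# PATCH-FIX-… bsc#… description` tag line that the neighbouring patches use (see the `PATCH-FIX-OPENSUSE bsc#1211301` line two lines above), so the usual tooling and reviewers lose the bug reference and the reason the patch exists. Suggest `# PATCH-FIX-SLE bsc#1223486 Keep root password login permitted by default on SLE15 (pre-SP6 behaviour)` immediately before the `Patch1000:` line, inside the `%if`.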
@@ -192,9 +197,6 @@
 Requires:       %{name}-common = %{version}-%{release}
 Requires:       crypto-policies >= 20220824
 Recommends:     audit
-%if 0%{?suse_version} == 1500
-Recommends:     openssh-server-config-rootlogin
-%endif
 Requires(pre):  findutils
 Requires(pre):  grep
 Requires(post): %fillup_prereq
@@ -214,16 +216,31 @@
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
 
+%if 0%{with allow_root_password_login_by_default}
+%package server-config-disallow-rootlogin
+Summary:        Config to disallow password root logins to sshd
+Group:          Productivity/Networking/SSH
+Requires:       %{name}-server = %{version}-%{release}
+Conflicts:      %{name}-server-config-rootlogin
+
+%description server-config-disallow-rootlogin
+The openssh-server package by default allows password based
+root logins. This package provides a config that disallows root
+to log in using the passwor. It's useful to secure your system
+preventing password attacks on the root account over ssh.
+%else
 %package server-config-rootlogin
 Summary:        Config to permit root logins to sshd
 Group:          Productivity/Networking/SSH
 Requires:       %{name}-server = %{version}-%{release}
+Conflicts:      %{name}-server-config-disallow-rootlogin
 
 %description server-config-rootlogin
 The openssh-server package by default disallows password based
 root logins. This package provides a config that does. It's useful
 to temporarily have a password based login to be able to use
 ssh-copy-id(1).
+%endif
 
 %package clients
 Summary:        SSH (Secure Shell) client applications
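Review bot: The `%description server-config-disallow-rootlogin` text has a typo in "to log in using the passwor." and the sentence reads awkwardly; this string is shown to users by the package manager. Suggest `to log in using a password. It is useful to secure your system` in place of the current line. The rest of the description can stay as written.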
@@ -369,7 +386,11 @@
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g 
%{buildroot}%{_sysconfdir}/ssh/sshd_config
 
+%if 0%{with allow_root_password_login_by_default}
+echo "PermitRootLogin prohibit-password" > 
%{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
 echo "PermitRootLogin yes" > 
%{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 
 # Move /etc to /usr/etc/ssh
 %if %{defined _distconfdir}
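Review bot: The generated drop-in `51-permit-root-login.conf` contains only the bare `PermitRootLogin prohibit-password` line, so an administrator inspecting `sshd_config.d` cannot tell which package owns it or why it overrides the (patched) compiled-in default. Suggest prefixing an ownership comment: `echo "# Installed by openssh-server-config-disallow-rootlogin (bsc#1223486)" > ...51-permit-root-login.conf` followed by `echo "PermitRootLogin prohibit-password" >> ...51-permit-root-login.conf`. The same applies to the `50-permit-root-login.conf` line in the `%else` branch.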
@@ -377,8 +398,12 @@
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
+%if 0%{with allow_root_password_login_by_default}
+mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf 
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf 
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
+%endif
 
 install -m 644 ssh_config_suse 
%{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %if %{defined _distconfdir}
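Review bot: The drop-in filename (`50-` vs `51-permit-root-login.conf`) is now spelled out in parallel `%if`/`%else` branches here, in the `%install` echo lines and again in `%files`, which is three places that must stay in sync. Defining it once next to the bcond, e.g. `%define rootlogin_conf 51-permit-root-login.conf` under the `%if 0%{with ...}` and `50-permit-root-login.conf` under `%else`, would collapse each of these three sites to a single unconditional line. The enclosing `%if %{defined _distconfdir}` block starts before this hunk.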
@@ -438,6 +463,15 @@
 %{fillup_only -n ssh}
 %service_add_post sshd.service
 
+%if ! %{defined _distconfdir}
+test -f /etc/ssh/sshd_config && (grep -q "^Include 
/etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %preun server
 %service_del_preun sshd.service
 
@@ -451,6 +485,16 @@
 %service_del_postun sshd.service
 fi
 
+%if ! %{defined _distconfdir}
+%post server-config-disallow-rootlogin
+test -f /etc/ssh/sshd_config && (grep -q "^Include 
/etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The config file installed by"
+    echo "openssh-server-config-disallow-rootlogin won't be used until"
+    echo "the following line is added at the start of /etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans server
 # Migration to /usr/etc.
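Review bot: The new `%post server-config-disallow-rootlogin` scriptlet is guarded only by `%if ! %{defined _distconfdir}`, while the `%package server-config-disallow-rootlogin` it belongs to is guarded by `%if 0%{with allow_root_password_login_by_default}`. Today the two conditions appear to coincide (both are tied to `suse_version`), but if they ever diverge rpmbuild will reject a `%post` for a package that does not exist. Suggest `%if 0%{with allow_root_password_login_by_default} && ! %{defined _distconfdir}` so the scriptlet's guard is a strict subset of the package's guard.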
@@ -464,6 +508,16 @@
 test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave 
/etc/ssh/ssh_config.rpmsave.old ||:
 %endif
 
+%if ! %{defined _distconfdir}
+%post clients
+test -f /etc/ssh/ssh_config && (grep -q "^Include 
/etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
+    echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
+    echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/ssh_config :"
+    echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans clients
 # Migration to /usr/etc.
@@ -532,12 +586,21 @@
 %config %{_fwdefdir}/sshd
 %endif
 
+%if 0%{with allow_root_password_login_by_default}
+%files server-config-disallow-rootlogin
+%if %{defined _distconfdir}
+%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
+%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%endif
+%else
 %files server-config-rootlogin
 %if %{defined _distconfdir}
 %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %else
 %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
+%endif
 
 %files clients
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d

++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.eBFEPV/_old  2024-05-17 20:04:11.569279412 +0200
+++ /var/tmp/diff_new_pack.eBFEPV/_new  2024-05-17 20:04:11.573279556 +0200
@@ -5,6 +5,13 @@
 
 * PAM authentication is enabled and mostly even required, do not turn it off.
 
+* In SLE15, root authentiation with password is enabled by default
+  (PermitRootLogin yes).
+  NOTE: this has security implications and is only done in order to not change
+  behaviour of the server in an update. We strongly suggest setting this option
+  either "prohibit-password" or even better to "no" (which disables direct
+  remote root login entirely).
+
 * DSA authentication is enabled by default for maximum compatibility.
   NOTE: do not use DSA authentication since it is being phased out for a reason
   - the size of DSA keys is limited by the standard to 1024 bits which cannot

++++++ openssh-7.7p1-allow_root_password_login.patch ++++++
# HG changeset patch
# Parent  af43d436bc7fe818dd976c923ad99b89051eb299
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.

Index: openssh-8.4p1/servconf.c
===================================================================
--- openssh-8.4p1.orig/servconf.c
+++ openssh-8.4p1/servconf.c
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
        if (options->login_grace_time == -1)
                options->login_grace_time = 120;
        if (options->permit_root_login == PERMIT_NOT_SET)
-               options->permit_root_login = PERMIT_NO_PASSWD;
+               options->permit_root_login = PERMIT_YES;
        if (options->ignore_rhosts == -1)
                options->ignore_rhosts = 1;
        if (options->ignore_user_known_hosts == -1)
Index: openssh-8.4p1/sshd_config
===================================================================
--- openssh-8.4p1.orig/sshd_config
+++ openssh-8.4p1/sshd_config
@@ -29,7 +29,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
Index: openssh-8.4p1/sshd_config.0
===================================================================
--- openssh-8.4p1.orig/sshd_config.0
+++ openssh-8.4p1/sshd_config.0
@@ -778,7 +778,7 @@ DESCRIPTION
      PermitRootLogin
              Specifies whether root can log in using ssh(1).  The argument
              must be yes, prohibit-password, forced-commands-only, or no.  The
-             default is prohibit-password.
+             default is yes.
 
              If this option is set to prohibit-password (or its deprecated
              alias, without-password), password and keyboard-interactive
Index: openssh-8.4p1/sshd_config.5
===================================================================
--- openssh-8.4p1.orig/sshd_config.5
+++ openssh-8.4p1/sshd_config.5
@@ -1331,7 +1331,7 @@ The argument must be
 or
 .Cm no .
 The default is
-.Cm prohibit-password .
+.Cm yes .
 .Pp
 If this option is set to
 .Cm prohibit-password
