openssh/openssh-7.2p2-enable_PAM_by_default.patch

# HG changeset patch
# Parent  a51f9cba48652fc5df45b9ac8bd238268c70673c
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
# --used to be called '-pam-fix2'

diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
--- a/openssh-7.2p2/sshd_config
+++ b/openssh-7.2p2/sshd_config
@@ -64,17 +64,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
@@ -89,17 +89,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`# HG changeset patch`
Accepting request 432093 from home:pcerny:factory next round of patches - allow X forwarding over IPv4 when IPv6 sockets is not available [openssh-7.2p2-X_forward_with_disabled_ipv6.patch] - do not write PID file when not daemonizing [openssh-7.2p2-no_fork-no_pid_file.patch] - use correct options when invoking login [openssh-7.2p2-login_options.patch] - helper application for retrieving users' public keys from an LDAP server [openssh-7.2p2-ldap.patch] - allow forcing permissions over sftp [openssh-7.2p2-sftp_force_permissions.patch] - do not perform run-time checks for OpenSSL API/ABI change [openssh-7.2p2-disable-openssl-abi-check.patch] - suggest commands for cleaning known hosts file [openssh-7.2p2-host_ident.patch] - sftp home chroot patch [openssh-7.2p2-sftp_homechroot.patch] - ssh sessions auditing [openssh-7.2p2-audit.patch] - enable seccomp sandbox on additional architectures [openssh-7.2p2-additional_seccomp_archs.patch] OBS-URL: https://build.opensuse.org/request/show/432093 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112 2016-09-30 22:34:19 +02:00			`# Parent a51f9cba48652fc5df45b9ac8bd238268c70673c`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`# force PAM in defaullt install (this was removed from upstream in 3.8p1)`
			`# bnc#46749`
Accepting request 407066 from home:pcerny:factory - enable support for SSHv1 protocol and discourage its usage (bsc#983307) - enable DSA by default for backward compatibility and discourage its usage (bsc#983784) [openssh-7.2p2-allow_DSS_by_default.patch] - upgrade to 7.2p2 upstream package without any SUSE patches Distilled upstream log: - OpenSSH 6.7 Potentially-incompatible changes: * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. * sshd(8): Support for tcpwrappers/libwrap has been removed. * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features: * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. OBS-URL: https://build.opensuse.org/request/show/407066 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107 2016-07-07 09:07:23 +02:00			`# --used to be called '-pam-fix2'`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config`
			`--- a/openssh-7.2p2/sshd_config`
			`+++ b/openssh-7.2p2/sshd_config`
Accepting request 222365 from home:pcerny:factory - Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63 2014-02-14 15:54:10 +01:00			`@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`#HostbasedAuthentication no`
			`# Change to yes if you don't trust ~/.ssh/known_hosts for`
			`# RhostsRSAAuthentication and HostbasedAuthentication`
			`#IgnoreUserKnownHosts no`
			`# Don't read the user's ~/.rhosts and ~/.shosts files`
			`#IgnoreRhosts yes`

			`# To disable tunneled clear text passwords, change to no here!`
			`-#PasswordAuthentication yes`
			`+PasswordAuthentication no`
			`#PermitEmptyPasswords no`

			`# Change to no to disable s/key passwords`
			`#ChallengeResponseAuthentication yes`

			`# Kerberos options`
			`#KerberosAuthentication no`
			`#KerberosOrLocalPasswd yes`
Accepting request 222365 from home:pcerny:factory - Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63 2014-02-14 15:54:10 +01:00			`@@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys`
			`# and session processing. If this is enabled, PAM authentication will`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`# be allowed through the ChallengeResponseAuthentication and`
			`# PasswordAuthentication. Depending on your PAM configuration,`
			`# PAM authentication via ChallengeResponseAuthentication may bypass`
			`# the setting of "PermitRootLogin without-password".`
			`# If you just want the PAM account and session checks to run without`
			`# PAM authentication, then enable this but set PasswordAuthentication`
			`# and ChallengeResponseAuthentication to 'no'.`
			`-#UsePAM no`
			`+UsePAM yes`

			`#AllowAgentForwarding yes`
			`#AllowTcpForwarding yes`
			`#GatewayPorts no`
			`X11Forwarding yes`
			`#X11DisplayOffset 10`
			`#X11UseLocalhost yes`
Accepting request 222365 from home:pcerny:factory - Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63 2014-02-14 15:54:10 +01:00			`#PermitTTY yes`