From 1f2a4cd9cc364dd62979ddaa7f9c70a3a9b7d330d2e02bbba4d94f4a6b2f252b Mon Sep 17 00:00:00 2001 From: Antonio Larrosa Date: Mon, 15 Apr 2024 06:21:11 +0000 Subject: [PATCH 1/3] Accepting request 1167038 from home:alarrosa:branches:network - Make openssh-server recommend the openssh-server-config-rootlogin package in SLE in order to keep the same behaviour of previous SPs where the PermitRootLogin default was set to yes. - Fix crypto-policies requirement to be set by openssh-server, not the config-rootlogin subpackage. - Add back %config(noreplace) tag for more config files that were already set like this in previous SPs. OBS-URL: https://build.opensuse.org/request/show/1167038 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=263 --- openssh.changes | 11 +++++++++++ openssh.spec | 11 +++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/openssh.changes b/openssh.changes index eed4894..6808adb 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Apr 12 10:04:45 UTC 2024 - Antonio Larrosa + +- Make openssh-server recommend the openssh-server-config-rootlogin + package in SLE in order to keep the same behaviour of previous + SPs where the PermitRootLogin default was set to yes. +- Fix crypto-policies requirement to be set by openssh-server, not + the config-rootlogin subpackage. +- Add back %config(noreplace) tag for more config files that were + already set like this in previous SPs. + ------------------------------------------------------------------- Thu Apr 11 06:35:21 UTC 2024 - Arnav Singh diff --git a/openssh.spec b/openssh.spec index 7e87b12..99c96b5 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -190,7 +190,11 @@ clients. Summary: SSH (Secure Shell) server Group: Productivity/Networking/SSH Requires: %{name}-common = %{version}-%{release} +Requires: crypto-policies >= 20220824 Recommends: audit +%if 0%{?suse_version} == 1500 +Recommends: openssh-server-config-rootlogin +%endif Requires(pre): findutils Requires(pre): grep Requires(post): %fillup_prereq @@ -213,7 +217,6 @@ securely connect to your server. %package server-config-rootlogin Summary: Config to permit root logins to sshd Group: Productivity/Networking/SSH -Requires: crypto-policies >= 20220824 Requires: %{name}-server = %{version}-%{release} %description server-config-rootlogin @@ -485,7 +488,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d %else %attr(0755,root,root) %dir %{_sysconfdir}/ssh -%attr(0600,root,root) %{_sysconfdir}/ssh/moduli +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d %endif %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* @@ -533,7 +536,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %if %{defined _distconfdir} %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %else -%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif %files clients @@ -542,7 +545,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config %else -%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %endif %attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/scp* From 6016b8b08a26b2479831397f52cfd5de9fc27a3009f1848e2844ae7834e627b2 Mon Sep 17 00:00:00 2001 
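Review bot: The new `Recommends: openssh-server-config-rootlogin` in the `@@ -190` hunk is guarded only by `%if 0%{?suse_version} == 1500`, which tests a version number rather than a product, so it may also match other code-15 builds and not only SLE as the changelog states. Because recommended packages are installed by default, a normal install gets the `PermitRootLogin yes` drop-in while an install done without recommended packages does not, and nothing in the spec records that difference. I would add a comment above the block, for example `# SLE 15 compatibility: installs the PermitRootLogin yes drop-in by default; remove or lock the package to keep sshd's built-in default`, and confirm the condition cannot match a product where the stricter default is wanted.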
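Review bot: In the `@@ -533` hunk only the `%else` branch marks `50-permit-root-login.conf` as `%config(noreplace)`; the `%{_distconfdir}` copy stays a plain packaged file, so a local edit to it would presumably be overwritten on update. That is reasonable if the vendor directory is not meant to be edited, but the spec does not say so. Since sshd uses the first value it reads for a keyword, an administrator who wants a stricter `PermitRootLogin` needs a drop-in that is read before this one, or has to remove the subpackage. A comment above the `%if` would cover it, for example `# vendor copy is not a config file: override with a drop-in that is read before 50-permit-root-login.conf`. The same tag is added for `moduli` (`@@ -485`) and `ssh_config` (`@@ -542`), where a locally modified file will from now on receive packaged changes only as `.rpmnew`.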
From: Antonio Larrosa Date: Mon, 15 Apr 2024 15:41:38 +0000 Subject: [PATCH 2/3] Accepting request 1167816 from home:msmeissn:branches:network - openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer, added missing parameter (bsc#1222840) OBS-URL: https://build.opensuse.org/request/show/1167816 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=264 --- openssh-8.0p1-gssapi-keyex.patch | 5 +++-- openssh.changes | 6 ++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index e760f13..2f949b1 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -151,7 +151,7 @@ Index: openssh-9.6p1/auth2-gss.c + * The 'gssapi_keyex' userauth mechanism. + */ +static int -+userauth_gsskeyex(struct ssh *ssh) ++userauth_gsskeyex(struct ssh *ssh, const char *method) +{ + Authctxt *authctxt = ssh->authctxt; + int r, authenticated = 0; @@ -213,12 +213,13 @@ Index: openssh-9.6p1/auth2-gss.c else logit("GSSAPI MIC check failed"); -@@ -333,6 +377,12 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -333,6 +377,13 @@ input_gssapi_mic(int type, u_int32_t ple return 0; } +Authmethod method_gsskeyex = { + "gssapi-keyex", ++ "NULL", + userauth_gsskeyex, + &options.gss_authentication +}; diff --git a/openssh.changes b/openssh.changes index 6808adb..fd9b72f 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner + +- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer, + added missing parameter (bsc#1222840) + ------------------------------------------------------------------- Fri Apr 12 10:04:45 UTC 2024 - Antonio Larrosa From 9d3cbd48d5a232af29e80b5225d236fc3ae89a22494213b8460d3799144e7fdb Mon Sep 17 00:00:00 2001 
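Review bot: The initializer added to `method_gsskeyex` in the `@@ -213` hunk is the string literal `"NULL"`, not the null pointer. If the second member of `Authmethod` is the synonym name, as its position between the method name and the handler suggests, the method would also be selectable under the literal name `NULL` instead of having no synonym. The line should read `NULL,` without quotes. The `method` parameter added to `userauth_gsskeyex` in the `@@ -151` hunk is not used in the lines shown; the function body continues outside the hunk, so confirm that is intended.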
From: Antonio Larrosa Date: Mon, 15 Apr 2024 17:00:32 +0000 Subject: [PATCH 3/3] Accepting request 1167855 from home:alarrosa:branches:network Add bugzilla reference to bsc#1221005 OBS-URL: https://build.opensuse.org/request/show/1167855 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=265 --- openssh.changes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssh.changes b/openssh.changes index fd9b72f..1331030 100644 --- a/openssh.changes +++ b/openssh.changes @@ -9,7 +9,8 @@ Fri Apr 12 10:04:45 UTC 2024 - Antonio Larrosa - Make openssh-server recommend the openssh-server-config-rootlogin package in SLE in order to keep the same behaviour of previous - SPs where the PermitRootLogin default was set to yes. + SPs where the PermitRootLogin default was set to yes + (bsc#1221005). - Fix crypto-policies requirement to be set by openssh-server, not the config-rootlogin subpackage. - Add back %config(noreplace) tag for more config files that were