Ana Guerrero 2024-05-15 19:25:44 +00:00 committed by Git OBS Bridge
commit 5d0cbae36f
4 changed files with 119 additions and 1 deletions


@ -5,6 +5,13 @@ There are following changes in default settings of ssh client and server:
* PAM authentication is enabled and mostly even required, do not turn it off. * PAM authentication is enabled and mostly even required, do not turn it off.
* In SLE15, root authentiation with password is enabled by default
(PermitRootLogin yes).
NOTE: this has security implications and is only done in order to not change
behaviour of the server in an update. We strongly suggest setting this option
either "prohibit-password" or even better to "no" (which disables direct
remote root login entirely).
* DSA authentication is enabled by default for maximum compatibility. * DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot - the size of DSA keys is limited by the standard to 1024 bits which cannot


@ -0,0 +1,59 @@
# HG changeset patch
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
Index: openssh-8.4p1/servconf.c
===================================================================
--- openssh-8.4p1.orig/servconf.c
+++ openssh-8.4p1/servconf.c
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
Index: openssh-8.4p1/sshd_config
===================================================================
--- openssh-8.4p1.orig/sshd_config
+++ openssh-8.4p1/sshd_config
@@ -29,7 +29,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Index: openssh-8.4p1/sshd_config.0
===================================================================
--- openssh-8.4p1.orig/sshd_config.0
+++ openssh-8.4p1/sshd_config.0
@@ -778,7 +778,7 @@ DESCRIPTION
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
Index: openssh-8.4p1/sshd_config.5
===================================================================
--- openssh-8.4p1.orig/sshd_config.5
+++ openssh-8.4p1/sshd_config.5
@@ -1331,7 +1331,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password
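Review bot: The servconf.c hunk changes the compiled-in fallback (`options->permit_root_login = PERMIT_YES;`) in addition to the shipped sshd_config, so any configuration that simply omits PermitRootLogin — an admin-written minimal sshd_config, or a test run with `-f /dev/null` — now silently permits password root login, which is broader than the stated goal of not altering the shipped default on update. Keeping the upstream line `options->permit_root_login = PERMIT_NO_PASSWD;` and carrying the SLE behaviour only through the sshd_config hunk (`PermitRootLogin yes`) would confine the relaxation to the file an administrator can see and edit, and would leave the sshd_config.5/sshd_config.0 text matching upstream. fill_default_server_options begins and ends outside the hunk. The patch header could also record the bug reference the changelog cites (bsc#1223486) so a later rebase knows why it exists.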


@ -1,3 +1,18 @@
-------------------------------------------------------------------
Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Only for SLE15, restore the patch file removed in
Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
from SP5 of having root password login allowed by default
(fixes bsc#1223486, related to bsc#1173067):
* openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to
permit root to use password logins in SLE15, the
openssh-server-config-rootlogin subpackage isn't useful there so
we now create an openssh-server-config-disallow-rootlogin
subpackage that sets the configuration the other way around
than openssh-server-config-rootlogin.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner <meissner@suse.com> Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner <meissner@suse.com>


@ -28,8 +28,10 @@
%if 0%{?suse_version} >= 1550 %if 0%{?suse_version} >= 1550
%bcond_without wtmpdb %bcond_without wtmpdb
%bcond_with allow_root_password_login_by_default
%else %else
%bcond_with wtmpdb %bcond_with wtmpdb
%bcond_without allow_root_password_login_by_default
%endif %endif
#Compat macro for new _fillupdir macro introduced in Nov 2017 #Compat macro for new _fillupdir macro introduced in Nov 2017
@ -126,6 +128,9 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107: openssh-9.6p1-crypto-policies.patch Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch Patch108: openssh-9.6p1-crypto-policies-man.patch
%if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: automake BuildRequires: automake
BuildRequires: groff BuildRequires: groff
@ -192,7 +197,7 @@ Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release}
Requires: crypto-policies >= 20220824 Requires: crypto-policies >= 20220824
Recommends: audit Recommends: audit
%if 0%{?suse_version} == 1500 %if 0%{without allow_root_password_login_by_default}
Recommends: openssh-server-config-rootlogin Recommends: openssh-server-config-rootlogin
%endif %endif
Requires(pre): findutils Requires(pre): findutils
@ -214,16 +219,31 @@ also be forwarded over the secure channel.
This package contains the Secure Shell daemon, which allows clients to This package contains the Secure Shell daemon, which allows clients to
securely connect to your server. securely connect to your server.
%if 0%{with allow_root_password_login_by_default}
%package server-config-disallow-rootlogin
Summary: Config to disallow password root logins to sshd
Group: Productivity/Networking/SSH
Requires: %{name}-server = %{version}-%{release}
Conflicts: %{name}-server-config-rootlogin
%description server-config-disallow-rootlogin
The openssh-server package by default allows password based
root logins. This package provides a config that disallows root
to log in using the passwor. It's useful to secure your system
preventing password attacks on the root account over ssh.
%else
%package server-config-rootlogin %package server-config-rootlogin
Summary: Config to permit root logins to sshd Summary: Config to permit root logins to sshd
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Requires: %{name}-server = %{version}-%{release} Requires: %{name}-server = %{version}-%{release}
Conflicts: %{name}-server-config-disallow-rootlogin
%description server-config-rootlogin %description server-config-rootlogin
The openssh-server package by default disallows password based The openssh-server package by default disallows password based
root logins. This package provides a config that does. It's useful root logins. This package provides a config that does. It's useful
to temporarily have a password based login to be able to use to temporarily have a password based login to be able to use
ssh-copy-id(1). ssh-copy-id(1).
%endif
%package clients %package clients
Summary: SSH (Secure Shell) client applications Summary: SSH (Secure Shell) client applications
@ -369,7 +389,11 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
%if 0%{with allow_root_password_login_by_default}
echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
# Move /etc to /usr/etc/ssh # Move /etc to /usr/etc/ssh
%if %{defined _distconfdir} %if %{defined _distconfdir}
@ -377,8 +401,12 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
%if 0%{with allow_root_password_login_by_default}
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif %endif
%endif
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
%if %{defined _distconfdir} %if %{defined _distconfdir}
@ -532,12 +560,21 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%config %{_fwdefdir}/sshd %config %{_fwdefdir}/sshd
%endif %endif
%if 0%{with allow_root_password_login_by_default}
%files server-config-disallow-rootlogin
%if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%endif
%else
%files server-config-rootlogin %files server-config-rootlogin
%if %{defined _distconfdir} %if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%else %else
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif %endif
%endif
%files clients %files clients
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
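Review bot: The new `%bcond_without allow_root_password_login_by_default` in the `%else` branch keys on `suse_version < 1550`, which — if openSUSE Leap 15.x builds report suse_version 1500 as SLE15 does — also enables password root login by default on Leap, wider than the changelog's "Only for SLE15"; keying the bcond on an SLE-only condition such as `%if 0%{?sle_version} && !0%{?is_opensuse}` would match the stated intent. In the install hunk, the disallow subpackage's `51-permit-root-login.conf` (`PermitRootLogin prohibit-password`) only takes effect if the `Include` of sshd_config.d appears before the now-uncommented `PermitRootLogin yes` in the patched sshd_config, because sshd keeps the first value it reads for an option; that ordering is not visible here and should be verified, otherwise the drop-in is a no-op. The `%description server-config-disallow-rootlogin` text has a typo, `passwor` → `password`.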