- Drop patch openssh-7.7p1-allow_root_password_login.patch

* There is no reason to set less secure default value, if
    users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
  * We had a bug way in past about this but it was never reproduced
    or even confirmed in the ticket, thus rather drop the patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=155
This commit is contained in:
Tomáš Chvátal 2018-10-19 08:41:04 +00:00 committed by Git OBS Bridge
parent c159d0ce66
commit 704eb5c303
5 changed files with 10 additions and 178 deletions

View File

@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server:
* PAM authentication is enabled and mostly even required, do not turn it off.
* root authentiation with password is enabled by default (PermitRootLogin yes).
NOTE: this has security implications and is only done in order to not change
behaviour of the server in an update. We strongly suggest setting this option
either "prohibit-password" or even better to "no" (which disables direct
remote root login entirely).
* DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot

View File

@ -1,95 +0,0 @@
# HG changeset patch
# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
--- openssh-7.7p1/servconf.c
+++ openssh-7.7p1/servconf.c
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
options->address_family = AF_UNSPEC;
if (options->listen_addrs == NULL)
add_listen_addr(options, NULL, NULL, 0);
if (options->pid_file == NULL)
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
options->ignore_user_known_hosts = 0;
if (options->print_motd == -1)
options->print_motd = 1;
if (options->print_lastlog == -1)
options->print_lastlog = 1;
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
--- openssh-7.7p1/sshd_config
+++ openssh-7.7p1/sshd_config
@@ -24,17 +24,17 @@
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
--- openssh-7.7p1/sshd_config.0
+++ openssh-7.7p1/sshd_config.0
@@ -709,17 +709,17 @@ DESCRIPTION
none can be used to prohibit all forwarding requests. The
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
ports, respectively. By default all port forwarding requests are
permitted.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
authentication are disabled for root.
If this option is set to forced-commands-only, root login with
public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
--- openssh-7.7p1/sshd_config.5
+++ openssh-7.7p1/sshd_config.5
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Cm yes ,
.Cm prohibit-password ,
.Cm forced-commands-only ,
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password
(or its deprecated alias,
.Cm without-password ) ,
password and keyboard-interactive authentication are disabled for root.
.Pp
If this option is set to

View File

@ -1,75 +0,0 @@
# HG changeset patch
# Parent 2e66b48b2212113d9897a58aaada67557b7c4f35
block SIGALRM while logging through syslog to prevent deadlocks
(through grace_alarm_handler())
bnc#57354
diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
--- openssh-7.7p1/log.c
+++ openssh-7.7p1/log.c
@@ -46,16 +46,17 @@
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
# include <vis.h>
#endif
#include "log.h"
+#include <signal.h>
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
static int log_stderr_fd = STDERR_FILENO;
static int log_facility = LOG_AUTH;
static char *argv0;
static log_handler_fn *log_handler;
static void *log_handler_ctx;
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
{
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
char msgbuf[MSGBUFSIZ];
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
+ sigset_t nset, oset;
int saved_errno = errno;
log_handler_fn *tmp_handler;
if (level > log_level)
return;
switch (level) {
case SYSLOG_LEVEL_FATAL:
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
log_handler = NULL;
tmp_handler(level, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
+ /* Prevent a race between the grace_alarm which writes a
+ * log message and terminates and main sshd code that leads
+ * to deadlock as syslog is not async safe.
+ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
+ sigprocmask(SIG_SETMASK, &oset, NULL);
}
errno = saved_errno;
}

View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Drop patch openssh-7.7p1-allow_root_password_login.patch
* There is no reason to set less secure default value, if
users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
* We had a bug way in past about this but it was never reproduced
or even confirmed in the ticket, thus rather drop the patch
-------------------------------------------------------------------
Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>

View File

@ -55,11 +55,9 @@ Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
Patch0: openssh-7.7p1-allow_root_password_login.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch
Patch5: openssh-7.7p1-blocksigalrm.patch
Patch6: openssh-7.7p1-send_locale.patch
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch