- Drop patch openssh-7.7p1-allow_root_password_login.patch
* There is no reason to set a less secure default value; if users need the behaviour they can still set it up themselves - Drop patch openssh-7.7p1-blocksigalrm.patch * We had a bug about this a long time ago, but it was never reproduced or even confirmed in the ticket, so we rather drop the patch OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=155
parent
c159d0ce66
commit
704eb5c303
@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server:
|
||||
|
||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||
|
||||
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
||||
NOTE: this has security implications and is only done in order to not change
|
||||
behaviour of the server in an update. We strongly suggest setting this option
|
||||
either "prohibit-password" or even better to "no" (which disables direct
|
||||
remote root login entirely).
|
||||
|
||||
* DSA authentication is enabled by default for maximum compatibility.
|
||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||
|
@ -1,95 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
|
||||
--- openssh-7.7p1/servconf.c
|
||||
+++ openssh-7.7p1/servconf.c
|
||||
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
|
||||
options->address_family = AF_UNSPEC;
|
||||
if (options->listen_addrs == NULL)
|
||||
add_listen_addr(options, NULL, NULL, 0);
|
||||
if (options->pid_file == NULL)
|
||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
options->ignore_user_known_hosts = 0;
|
||||
if (options->print_motd == -1)
|
||||
options->print_motd = 1;
|
||||
if (options->print_lastlog == -1)
|
||||
options->print_lastlog = 1;
|
||||
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
|
||||
--- openssh-7.7p1/sshd_config
|
||||
+++ openssh-7.7p1/sshd_config
|
||||
@@ -24,17 +24,17 @@
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
|
||||
--- openssh-7.7p1/sshd_config.0
|
||||
+++ openssh-7.7p1/sshd_config.0
|
||||
@@ -709,17 +709,17 @@ DESCRIPTION
|
||||
none can be used to prohibit all forwarding requests. The
|
||||
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
|
||||
ports, respectively. By default all port forwarding requests are
|
||||
permitted.
|
||||
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
||||
- default is prohibit-password.
|
||||
+ default is yes.
|
||||
|
||||
If this option is set to prohibit-password (or its deprecated
|
||||
alias, without-password), password and keyboard-interactive
|
||||
authentication are disabled for root.
|
||||
|
||||
If this option is set to forced-commands-only, root login with
|
||||
public key authentication will be allowed, but only if the
|
||||
command option has been specified (which may be useful for taking
|
||||
diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
|
||||
--- openssh-7.7p1/sshd_config.5
|
||||
+++ openssh-7.7p1/sshd_config.5
|
||||
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
|
||||
.Xr ssh 1 .
|
||||
The argument must be
|
||||
.Cm yes ,
|
||||
.Cm prohibit-password ,
|
||||
.Cm forced-commands-only ,
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
||||
(or its deprecated alias,
|
||||
.Cm without-password ) ,
|
||||
password and keyboard-interactive authentication are disabled for root.
|
||||
.Pp
|
||||
If this option is set to
|
@ -1,75 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 2e66b48b2212113d9897a58aaada67557b7c4f35
|
||||
block SIGALRM while logging through syslog to prevent deadlocks
|
||||
(through grace_alarm_handler())
|
||||
|
||||
bnc#57354
|
||||
|
||||
diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
|
||||
--- openssh-7.7p1/log.c
|
||||
+++ openssh-7.7p1/log.c
|
||||
@@ -46,16 +46,17 @@
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
|
||||
# include <vis.h>
|
||||
#endif
|
||||
|
||||
#include "log.h"
|
||||
+#include <signal.h>
|
||||
|
||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||
static int log_on_stderr = 1;
|
||||
static int log_stderr_fd = STDERR_FILENO;
|
||||
static int log_facility = LOG_AUTH;
|
||||
static char *argv0;
|
||||
static log_handler_fn *log_handler;
|
||||
static void *log_handler_ctx;
|
||||
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
|
||||
{
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
#endif
|
||||
char msgbuf[MSGBUFSIZ];
|
||||
char fmtbuf[MSGBUFSIZ];
|
||||
char *txt = NULL;
|
||||
int pri = LOG_INFO;
|
||||
+ sigset_t nset, oset;
|
||||
int saved_errno = errno;
|
||||
log_handler_fn *tmp_handler;
|
||||
|
||||
if (level > log_level)
|
||||
return;
|
||||
|
||||
switch (level) {
|
||||
case SYSLOG_LEVEL_FATAL:
|
||||
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
|
||||
log_handler = NULL;
|
||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
||||
log_handler = tmp_handler;
|
||||
} else if (log_on_stderr) {
|
||||
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
|
||||
(int)sizeof msgbuf - 3, fmtbuf);
|
||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
||||
} else {
|
||||
+ /* Prevent a race between the grace_alarm which writes a
|
||||
+ * log message and terminates and main sshd code that leads
|
||||
+ * to deadlock as syslog is not async safe.
|
||||
+ */
|
||||
+ sigemptyset(&nset);
|
||||
+ sigaddset(&nset, SIGALRM);
|
||||
+ sigprocmask(SIG_BLOCK, &nset, &oset);
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
closelog_r(&sdata);
|
||||
#else
|
||||
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
||||
syslog(pri, "%.500s", fmtbuf);
|
||||
closelog();
|
||||
#endif
|
||||
+ sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||
}
|
||||
errno = saved_errno;
|
||||
}
|
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Drop patch openssh-7.7p1-allow_root_password_login.patch
|
||||
* There is no reason to set less secure default value, if
|
||||
users need the behaviour they can still set it up themselves
|
||||
- Drop patch openssh-7.7p1-blocksigalrm.patch
|
||||
* We had a bug way in past about this but it was never reproduced
|
||||
or even confirmed in the ticket, thus rather drop the patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
|
@ -55,11 +55,9 @@ Source9: sshd-gen-keys-start
|
||||
Source10: sshd.service
|
||||
Source11: README.FIPS
|
||||
Source12: cavs_driver-ssh.pl
|
||||
Patch0: openssh-7.7p1-allow_root_password_login.patch
|
||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||
Patch4: openssh-7.7p1-eal3.patch
|
||||
Patch5: openssh-7.7p1-blocksigalrm.patch
|
||||
Patch6: openssh-7.7p1-send_locale.patch
|
||||
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
||||
|
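Review bot: Removing the `Patch0:` and `Patch5:` declarations in this hunk only covers half of the drop; the `%prep` section that applies them is outside the hunk, and unless the spec uses `%autopatch`/`%autosetup` the matching `%patch0 -p1` and `%patch5 -p1` lines must be removed as well or the build fails (they may be handled further down in this commit, which is not visible here). Dropping openssh-7.7p1-allow_root_password_login.patch also moves sshd's effective `PermitRootLogin` default from `yes` back to upstream's `prohibit-password` on every host that never set the option explicitly, and neither the changes entry nor the README.SUSE hunk states that upgrade impact; a sentence such as "The PermitRootLogin default is now upstream's prohibit-password; set it explicitly in sshd_config if you rely on a different value" would let administrators make that choice deliberately instead of discovering it at the next root login. The numbering gaps left behind (Patch1, Patch3, Patch4, Patch6…) are harmless but worth closing in a follow-up so the patch list stays readable.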