diff --git a/README.SUSE b/README.SUSE
index cd33733..cb1f82b 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server: * PAM authentication is enabled and mostly even required, do not turn it off. -* root authentiation with password is enabled by default (PermitRootLogin yes). - NOTE: this has security implications and is only done in order to not change - behaviour of the server in an update. We strongly suggest setting this option - either "prohibit-password" or even better to "no" (which disables direct - remote root login entirely). - - * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot
diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch
deleted file mode 100644
index 13b0ae7..0000000
--- a/openssh-7.7p1-allow_root_password_login.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-# HG changeset patch
-# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
-Allow root login with password by default. While less secure than upstream
-default of forbidding access to the root account with a password, we are
-temporarily introducing this change to keep the default used in older OpenSSH
-versions shipped with SLE.
-
-diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
---- openssh-7.7p1/servconf.c
-+++ openssh-7.7p1/servconf.c
-@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
- options->address_family = AF_UNSPEC;
- if (options->listen_addrs == NULL)
- add_listen_addr(options, NULL, NULL, 0);
- if (options->pid_file == NULL)
- options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
- if (options->login_grace_time == -1)
- options->login_grace_time = 120;
- if (options->permit_root_login == PERMIT_NOT_SET)
-- options->permit_root_login = PERMIT_NO_PASSWD;
-+ options->permit_root_login = PERMIT_YES;
- if (options->ignore_rhosts == -1)
- options->ignore_rhosts = 1;
- if (options->ignore_user_known_hosts == -1)
- options->ignore_user_known_hosts = 0;
- if (options->print_motd == -1)
- options->print_motd = 1;
- if (options->print_lastlog == -1)
- options->print_lastlog = 1;
-diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
---- openssh-7.7p1/sshd_config
-+++ openssh-7.7p1/sshd_config
-@@ -24,17 +24,17 @@
- 
- # Logging
- #SyslogFacility AUTH
- #LogLevel INFO
- 
- # Authentication:
- 
- #LoginGraceTime 2m
--#PermitRootLogin prohibit-password
-+#PermitRootLogin yes
- #StrictModes yes
- #MaxAuthTries 6
- #MaxSessions 10
- 
- #PubkeyAuthentication yes
- 
- # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
- # but this is overridden so installations will only check .ssh/authorized_keys
-diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
---- openssh-7.7p1/sshd_config.0
-+++ openssh-7.7p1/sshd_config.0
-@@ -709,17 +709,17 @@ DESCRIPTION
- none can be used to prohibit all forwarding requests. The
- wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
- ports, respectively. By default all port forwarding requests are
- permitted.
- 
- PermitRootLogin
- Specifies whether root can log in using ssh(1). The argument
- must be yes, prohibit-password, forced-commands-only, or no. The
-- default is prohibit-password.
-+ default is yes.
- 
- If this option is set to prohibit-password (or its deprecated
- alias, without-password), password and keyboard-interactive
- authentication are disabled for root.
- 
- If this option is set to forced-commands-only, root login with
- public key authentication will be allowed, but only if the
- command option has been specified (which may be useful for taking
-diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
---- openssh-7.7p1/sshd_config.5
-+++ openssh-7.7p1/sshd_config.5
-@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
- .Xr ssh 1 .
- The argument must be
- .Cm yes ,
- .Cm prohibit-password ,
- .Cm forced-commands-only ,
- or
- .Cm no .
- The default is
--.Cm prohibit-password .
-+.Cm yes .
- .Pp
- If this option is set to
- .Cm prohibit-password
- (or its deprecated alias,
- .Cm without-password ) ,
- password and keyboard-interactive authentication are disabled for root.
- .Pp
- If this option is set to
diff --git a/openssh-7.7p1-blocksigalrm.patch b/openssh-7.7p1-blocksigalrm.patch
deleted file mode 100644
index a2a5716..0000000
--- a/openssh-7.7p1-blocksigalrm.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-# HG changeset patch
-# Parent 2e66b48b2212113d9897a58aaada67557b7c4f35
-block SIGALRM while logging through syslog to prevent deadlocks
-(through grace_alarm_handler())
-
-bnc#57354
-
-diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
---- openssh-7.7p1/log.c
-+++ openssh-7.7p1/log.c
-@@ -46,16 +46,17 @@
- #include
- #include
- #include
- #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
- # include
- #endif
- 
- #include "log.h"
-+#include
- 
- static LogLevel log_level = SYSLOG_LEVEL_INFO;
- static int log_on_stderr = 1;
- static int log_stderr_fd = STDERR_FILENO;
- static int log_facility = LOG_AUTH;
- static char *argv0;
- static log_handler_fn *log_handler;
- static void *log_handler_ctx;
-@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
- {
- #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
- struct syslog_data sdata = SYSLOG_DATA_INIT;
- #endif
- char msgbuf[MSGBUFSIZ];
- char fmtbuf[MSGBUFSIZ];
- char *txt = NULL;
- int pri = LOG_INFO;
-+ sigset_t nset, oset;
- int saved_errno = errno;
- log_handler_fn *tmp_handler;
- 
- if (level > log_level)
- return;
- 
- switch (level) {
- case SYSLOG_LEVEL_FATAL:
-@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
- log_handler = NULL;
- tmp_handler(level, fmtbuf, log_handler_ctx);
- log_handler = tmp_handler;
- } else if (log_on_stderr) {
- snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
- (int)sizeof msgbuf - 3, fmtbuf);
- (void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
- } else {
-+ /* Prevent a race between the grace_alarm which writes a
-+ * log message and terminates and main sshd code that leads
-+ * to deadlock as syslog is not async safe.
-+ */
-+ sigemptyset(&nset);
-+ sigaddset(&nset, SIGALRM);
-+ sigprocmask(SIG_BLOCK, &nset, &oset);
- #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
- openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
- syslog_r(pri, &sdata, "%.500s", fmtbuf);
- closelog_r(&sdata);
- #else
- openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
- syslog(pri, "%.500s", fmtbuf);
- closelog();
- #endif
-+ sigprocmask(SIG_SETMASK, &oset, NULL);
- }
- errno = saved_errno;
- }
diff --git a/openssh.changes b/openssh.changes
index 3eafc4d..3052e64 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal
+
+- Drop patch openssh-7.7p1-allow_root_password_login.patch
+ * There is no reason to set less secure default value, if
+ users need the behaviour they can still set it up themselves
+- Drop patch openssh-7.7p1-blocksigalrm.patch
+ * We had a bug way in past about this but it was never reproduced
+ or even confirmed in the ticket, thus rather drop the patch
+
 -------------------------------------------------------------------
 Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal
 
diff --git a/openssh.spec b/openssh.spec
index a531eaf..ec9bb7e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -55,11 +55,9 @@ Source9: sshd-gen-keys-start
 Source10: sshd.service
 Source11: README.FIPS
 Source12: cavs_driver-ssh.pl
-Patch0: openssh-7.7p1-allow_root_password_login.patch
 Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3: openssh-7.7p1-enable_PAM_by_default.patch
 Patch4: openssh-7.7p1-eal3.patch
-Patch5: openssh-7.7p1-blocksigalrm.patch
 Patch6: openssh-7.7p1-send_locale.patch
 Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
 Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
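Review bot: Removing `Patch0` in this hunk switches the packaged default from `PermitRootLogin yes` to upstream's `prohibit-password`, and nothing in the commit tells administrators that an update will change behaviour for hosts that rely on the default and log in as root with a password. The README.SUSE hunk only deletes the old note; I would replace it with something like `* root login with password is disabled by default (PermitRootLogin prohibit-password); set PermitRootLogin explicitly in sshd_config if you depend on it.` If the patches are applied by explicit `%patch0`/`%patch5` lines in `%prep` (not visible in this hunk), those have to be removed as well. For `Patch5`, the changelog justifies the drop with the bug never being reproduced; it would be worth recording whether the SIGALRM grace handler in this version can still reach syslog, since that is the condition the patch guarded against.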