- Drop patch openssh-7.7p1-allow_root_password_login.patch

* There is no reason to set less secure default value, if
    users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
  * We had a bug way in past about this but it was never reproduced
    or even confirmed in the ticket, thus rather drop the patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=155

README.SUSE

@@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server:
 
 * PAM authentication is enabled and mostly even required, do not turn it off.
 
-* root authentiation with password is enabled by default (PermitRootLogin yes).
-  NOTE: this has security implications and is only done in order to not change
-  behaviour of the server in an update. We strongly suggest setting this option
-  either "prohibit-password" or even better to "no" (which disables direct
-  remote root login entirely).
-
 * DSA authentication is enabled by default for maximum compatibility.
   NOTE: do not use DSA authentication since it is being phased out for a reason
   - the size of DSA keys is limited by the standard to 1024 bits which cannot

openssh-7.7p1-allow_root_password_login.patch

@@ -1,95 +0,0 @@
-# HG changeset patch
-# Parent  3bf0158be93bd08d60a30a320650ea7f9844ef50
-Allow root login with password by default. While less secure than upstream
-default of forbidding access to the root account with a password, we are
-temporarily introducing this change to keep the default used in older OpenSSH
-versions shipped with SLE.
-
-diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
---- openssh-7.7p1/servconf.c
-+++ openssh-7.7p1/servconf.c
-@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
- 		options->address_family = AF_UNSPEC;
- 	if (options->listen_addrs == NULL)
- 		add_listen_addr(options, NULL, NULL, 0);
- 	if (options->pid_file == NULL)
- 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
- 	if (options->login_grace_time == -1)
- 		options->login_grace_time = 120;
- 	if (options->permit_root_login == PERMIT_NOT_SET)
--		options->permit_root_login = PERMIT_NO_PASSWD;
-+		options->permit_root_login = PERMIT_YES;
- 	if (options->ignore_rhosts == -1)
- 		options->ignore_rhosts = 1;
- 	if (options->ignore_user_known_hosts == -1)
- 		options->ignore_user_known_hosts = 0;
- 	if (options->print_motd == -1)
- 		options->print_motd = 1;
- 	if (options->print_lastlog == -1)
- 		options->print_lastlog = 1;
-diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
---- openssh-7.7p1/sshd_config
-+++ openssh-7.7p1/sshd_config
-@@ -24,17 +24,17 @@
- 
- # Logging
- #SyslogFacility AUTH
- #LogLevel INFO
- 
- # Authentication:
- 
- #LoginGraceTime 2m
--#PermitRootLogin prohibit-password
-+#PermitRootLogin yes
- #StrictModes yes
- #MaxAuthTries 6
- #MaxSessions 10
- 
- #PubkeyAuthentication yes
- 
- # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
- # but this is overridden so installations will only check .ssh/authorized_keys
-diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
---- openssh-7.7p1/sshd_config.0
-+++ openssh-7.7p1/sshd_config.0
-@@ -709,17 +709,17 @@ DESCRIPTION
-              none can be used to prohibit all forwarding requests.  The
-              wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
-              ports, respectively.  By default all port forwarding requests are
-              permitted.
- 
-      PermitRootLogin
-              Specifies whether root can log in using ssh(1).  The argument
-              must be yes, prohibit-password, forced-commands-only, or no.  The
--             default is prohibit-password.
-+             default is yes.
- 
-              If this option is set to prohibit-password (or its deprecated
-              alias, without-password), password and keyboard-interactive
-              authentication are disabled for root.
- 
-              If this option is set to forced-commands-only, root login with
-              public key authentication will be allowed, but only if the
-              command option has been specified (which may be useful for taking
-diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
---- openssh-7.7p1/sshd_config.5
-+++ openssh-7.7p1/sshd_config.5
-@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
- .Xr ssh 1 .
- The argument must be
- .Cm yes ,
- .Cm prohibit-password ,
- .Cm forced-commands-only ,
- or
- .Cm no .
- The default is
--.Cm prohibit-password .
-+.Cm yes .
- .Pp
- If this option is set to
- .Cm prohibit-password
- (or its deprecated alias,
- .Cm without-password ) ,
- password and keyboard-interactive authentication are disabled for root.
- .Pp
- If this option is set to

openssh-7.7p1-blocksigalrm.patch

@@ -1,75 +0,0 @@
-# HG changeset patch
-# Parent  2e66b48b2212113d9897a58aaada67557b7c4f35
-block SIGALRM while logging through syslog to prevent deadlocks
-(through grace_alarm_handler())
-
-bnc#57354
-
-diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
---- openssh-7.7p1/log.c
-+++ openssh-7.7p1/log.c
-@@ -46,16 +46,17 @@
- #include <syslog.h>
- #include <unistd.h>
- #include <errno.h>
- #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
- # include <vis.h>
- #endif
- 
- #include "log.h"
-+#include <signal.h>
- 
- static LogLevel log_level = SYSLOG_LEVEL_INFO;
- static int log_on_stderr = 1;
- static int log_stderr_fd = STDERR_FILENO;
- static int log_facility = LOG_AUTH;
- static char *argv0;
- static log_handler_fn *log_handler;
- static void *log_handler_ctx;
-@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt, 
- {
- #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
- 	struct syslog_data sdata = SYSLOG_DATA_INIT;
- #endif
- 	char msgbuf[MSGBUFSIZ];
- 	char fmtbuf[MSGBUFSIZ];
- 	char *txt = NULL;
- 	int pri = LOG_INFO;
-+	sigset_t nset, oset;
- 	int saved_errno = errno;
- 	log_handler_fn *tmp_handler;
- 
- 	if (level > log_level)
- 		return;
- 
- 	switch (level) {
- 	case SYSLOG_LEVEL_FATAL:
-@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt, 
- 		log_handler = NULL;
- 		tmp_handler(level, fmtbuf, log_handler_ctx);
- 		log_handler = tmp_handler;
- 	} else if (log_on_stderr) {
- 		snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
- 		    (int)sizeof msgbuf - 3, fmtbuf);
- 		(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
- 	} else {
-+		/* Prevent a race between the grace_alarm which writes a
-+		 * log message and terminates and main sshd code that leads
-+		 * to deadlock as syslog is not async safe.
-+		 */ 
-+		sigemptyset(&nset);
-+		sigaddset(&nset, SIGALRM);
-+		sigprocmask(SIG_BLOCK, &nset, &oset);
- #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
- 		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
- 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
- 		closelog_r(&sdata);
- #else
- 		openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
- 		syslog(pri, "%.500s", fmtbuf);
- 		closelog();
- #endif
-+		sigprocmask(SIG_SETMASK, &oset, NULL);
- 	}
- 	errno = saved_errno;
- }

openssh.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Drop patch openssh-7.7p1-allow_root_password_login.patch
+  * There is no reason to set less secure default value, if
+    users need the behaviour they can still set it up themselves
+- Drop patch openssh-7.7p1-blocksigalrm.patch
+  * We had a bug way in past about this but it was never reproduced
+    or even confirmed in the ticket, thus rather drop the patch
+
 -------------------------------------------------------------------
 Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 

openssh.spec

@@ -55,11 +55,9 @@ Source9:        sshd-gen-keys-start
 Source10:       sshd.service
 Source11:       README.FIPS
 Source12:       cavs_driver-ssh.pl
-Patch0:         openssh-7.7p1-allow_root_password_login.patch
 Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
 Patch4:         openssh-7.7p1-eal3.patch
-Patch5:         openssh-7.7p1-blocksigalrm.patch
 Patch6:         openssh-7.7p1-send_locale.patch
 Patch7:         openssh-7.7p1-hostname_changes_when_forwarding_X.patch
 Patch8:         openssh-7.7p1-remove_xauth_cookies_on_exit.patch