diff --git a/README.SUSE b/README.SUSE index cb1f82b..1350a12 100644 --- a/README.SUSE +++ b/README.SUSE @@ -5,6 +5,13 @@ There are following changes in default settings of ssh client and server: * PAM authentication is enabled and mostly even required, do not turn it off. +* In SLE15, root authentiation with password is enabled by default + (PermitRootLogin yes). + NOTE: this has security implications and is only done in order to not change + behaviour of the server in an update. We strongly suggest setting this option + either "prohibit-password" or even better to "no" (which disables direct + remote root login entirely). + * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch new file mode 100644 index 0000000..815b8a5 --- /dev/null +++ b/openssh-7.7p1-allow_root_password_login.patch @@ -0,0 +1,59 @@ +# HG changeset patch +# Parent af43d436bc7fe818dd976c923ad99b89051eb299 +Allow root login with password by default. While less secure than upstream +default of forbidding access to the root account with a password, we are +temporarily introducing this change to keep the default used in older OpenSSH +versions shipped with SLE. + +Index: openssh-8.4p1/servconf.c +=================================================================== +--- openssh-8.4p1.orig/servconf.c ++++ openssh-8.4p1/servconf.c +@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption + if (options->login_grace_time == -1) + options->login_grace_time = 120; + if (options->permit_root_login == PERMIT_NOT_SET) +- options->permit_root_login = PERMIT_NO_PASSWD; ++ options->permit_root_login = PERMIT_YES; + if (options->ignore_rhosts == -1) + options->ignore_rhosts = 1; + if (options->ignore_user_known_hosts == -1) +Index: openssh-8.4p1/sshd_config +=================================================================== +--- openssh-8.4p1.orig/sshd_config ++++ openssh-8.4p1/sshd_config +@@ -29,7 +29,7 @@ + # Authentication: + + #LoginGraceTime 2m +-#PermitRootLogin prohibit-password ++PermitRootLogin yes + #StrictModes yes + #MaxAuthTries 6 + #MaxSessions 10 +Index: openssh-8.4p1/sshd_config.0 +=================================================================== +--- openssh-8.4p1.orig/sshd_config.0 ++++ openssh-8.4p1/sshd_config.0 +@@ -778,7 +778,7 @@ DESCRIPTION + PermitRootLogin + Specifies whether root can log in using ssh(1). The argument + must be yes, prohibit-password, forced-commands-only, or no. The +- default is prohibit-password. ++ default is yes. + + If this option is set to prohibit-password (or its deprecated + alias, without-password), password and keyboard-interactive +Index: openssh-8.4p1/sshd_config.5 +=================================================================== +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 +@@ -1331,7 +1331,7 @@ The argument must be + or + .Cm no . + The default is +-.Cm prohibit-password . ++.Cm yes . + .Pp + If this option is set to + .Cm prohibit-password diff --git a/openssh.changes b/openssh.changes index 1331030..1e5f3f8 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa + +- Remove the recommendation for openssh-server-config-rootlogin + from openssh-server. Since the default for that config option + was changed in SLE it's not needed anymore in SLE nor in TW + (boo#1224392). + +------------------------------------------------------------------- +Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa + +- Add a warning in %post of openssh-clients, openssh-server and + openssh-server-config-disallow-rootlogin to warn the user if + the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not + being used (bsc#1223486). + +------------------------------------------------------------------- +Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa + +- Only for SLE15, restore the patch file removed in + Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour + from SP5 of having root password login allowed by default + (fixes bsc#1223486, related to bsc#1173067): + * openssh-7.7p1-allow_root_password_login.patch +- Since the default value for this config option is now set to + permit root to use password logins in SLE15, the + openssh-server-config-rootlogin subpackage isn't useful there so + we now create an openssh-server-config-disallow-rootlogin + subpackage that sets the configuration the other way around + than openssh-server-config-rootlogin. + ------------------------------------------------------------------- Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner diff --git a/openssh.spec b/openssh.spec index 99c96b5..f9267bc 100644 --- a/openssh.spec +++ b/openssh.spec @@ -28,8 +28,10 @@ %if 0%{?suse_version} >= 1550 %bcond_without wtmpdb +%bcond_with allow_root_password_login_by_default %else %bcond_with wtmpdb +%bcond_without allow_root_password_login_by_default %endif #Compat macro for new _fillupdir macro introduced in Nov 2017 @@ -126,6 +128,9 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch +%if 0%{with allow_root_password_login_by_default} +Patch1000: openssh-7.7p1-allow_root_password_login.patch +%endif BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -192,9 +197,6 @@ Group: Productivity/Networking/SSH Requires: %{name}-common = %{version}-%{release} Requires: crypto-policies >= 20220824 Recommends: audit -%if 0%{?suse_version} == 1500 -Recommends: openssh-server-config-rootlogin -%endif Requires(pre): findutils Requires(pre): grep Requires(post): %fillup_prereq @@ -214,16 +216,31 @@ also be forwarded over the secure channel. This package contains the Secure Shell daemon, which allows clients to securely connect to your server. +%if 0%{with allow_root_password_login_by_default} +%package server-config-disallow-rootlogin +Summary: Config to disallow password root logins to sshd +Group: Productivity/Networking/SSH +Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-rootlogin + +%description server-config-disallow-rootlogin +The openssh-server package by default allows password based +root logins. This package provides a config that disallows root +to log in using the passwor. It's useful to secure your system +preventing password attacks on the root account over ssh. +%else %package server-config-rootlogin Summary: Config to permit root logins to sshd Group: Productivity/Networking/SSH Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-disallow-rootlogin %description server-config-rootlogin The openssh-server package by default disallows password based root logins. This package provides a config that does. It's useful to temporarily have a password based login to be able to use ssh-copy-id(1). +%endif %package clients Summary: SSH (Secure Shell) client applications @@ -369,7 +386,11 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config +%if 0%{with allow_root_password_login_by_default} +echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%else echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%endif # Move /etc to /usr/etc/ssh %if %{defined _distconfdir} @@ -377,8 +398,12 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ +%if 0%{with allow_root_password_login_by_default} +mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%else mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif +%endif install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf %if %{defined _distconfdir} @@ -438,6 +463,15 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ %{fillup_only -n ssh} %service_add_post sshd.service +%if ! %{defined _distconfdir} +test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \ + echo "WARNING: /etc/ssh/sshd_config doesn't include config files from" + echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't" + echo "be honored until the following line is added at the start of" + echo "/etc/ssh/sshd_config :" + echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||: +%endif + %preun server %service_del_preun sshd.service @@ -451,6 +485,16 @@ else %service_del_postun sshd.service fi +%if ! %{defined _distconfdir} +%post server-config-disallow-rootlogin +test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \ + echo "WARNING: /etc/ssh/sshd_config doesn't include config files from" + echo " /etc/ssh/sshd_config.d/ . The config file installed by" + echo "openssh-server-config-disallow-rootlogin won't be used until" + echo "the following line is added at the start of /etc/ssh/sshd_config :" + echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||: +%endif + %if %{defined _distconfdir} %posttrans server # Migration to /usr/etc. @@ -464,6 +508,16 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||: %endif +%if ! %{defined _distconfdir} +%post clients +test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \ + echo "WARNING: /etc/ssh/ssh_config doesn't include config files from" + echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't" + echo "be honored until the following line is added at the start of" + echo "/etc/ssh/ssh_config :" + echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||: +%endif + %if %{defined _distconfdir} %posttrans clients # Migration to /usr/etc. @@ -532,12 +586,21 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %config %{_fwdefdir}/sshd %endif +%if 0%{with allow_root_password_login_by_default} +%files server-config-disallow-rootlogin +%if %{defined _distconfdir} +%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%else +%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%endif +%else %files server-config-rootlogin %if %{defined _distconfdir} %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %else %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif +%endif %files clients %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d