Accepting request 1174781 from network

OBS-URL: https://build.opensuse.org/request/show/1174781
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=177

README.SUSE

@@ -5,6 +5,13 @@ There are following changes in default settings of ssh client and server:
 
 * PAM authentication is enabled and mostly even required, do not turn it off.
 
+* In SLE15, root authentiation with password is enabled by default
+  (PermitRootLogin yes).
+  NOTE: this has security implications and is only done in order to not change
+  behaviour of the server in an update. We strongly suggest setting this option
+  either "prohibit-password" or even better to "no" (which disables direct
+  remote root login entirely).
+
 * DSA authentication is enabled by default for maximum compatibility.
   NOTE: do not use DSA authentication since it is being phased out for a reason
   - the size of DSA keys is limited by the standard to 1024 bits which cannot

openssh-7.7p1-allow_root_password_login.patch

@@ -0,0 +1,59 @@
+# HG changeset patch
+# Parent  af43d436bc7fe818dd976c923ad99b89051eb299
+Allow root login with password by default. While less secure than upstream
+default of forbidding access to the root account with a password, we are
+temporarily introducing this change to keep the default used in older OpenSSH
+versions shipped with SLE.
+
+Index: openssh-8.4p1/servconf.c
+===================================================================
+--- openssh-8.4p1.orig/servconf.c
++++ openssh-8.4p1/servconf.c
+@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
+ 	if (options->login_grace_time == -1)
+ 		options->login_grace_time = 120;
+ 	if (options->permit_root_login == PERMIT_NOT_SET)
+-		options->permit_root_login = PERMIT_NO_PASSWD;
++		options->permit_root_login = PERMIT_YES;
+ 	if (options->ignore_rhosts == -1)
+ 		options->ignore_rhosts = 1;
+ 	if (options->ignore_user_known_hosts == -1)
+Index: openssh-8.4p1/sshd_config
+===================================================================
+--- openssh-8.4p1.orig/sshd_config
++++ openssh-8.4p1/sshd_config
+@@ -29,7 +29,7 @@
+ # Authentication:
+ 
+ #LoginGraceTime 2m
+-#PermitRootLogin prohibit-password
++PermitRootLogin yes
+ #StrictModes yes
+ #MaxAuthTries 6
+ #MaxSessions 10
+Index: openssh-8.4p1/sshd_config.0
+===================================================================
+--- openssh-8.4p1.orig/sshd_config.0
++++ openssh-8.4p1/sshd_config.0
+@@ -778,7 +778,7 @@ DESCRIPTION
+      PermitRootLogin
+              Specifies whether root can log in using ssh(1).  The argument
+              must be yes, prohibit-password, forced-commands-only, or no.  The
+-             default is prohibit-password.
++             default is yes.
+ 
+              If this option is set to prohibit-password (or its deprecated
+              alias, without-password), password and keyboard-interactive
+Index: openssh-8.4p1/sshd_config.5
+===================================================================
+--- openssh-8.4p1.orig/sshd_config.5
++++ openssh-8.4p1/sshd_config.5
+@@ -1331,7 +1331,7 @@ The argument must be
+ or
+ .Cm no .
+ The default is
+-.Cm prohibit-password .
++.Cm yes .
+ .Pp
+ If this option is set to
+ .Cm prohibit-password

openssh.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Remove the recommendation for openssh-server-config-rootlogin
+  from openssh-server. Since the default for that config option
+  was changed in SLE it's not needed anymore in SLE nor in TW
+  (boo#1224392).
+
+-------------------------------------------------------------------
+Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add a warning in %post of openssh-clients, openssh-server and 
+  openssh-server-config-disallow-rootlogin to warn the user if
+  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
+  being used (bsc#1223486).
+
+-------------------------------------------------------------------
+Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Only for SLE15, restore the patch file removed in
+  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
+  from SP5 of having root password login allowed by default
+  (fixes bsc#1223486, related to bsc#1173067):
+  * openssh-7.7p1-allow_root_password_login.patch
+- Since the default value for this config option is now set to
+  permit root to use password logins in SLE15, the
+  openssh-server-config-rootlogin subpackage isn't useful there so 
+  we now create an openssh-server-config-disallow-rootlogin
+  subpackage that sets the configuration the other way around
+  than openssh-server-config-rootlogin.
+
 -------------------------------------------------------------------
 Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner <meissner@suse.com>
 

openssh.spec

@@ -28,8 +28,10 @@
 
 %if 0%{?suse_version} >= 1550
 %bcond_without wtmpdb
+%bcond_with allow_root_password_login_by_default
 %else
 %bcond_with wtmpdb
+%bcond_without allow_root_password_login_by_default
 %endif
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
@@ -126,6 +128,9 @@ Patch106:       openssh-7.6p1-cleanup-selinux.patch
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:       openssh-9.6p1-crypto-policies.patch
 Patch108:       openssh-9.6p1-crypto-policies-man.patch
+%if 0%{with allow_root_password_login_by_default}
+Patch1000:      openssh-7.7p1-allow_root_password_login.patch
+%endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -192,9 +197,6 @@ Group:          Productivity/Networking/SSH
 Requires:       %{name}-common = %{version}-%{release}
 Requires:       crypto-policies >= 20220824
 Recommends:     audit
-%if 0%{?suse_version} == 1500
-Recommends:     openssh-server-config-rootlogin
-%endif
 Requires(pre):  findutils
 Requires(pre):  grep
 Requires(post): %fillup_prereq
@@ -214,16 +216,31 @@ also be forwarded over the secure channel.
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
 
+%if 0%{with allow_root_password_login_by_default}
+%package server-config-disallow-rootlogin
+Summary:        Config to disallow password root logins to sshd
+Group:          Productivity/Networking/SSH
+Requires:       %{name}-server = %{version}-%{release}
+Conflicts:      %{name}-server-config-rootlogin
+
+%description server-config-disallow-rootlogin
+The openssh-server package by default allows password based
+root logins. This package provides a config that disallows root
+to log in using the passwor. It's useful to secure your system
+preventing password attacks on the root account over ssh.
+%else
 %package server-config-rootlogin
 Summary:        Config to permit root logins to sshd
 Group:          Productivity/Networking/SSH
 Requires:       %{name}-server = %{version}-%{release}
+Conflicts:      %{name}-server-config-disallow-rootlogin
 
 %description server-config-rootlogin
 The openssh-server package by default disallows password based
 root logins. This package provides a config that does. It's useful
 to temporarily have a password based login to be able to use
 ssh-copy-id(1).
+%endif
 
 %package clients
 Summary:        SSH (Secure Shell) client applications
@@ -369,7 +386,11 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
 
+%if 0%{with allow_root_password_login_by_default}
+echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
 echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 
 # Move /etc to /usr/etc/ssh
 %if %{defined _distconfdir}
@@ -377,8 +398,12 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
+%if 0%{with allow_root_password_login_by_default}
+mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
+%endif
 
 install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %if %{defined _distconfdir}
@@ -438,6 +463,15 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 %{fillup_only -n ssh}
 %service_add_post sshd.service
 
+%if ! %{defined _distconfdir}
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %preun server
 %service_del_preun sshd.service
 
@@ -451,6 +485,16 @@ else
 %service_del_postun sshd.service
 fi
 
+%if ! %{defined _distconfdir}
+%post server-config-disallow-rootlogin
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The config file installed by"
+    echo "openssh-server-config-disallow-rootlogin won't be used until"
+    echo "the following line is added at the start of /etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans server
 # Migration to /usr/etc.
@@ -464,6 +508,16 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
 %endif
 
+%if ! %{defined _distconfdir}
+%post clients
+test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
+    echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
+    echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/ssh_config :"
+    echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans clients
 # Migration to /usr/etc.
@@ -532,12 +586,21 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %config %{_fwdefdir}/sshd
 %endif
 
+%if 0%{with allow_root_password_login_by_default}
+%files server-config-disallow-rootlogin
+%if %{defined _distconfdir}
+%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
+%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%endif
+%else
 %files server-config-rootlogin
 %if %{defined _distconfdir}
 %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %else
 %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
+%endif
 
 %files clients
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d