OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=176
This commit is contained in:
Dominique Leuenberger
Git OBS Bridge
parent
5d0cbae36f
commit
b81f1e76c1
@ -5,13 +5,6 @@ There are following changes in default settings of ssh client and server:
|
||||
|
||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||
|
||||
* In SLE15, root authentiation with password is enabled by default
|
||||
(PermitRootLogin yes).
|
||||
NOTE: this has security implications and is only done in order to not change
|
||||
behaviour of the server in an update. We strongly suggest setting this option
|
||||
either "prohibit-password" or even better to "no" (which disables direct
|
||||
remote root login entirely).
|
||||
|
||||
* DSA authentication is enabled by default for maximum compatibility.
|
||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||
|
||||
@ -1,59 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
Index: openssh-8.4p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/servconf.c
|
||||
+++ openssh-8.4p1/servconf.c
|
||||
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
Index: openssh-8.4p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config
|
||||
+++ openssh-8.4p1/sshd_config
|
||||
@@ -29,7 +29,7 @@
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
Index: openssh-8.4p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config.0
|
||||
+++ openssh-8.4p1/sshd_config.0
|
||||
@@ -778,7 +778,7 @@ DESCRIPTION
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
||||
- default is prohibit-password.
|
||||
+ default is yes.
|
||||
|
||||
If this option is set to prohibit-password (or its deprecated
|
||||
alias, without-password), password and keyboard-interactive
|
||||
Index: openssh-8.4p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config.5
|
||||
+++ openssh-8.4p1/sshd_config.5
|
||||
@@ -1331,7 +1331,7 @@ The argument must be
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
||||
@ -1,18 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Only for SLE15, restore the patch file removed in
|
||||
Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
|
||||
from SP5 of having root password login allowed by default
|
||||
(fixes bsc#1223486, related to bsc#1173067):
|
||||
* openssh-7.7p1-allow_root_password_login.patch
|
||||
- Since the default value for this config option is now set to
|
||||
permit root to use password logins in SLE15, the
|
||||
openssh-server-config-rootlogin subpackage isn't useful there so
|
||||
we now create an openssh-server-config-disallow-rootlogin
|
||||
subpackage that sets the configuration the other way around
|
||||
than openssh-server-config-rootlogin.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
|
||||
39
openssh.spec
39
openssh.spec
@ -28,10 +28,8 @@
|
||||
|
||||
%if 0%{?suse_version} >= 1550
|
||||
%bcond_without wtmpdb
|
||||
%bcond_with allow_root_password_login_by_default
|
||||
%else
|
||||
%bcond_with wtmpdb
|
||||
%bcond_without allow_root_password_login_by_default
|
||||
%endif
|
||||
|
||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||
@ -128,9 +126,6 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
||||
Patch107: openssh-9.6p1-crypto-policies.patch
|
||||
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
||||
%endif
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: automake
|
||||
BuildRequires: groff
|
||||
@ -197,7 +192,7 @@ Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Requires: crypto-policies >= 20220824
|
||||
Recommends: audit
|
||||
%if 0%{without allow_root_password_login_by_default}
|
||||
%if 0%{?suse_version} == 1500
|
||||
Recommends: openssh-server-config-rootlogin
|
||||
%endif
|
||||
Requires(pre): findutils
|
||||
@ -219,31 +214,16 @@ also be forwarded over the secure channel.
|
||||
This package contains the Secure Shell daemon, which allows clients to
|
||||
securely connect to your server.
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%package server-config-disallow-rootlogin
|
||||
Summary: Config to disallow password root logins to sshd
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
Conflicts: %{name}-server-config-rootlogin
|
||||
|
||||
%description server-config-disallow-rootlogin
|
||||
The openssh-server package by default allows password based
|
||||
root logins. This package provides a config that disallows root
|
||||
to log in using the passwor. It's useful to secure your system
|
||||
preventing password attacks on the root account over ssh.
|
||||
%else
|
||||
%package server-config-rootlogin
|
||||
Summary: Config to permit root logins to sshd
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
Conflicts: %{name}-server-config-disallow-rootlogin
|
||||
|
||||
%description server-config-rootlogin
|
||||
The openssh-server package by default disallows password based
|
||||
root logins. This package provides a config that does. It's useful
|
||||
to temporarily have a password based login to be able to use
|
||||
ssh-copy-id(1).
|
||||
%endif
|
||||
|
||||
%package clients
|
||||
Summary: SSH (Secure Shell) client applications
|
||||
@ -389,11 +369,7 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
|
||||
# Move /etc to /usr/etc/ssh
|
||||
%if %{defined _distconfdir}
|
||||
@ -401,12 +377,8 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
||||
%if %{defined _distconfdir}
|
||||
@ -560,21 +532,12 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
||||
%config %{_fwdefdir}/sshd
|
||||
%endif
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%files server-config-disallow-rootlogin
|
||||
%if %{defined _distconfdir}
|
||||
%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%endif
|
||||
%else
|
||||
%files server-config-rootlogin
|
||||
%if %{defined _distconfdir}
|
||||
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%else
|
||||
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%files clients
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
||||
|
||||
Loading…
Reference in New Issue
Block a user