diff --git a/README.SUSE b/README.SUSE index 1350a12..cb1f82b 100644 --- a/README.SUSE +++ b/README.SUSE @@ -5,13 +5,6 @@ There are following changes in default settings of ssh client and server: * PAM authentication is enabled and mostly even required, do not turn it off. -* In SLE15, root authentiation with password is enabled by default - (PermitRootLogin yes). - NOTE: this has security implications and is only done in order to not change - behaviour of the server in an update. We strongly suggest setting this option - either "prohibit-password" or even better to "no" (which disables direct - remote root login entirely). - * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch deleted file mode 100644 index 815b8a5..0000000 --- a/openssh-7.7p1-allow_root_password_login.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -# HG changeset patch -# Parent af43d436bc7fe818dd976c923ad99b89051eb299 -Allow root login with password by default. While less secure than upstream -default of forbidding access to the root account with a password, we are -temporarily introducing this change to keep the default used in older OpenSSH -versions shipped with SLE. - -Index: openssh-8.4p1/servconf.c -=================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c -@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption - if (options->login_grace_time == -1) - options->login_grace_time = 120; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_NO_PASSWD; -+ options->permit_root_login = PERMIT_YES; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) -Index: openssh-8.4p1/sshd_config -=================================================================== ---- openssh-8.4p1.orig/sshd_config -+++ openssh-8.4p1/sshd_config -@@ -29,7 +29,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin prohibit-password -+PermitRootLogin yes - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 -Index: openssh-8.4p1/sshd_config.0 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.0 -+++ openssh-8.4p1/sshd_config.0 -@@ -778,7 +778,7 @@ DESCRIPTION - PermitRootLogin - Specifies whether root can log in using ssh(1). The argument - must be yes, prohibit-password, forced-commands-only, or no. The -- default is prohibit-password. -+ default is yes. 
- - If this option is set to prohibit-password (or its deprecated - alias, without-password), password and keyboard-interactive -Index: openssh-8.4p1/sshd_config.5 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -1331,7 +1331,7 @@ The argument must be - or - .Cm no . - The default is --.Cm prohibit-password . -+.Cm yes . - .Pp - If this option is set to - .Cm prohibit-password diff --git a/openssh.changes b/openssh.changes index 437daaf..1331030 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,18 +1,3 @@ -------------------------------------------------------------------- -Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa - -- Only for SLE15, restore the patch file removed in - Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour - from SP5 of having root password login allowed by default - (fixes bsc#1223486, related to bsc#1173067): - * openssh-7.7p1-allow_root_password_login.patch -- Since the default value for this config option is now set to - permit root to use password logins in SLE15, the - openssh-server-config-rootlogin subpackage isn't useful there so - we now create an openssh-server-config-disallow-rootlogin - subpackage that sets the configuration the other way around - than openssh-server-config-rootlogin. - ------------------------------------------------------------------- Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner diff --git a/openssh.spec b/openssh.spec index 8b744cc..99c96b5 100644 --- a/openssh.spec +++ b/openssh.spec @@ -28,10 +28,8 @@ %if 0%{?suse_version} >= 1550 %bcond_without wtmpdb -%bcond_with allow_root_password_login_by_default %else %bcond_with wtmpdb -%bcond_without allow_root_password_login_by_default %endif #Compat macro for new _fillupdir macro introduced in Nov 2017 
@@ -128,9 +126,6 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch -%if 0%{with allow_root_password_login_by_default} -Patch1000: openssh-7.7p1-allow_root_password_login.patch -%endif BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -197,7 +192,7 @@ Group: Productivity/Networking/SSH Requires: %{name}-common = %{version}-%{release} Requires: crypto-policies >= 20220824 Recommends: audit -%if 0%{without allow_root_password_login_by_default} +%if 0%{?suse_version} == 1500 Recommends: openssh-server-config-rootlogin %endif Requires(pre): findutils 
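Review bot: The new `%if 0%{?suse_version} == 1500` guard around `Recommends: openssh-server-config-rootlogin` (hunk -197,7 +192,7) has no comment, yet after this change it is the only thing that decides whether a SLE15 host accepts root password logins. That subpackage ships `PermitRootLogin yes` as `50-permit-root-login.conf` (written unconditionally in the %install hunk further down). On 1500, an install that honours weak dependencies therefore presumably still ends up with root password login enabled, while a no-recommends install gets the upstream `prohibit-password` default. The commit also drops the README.SUSE paragraph that warned about this, so I would add a comment above the `%if`, for example `# SLE15 only: pulls in the "PermitRootLogin yes" drop-in for compatibility with earlier service packs; uninstall openssh-server-config-rootlogin to get prohibit-password`, and keep an equivalent note in README.SUSE. The `%package server` stanza this guard belongs to starts and ends outside the hunk.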
@@ -219,31 +214,16 @@ also be forwarded over the secure channel. This package contains the Secure Shell daemon, which allows clients to securely connect to your server. -%if 0%{with allow_root_password_login_by_default} -%package server-config-disallow-rootlogin -Summary: Config to disallow password root logins to sshd -Group: Productivity/Networking/SSH -Requires: %{name}-server = %{version}-%{release} -Conflicts: %{name}-server-config-rootlogin - -%description server-config-disallow-rootlogin -The openssh-server package by default allows password based -root logins. This package provides a config that disallows root -to log in using the passwor. It's useful to secure your system -preventing password attacks on the root account over ssh. -%else %package server-config-rootlogin Summary: Config to permit root logins to sshd Group: Productivity/Networking/SSH Requires: %{name}-server = %{version}-%{release} -Conflicts: %{name}-server-config-disallow-rootlogin %description server-config-rootlogin The openssh-server package by default disallows password based root logins. This package provides a config that does. It's useful to temporarily have a password based login to be able to use ssh-copy-id(1). -%endif %package clients Summary: SSH (Secure Shell) client applications @@ -389,11 +369,7 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config -%if 0%{with allow_root_password_login_by_default} -echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf -%else echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf -%endif # Move /etc to /usr/etc/ssh %if %{defined _distconfdir} 
@@ -401,12 +377,8 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ -%if 0%{with allow_root_password_login_by_default} -mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf -%else mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif -%endif install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf %if %{defined _distconfdir} @@ -560,21 +532,12 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %config %{_fwdefdir}/sshd %endif -%if 0%{with allow_root_password_login_by_default} -%files server-config-disallow-rootlogin -%if %{defined _distconfdir} -%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf -%else -%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf -%endif -%else %files server-config-rootlogin %if %{defined _distconfdir} %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %else %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif -%endif %files clients %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d