From ed403ddfcdf4ea864f93f10797621750f9cc5f941845b6dda6aa41b0b35813b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Mon, 28 Jan 2019 08:02:07 +0000
Subject: [PATCH 1/2] Accepting request 668656 from home:pmonrealgonzalez:branches:network
- Move ssh-ldap* man pages into openssh-helpers [bsc#1051531]
- Allow root login by default [bsc#1118114, bsc#1121196]
 * Added/updated previous patch openssh-7.7p1-allow_root_password_login.patch
- Added SLE conditionals in the spec files:
 * Keep gtk2-devel in openssh-askpass-gnome in SLE
 * Keep krb5-mini-devel in SLE
- Removed obsolete configure options:
 * SSH protocol 1 --with-ssh1
 * Smart card --with-opensc
- Cleaned spec file with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/668656
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=172
---
 openssh-7.7p1-allow_root_password_login.patch | 59 +++++++++++++++++++
 openssh-askpass-gnome.spec | 12 ++++
 openssh.changes | 22 +++++++
 openssh.spec | 18 +++++-
 4 files changed, 108 insertions(+), 3 deletions(-)
 create mode 100644 openssh-7.7p1-allow_root_password_login.patch
diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch
new file mode 100644
index 0000000..6622776
--- /dev/null
+++ b/openssh-7.7p1-allow_root_password_login.patch
@@ -0,0 +1,59 @@
+# HG changeset patch
+# Parent af43d436bc7fe818dd976c923ad99b89051eb299
+Allow root login with password by default. While less secure than upstream
+default of forbidding access to the root account with a password, we are
+temporarily introducing this change to keep the default used in older OpenSSH
+versions shipped with SLE.
+
+Index: openssh-7.9p1/servconf.c
+===================================================================
+--- openssh-7.9p1.orig/servconf.c
++++ openssh-7.9p1/servconf.c
+@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption
+ if (options->login_grace_time == -1)
+ options->login_grace_time = 120;
+ if (options->permit_root_login == PERMIT_NOT_SET)
+- options->permit_root_login = PERMIT_NO_PASSWD;
++ options->permit_root_login = PERMIT_YES;
+ if (options->ignore_rhosts == -1)
+ options->ignore_rhosts = 1;
+ if (options->ignore_user_known_hosts == -1)
+Index: openssh-7.9p1/sshd_config
+===================================================================
+--- openssh-7.9p1.orig/sshd_config
++++ openssh-7.9p1/sshd_config
+@@ -29,7 +29,7 @@
+ # Authentication:
+
+ #LoginGraceTime 2m
+-#PermitRootLogin prohibit-password
++PermitRootLogin yes
+ #StrictModes yes
+ #MaxAuthTries 6
+ #MaxSessions 10
+Index: openssh-7.9p1/sshd_config.0
+===================================================================
+--- openssh-7.9p1.orig/sshd_config.0
++++ openssh-7.9p1/sshd_config.0
+@@ -749,7 +749,7 @@ DESCRIPTION
+ PermitRootLogin
+ Specifies whether root can log in using ssh(1). The argument
+ must be yes, prohibit-password, forced-commands-only, or no. The
+- default is prohibit-password.
++ default is yes.
+
+ If this option is set to prohibit-password (or its deprecated
+ alias, without-password), password and keyboard-interactive
+Index: openssh-7.9p1/sshd_config.5
+===================================================================
+--- openssh-7.9p1.orig/sshd_config.5
++++ openssh-7.9p1/sshd_config.5
+@@ -1285,7 +1285,7 @@ The argument must be
+ or
+ .Cm no .
+ The default is
+-.Cm prohibit-password .
++.Cm yes .
+ .Pp
+ If this option is set to
+ .Cm prohibit-password
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 920a89e..df79e8c 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -26,7 +26,11 @@ Group: Productivity/Networking/SSH
 URL: http://www.openssh.com/
 Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
 Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
+%if 0%{?suse_version} >= 1550
 BuildRequires: gtk3-devel
+%else
+BuildRequires: gtk2-devel
+%endif
 Requires: %{_name} = %{version}
 %description
@@ -40,11 +44,19 @@ GNOME-based passphrase dialog for OpenSSH.
 %build
 cd contrib
 export CFLAGS="%{optflags}"
+%if 0%{?suse_version} >= 1550
 make %{?_smp_mflags} gnome-ssh-askpass3
+%else
+make %{?_smp_mflags} gnome-ssh-askpass2
+%endif
 %install
 install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
+%if 0%{?suse_version} >= 1550
 install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
+%else
+install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
+%endif
 %files
 %dir %{_libexecdir}/ssh
diff --git a/openssh.changes b/openssh.changes
index fe83ec4..8dba4a5 100644
--- a/openssh.changes
+++ b/openssh.changes
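Review bot: The servconf.c hunk of the new patch (`options->permit_root_login = PERMIT_YES;`) bakes root password login into sshd's compiled-in default, not only into the shipped sshd_config, so any host whose sshd_config lacks a PermitRootLogin line — an administrator who comments it out, or a config-management tool that ships its own file without the directive — silently runs with root password login instead of upstream's prohibit-password. The patch header calls the change temporary but carries none of the tracking references named in the commit message, so nothing in the tree records when it can be dropped. Consider carrying the deviation only as the explicit `PermitRootLogin yes` line in sshd_config and leaving the servconf.c hunk (and, with it, the man-page hunks) out, so the weaker default is visible in the config file rather than hidden in the binary; at minimum add the references to the patch header, e.g. `# References: bsc#1118114 bsc#1121196`.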
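Review bot: The condition `%if 0%{?suse_version} >= 1550` is written out three times in openssh-askpass-gnome.spec (the BuildRequires hunk at -26 and both groups in the -40 hunk), and the same threshold recurs in openssh.spec for the krb5 BuildRequires, so the next distribution bump has to be applied to every copy. Evaluating it once near the top into a single macro and using that at the three sites, e.g. `BuildRequires: gtk%{askpass_gtk}-devel`, `make %{?_smp_mflags} gnome-ssh-askpass%{askpass_gtk}` and `install contrib/gnome-ssh-askpass%{askpass_gtk} %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass`, keeps the version comparison in one place. Style only; the built package is unchanged.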
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri Jan 25 12:42:54 UTC 2019 - Pedro Monreal Gonzalez
+
+- Move ssh-ldap* man pages into openssh-helpers [bsc#1051531]
+
+-------------------------------------------------------------------
+Thu Jan 24 15:51:19 UTC 2019 - Pedro Monreal Gonzalez
+
+- Allow root login by default [bsc#1118114, bsc#1121196]
+ * Added/updated previous patch openssh-7.7p1-allow_root_password_login.patch
+
+-------------------------------------------------------------------
+Thu Jan 24 12:21:40 UTC 2019 - Pedro Monreal Gonzalez
+
+- Added SLE conditionals in the spec files:
+ * Keep gtk2-devel in openssh-askpass-gnome in SLE
+ * Keep krb5-mini-devel in SLE
+- Removed obsolete configure options:
+ * SSH protocol 1 --with-ssh1
+ * Smart card --with-opensc
+- Cleaned spec file with spec-cleaner
+
 -------------------------------------------------------------------
 Wed Jan 16 14:11:29 UTC 2019 - Pedro Monreal Gonzalez
diff --git a/openssh.spec b/openssh.spec
index 9f18da8..71a8e69 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -17,9 +17,12 @@
 %define sandbox_seccomp 0
-%ifnarch ppc
+%if 0%{?suse_version} > 1220
 %define sandbox_seccomp 1
 %endif
+%ifarch ppc
+%define sandbox_seccomp 0
+%endif
 %if 0%{?suse_version} >= 1500
 %bcond_without tirpc
@@ -56,6 +59,7 @@ Source9: sshd-gen-keys-start
 Source10: sshd.service
 Source11: README.FIPS
 Source12: cavs_driver-ssh.pl
+Patch0: openssh-7.7p1-allow_root_password_login.patch
 Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3: openssh-7.7p1-enable_PAM_by_default.patch
 Patch4: openssh-7.7p1-eal3.patch
@@ -111,9 +115,8 @@ BuildRequires: openssl-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
 BuildRequires: zlib-devel
-BuildRequires: pkgconfig(krb5)
 BuildRequires: pkgconfig(libsystemd)
-Requires(post): %{fillup_prereq}
+Requires(post): %fillup_prereq
 Requires(pre): pwdutils
 Recommends: %{name}-helpers = %{version}-%{release}
 Recommends: audit
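Review bot: `Patch0: openssh-7.7p1-allow_root_password_login.patch` is declared in the -56 hunk, but no openssh.spec hunk in this commit adds a matching `%patch0 -p1`, and the hunks shown consume the file's whole diffstat (15 insertions, 3 deletions out of the 108/3 total), so %prep was not touched. If %prep applies patches one by one rather than through `%autopatch` or `%autosetup`, the patch is listed but never applied and the built sshd keeps upstream's prohibit-password default while the package claims otherwise. Please confirm how %prep applies patches; that section lies outside these hunks.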
@@ -125,6 +128,11 @@ Conflicts: nonfreessh
 %if %{with tirpc}
 BuildRequires: libtirpc-devel
 %endif
+%if 0%{?suse_version} >= 1550
+BuildRequires: pkgconfig(krb5)
+%else
+BuildRequires: krb5-mini-devel
+%endif
 %description
 SSH (Secure Shell) is a program for logging into and executing commands
@@ -305,6 +313,8 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
 %attr(0444,root,root) %{_mandir}/man1/*
 %attr(0444,root,root) %{_mandir}/man5/*
 %attr(0444,root,root) %{_mandir}/man8/*
+%exclude %{_mandir}/man5/ssh-ldap*
+%exclude %{_mandir}/man8/ssh-ldap*
 %dir %{_sysconfdir}/slp.reg.d
 %config %{_sysconfdir}/slp.reg.d/ssh.reg
 %{_fillupdir}/sysconfig.ssh
@@ -317,6 +327,8 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
 %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
 %attr(0755,root,root) %dir %{_libexecdir}/ssh
 %attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
+%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
+%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
 %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
 %files fips
From 39cce89598ca27a08217ba1d2c815f67f2f504b250707e35aad8e9e28d62bb87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Mon, 28 Jan 2019 10:41:40 +0000
Subject: [PATCH 2/2] Accepting request 669019 from home:pmonrealgonzalez:branches:network
- Remove old conditionals
 * Mention the change in README.SUSE
OBS-URL: https://build.opensuse.org/request/show/669019
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=173
---
 README.SUSE | 6 ++++++
 openssh.changes | 6 ++++++
 openssh.spec | 5 +----
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/README.SUSE b/README.SUSE
index cb1f82b..cd33733 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -5,6 +5,12 @@ There are following changes in default settings of ssh client and server:
 * PAM authentication is enabled and mostly even required, do not turn it off.
+* root authentiation with password is enabled by default (PermitRootLogin yes).
+ NOTE: this has security implications and is only done in order to not change
+ behaviour of the server in an update. We strongly suggest setting this option
+ either "prohibit-password" or even better to "no" (which disables direct
+ remote root login entirely).
+
 * DSA authentication is enabled by default for maximum compatibility.
 NOTE: do not use DSA authentication since it is being phased out for a reason
 - the size of DSA keys is limited by the standard to 1024 bits which cannot
diff --git a/openssh.changes b/openssh.changes
index 8dba4a5..dae0221 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jan 28 10:34:53 UTC 2019 - Pedro Monreal Gonzalez
+
+- Remove old conditionals
+
 -------------------------------------------------------------------
 Fri Jan 25 12:42:54 UTC 2019 - Pedro Monreal Gonzalez
@@ -8,6 +13,7 @@ Thu Jan 24 15:51:19 UTC 2019 - Pedro Monreal Gonzalez
diff --git a/openssh.spec b/openssh.spec
index 71a8e69..d930044 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -17,12 +17,9 @@
 %define sandbox_seccomp 0
-%if 0%{?suse_version} > 1220
+%ifnarch ppc
 %define sandbox_seccomp 1
 %endif
-%ifarch ppc
-%define sandbox_seccomp 0
-%endif
 %if 0%{?suse_version} >= 1500
 %bcond_without tirpc