Stephan Kulow 2019-02-04 20:10:21 +00:00 committed by Git OBS Bridge
commit c6e12a196f
5 changed files with 116 additions and 2 deletions


@ -5,6 +5,12 @@ There are following changes in default settings of ssh client and server:
* PAM authentication is enabled and mostly even required, do not turn it off. * PAM authentication is enabled and mostly even required, do not turn it off.
* root authentiation with password is enabled by default (PermitRootLogin yes).
NOTE: this has security implications and is only done in order to not change
behaviour of the server in an update. We strongly suggest setting this option
either "prohibit-password" or even better to "no" (which disables direct
remote root login entirely).
* DSA authentication is enabled by default for maximum compatibility. * DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot - the size of DSA keys is limited by the standard to 1024 bits which cannot


@ -0,0 +1,59 @@
# HG changeset patch
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
Index: openssh-7.9p1/sshd_config
===================================================================
--- openssh-7.9p1.orig/sshd_config
+++ openssh-7.9p1/sshd_config
@@ -29,7 +29,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -749,7 +749,7 @@ DESCRIPTION
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -1285,7 +1285,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password
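Review bot: The patch description at lines 23-26 says only that root password login is re-enabled, not why the compiled-in default in servconf.c (line 36) is changed in addition to the shipped sshd_config (line 48); if the packaged sshd_config is kept on upgrade (a %config(noreplace) attribute is not visible here), the servconf.c hunk is the one that actually affects upgraded systems, and without that rationale a later cleanup could drop either half and silently change behaviour. Suggest appending to the description: `The compiled-in default is changed as well because upgraded systems keep their existing sshd_config, which has no PermitRootLogin line.` The built-in change also means any configuration that omits PermitRootLogin (a minimal -f config, a copy of the upstream sample) now allows root password login, so the active line at 48 deserves a comment above it, e.g. `# SUSE default differs from upstream (prohibit-password); see README.SUSE`, so an administrator auditing the file sees the deviation without consulting the man page.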


@ -26,7 +26,11 @@ Group: Productivity/Networking/SSH
URL: http://www.openssh.com/ URL: http://www.openssh.com/
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
%if 0%{?suse_version} >= 1550
BuildRequires: gtk3-devel BuildRequires: gtk3-devel
%else
BuildRequires: gtk2-devel
%endif
Requires: %{_name} = %{version} Requires: %{_name} = %{version}
%description %description
@ -40,11 +44,19 @@ GNOME-based passphrase dialog for OpenSSH.
%build %build
cd contrib cd contrib
export CFLAGS="%{optflags}" export CFLAGS="%{optflags}"
%if 0%{?suse_version} >= 1550
make %{?_smp_mflags} gnome-ssh-askpass3 make %{?_smp_mflags} gnome-ssh-askpass3
%else
make %{?_smp_mflags} gnome-ssh-askpass2
%endif
%install %install
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/ install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
%if 0%{?suse_version} >= 1550
install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
%else
install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
%endif
%files %files
%dir %{_libexecdir}/ssh %dir %{_libexecdir}/ssh
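Review bot: The test `%if 0%{?suse_version} >= 1550` is repeated three times (lines 84, 95, 102) to choose gnome-ssh-askpass3 over gnome-ssh-askpass2, and the same literal test reappears for the krb5 build dependency in openssh.spec (lines 160-164). One conditional evaluated once, e.g. `%define askpass gnome-ssh-askpass3` with the gtk3-devel/gtk2-devel choice beside it, would let the %build and %install lines use `%{askpass}` and keep the sites from drifting when the version threshold changes. This is a style point only; the three conditionals as written agree with each other.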


@ -1,3 +1,31 @@
-------------------------------------------------------------------
Mon Jan 28 10:34:53 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Remove old conditionals
-------------------------------------------------------------------
Fri Jan 25 12:42:54 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Move ssh-ldap* man pages into openssh-helpers [bsc#1051531]
-------------------------------------------------------------------
Thu Jan 24 15:51:19 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Allow root login by default [bsc#1118114, bsc#1121196]
* Added/updated previous patch openssh-7.7p1-allow_root_password_login.patch
* Mention the change in README.SUSE
-------------------------------------------------------------------
Thu Jan 24 12:21:40 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Added SLE conditionals in the spec files:
* Keep gtk2-devel in openssh-askpass-gnome in SLE
* Keep krb5-mini-devel in SLE
- Removed obsolete configure options:
* SSH protocol 1 --with-ssh1
* Smart card --with-opensc
- Cleaned spec file with spec-cleaner
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 16 14:11:29 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> Wed Jan 16 14:11:29 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>


@ -56,6 +56,7 @@ Source9: sshd-gen-keys-start
Source10: sshd.service Source10: sshd.service
Source11: README.FIPS Source11: README.FIPS
Source12: cavs_driver-ssh.pl Source12: cavs_driver-ssh.pl
Patch0: openssh-7.7p1-allow_root_password_login.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch Patch4: openssh-7.7p1-eal3.patch
@ -111,9 +112,8 @@ BuildRequires: openssl-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
Requires(post): %{fillup_prereq} Requires(post): %fillup_prereq
Requires(pre): pwdutils Requires(pre): pwdutils
Recommends: %{name}-helpers = %{version}-%{release} Recommends: %{name}-helpers = %{version}-%{release}
Recommends: audit Recommends: audit
@ -125,6 +125,11 @@ Conflicts: nonfreessh
%if %{with tirpc} %if %{with tirpc}
BuildRequires: libtirpc-devel BuildRequires: libtirpc-devel
%endif %endif
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(krb5)
%else
BuildRequires: krb5-mini-devel
%endif
%description %description
SSH (Secure Shell) is a program for logging into and executing commands SSH (Secure Shell) is a program for logging into and executing commands
@ -305,6 +310,8 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%attr(0444,root,root) %{_mandir}/man1/* %attr(0444,root,root) %{_mandir}/man1/*
%attr(0444,root,root) %{_mandir}/man5/* %attr(0444,root,root) %{_mandir}/man5/*
%attr(0444,root,root) %{_mandir}/man8/* %attr(0444,root,root) %{_mandir}/man8/*
%exclude %{_mandir}/man5/ssh-ldap*
%exclude %{_mandir}/man8/ssh-ldap*
%dir %{_sysconfdir}/slp.reg.d %dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg %config %{_sysconfdir}/slp.reg.d/ssh.reg
%{_fillupdir}/sysconfig.ssh %{_fillupdir}/sysconfig.ssh
@ -317,6 +324,8 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh %attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap* %attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%files fips %files fips
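Review bot: `Patch0: openssh-7.7p1-allow_root_password_login.patch` is declared at line 142, but none of the hunks shown touch %prep; with the explicit numbering used in this spec (Patch1, Patch3, Patch4) a declaration alone applies nothing, so please confirm a matching `%patch0 -p1` exists, otherwise the servconf.c default and the sshd_config line announced in the changelog are not in the built package while README.SUSE claims they are. The %prep section is outside the hunks, so this is inferred from the visible lines only. A smaller naming point: the patch file is named 7.7p1 while its Index lines target openssh-7.9p1; that follows the existing Patch1/Patch3 convention here, so no change is needed unless the other patches are renamed too.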