From d13558019e13ef990840f39c5d756cdf7c1be6449ae9debb8fa6197898c4df58 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Sat, 17 Apr 2021 14:22:02 +0000 Subject: [PATCH] Accepting request 873406 from home:jsegitz:branches:network - Drop openssh-7.7p1-allow_root_password_login.patch to prevent login as root via password by default (is also upstream default). Comment indicates that this was a temporary meassure that we now had for five years, time to get rid of it (bsc#1173067) OBS-URL: https://build.opensuse.org/request/show/873406 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=229 --- README.SUSE | 6 -- openssh-7.7p1-allow_root_password_login.patch | 59 ------------------- openssh.changes | 8 +++ openssh.spec | 1 - 4 files changed, 8 insertions(+), 66 deletions(-) delete mode 100644 openssh-7.7p1-allow_root_password_login.patch diff --git a/README.SUSE b/README.SUSE index cd33733..cb1f82b 100644 --- a/README.SUSE +++ b/README.SUSE @@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server: * PAM authentication is enabled and mostly even required, do not turn it off. -* root authentiation with password is enabled by default (PermitRootLogin yes). - NOTE: this has security implications and is only done in order to not change - behaviour of the server in an update. We strongly suggest setting this option - either "prohibit-password" or even better to "no" (which disables direct - remote root login entirely). - * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch deleted file mode 100644 index 815b8a5..0000000 --- a/openssh-7.7p1-allow_root_password_login.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -# HG changeset patch -# Parent af43d436bc7fe818dd976c923ad99b89051eb299 -Allow root login with password by default. While less secure than upstream -default of forbidding access to the root account with a password, we are -temporarily introducing this change to keep the default used in older OpenSSH -versions shipped with SLE. - -Index: openssh-8.4p1/servconf.c -=================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c -@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption - if (options->login_grace_time == -1) - options->login_grace_time = 120; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_NO_PASSWD; -+ options->permit_root_login = PERMIT_YES; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) -Index: openssh-8.4p1/sshd_config -=================================================================== ---- openssh-8.4p1.orig/sshd_config -+++ openssh-8.4p1/sshd_config -@@ -29,7 +29,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin prohibit-password -+PermitRootLogin yes - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 -Index: openssh-8.4p1/sshd_config.0 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.0 -+++ openssh-8.4p1/sshd_config.0 -@@ -778,7 +778,7 @@ DESCRIPTION - PermitRootLogin - Specifies whether root can log in using ssh(1). The argument - must be yes, prohibit-password, forced-commands-only, or no. The -- default is prohibit-password. -+ default is yes. 
- - If this option is set to prohibit-password (or its deprecated - alias, without-password), password and keyboard-interactive -Index: openssh-8.4p1/sshd_config.5 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -1331,7 +1331,7 @@ The argument must be - or - .Cm no . - The default is --.Cm prohibit-password . -+.Cm yes . - .Pp - If this option is set to - .Cm prohibit-password diff --git a/openssh.changes b/openssh.changes index 945ac83..1a38a66 100644 --- a/openssh.changes +++ b/openssh.changes @@ -5,6 +5,14 @@ Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk /usr/share/ssh/ (openssh-8.4p1-vendordir.patch) - Move configuration files from /etc/ssh/ to /usr/share/ssh/ +------------------------------------------------------------------- +Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz + +- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login + as root via password by default (is also upstream default). Comment + indicates that this was a temporary meassure that we now had for + five years, time to get rid of it (bsc#1173067) + ------------------------------------------------------------------- Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 306e5bf..0846fd6 100644 --- a/openssh.spec +++ b/openssh.spec @@ -58,7 +58,6 @@ Source11: README.FIPS Source12: cavs_driver-ssh.pl Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source14: sysusers-sshd.conf -Patch0: openssh-7.7p1-allow_root_password_login.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch
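Review bot: The README.SUSE hunk deletes the `PermitRootLogin yes` bullet and puts nothing in its place, so the file no longer tells an administrator that the root login default changed with this update. A short transitional entry would help, stating that the default is now `prohibit-password` (the upstream default) and that root password login requires an explicit `PermitRootLogin yes`. That gives anyone who updates and finds root password authentication refused a place to look.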
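Review bot: In the deleted openssh-7.7p1-allow_root_password_login.patch, the sshd_config hunk shipped an uncommented `PermitRootLogin yes` in addition to changing the compiled-in default in servconf.c, and the removal does not address configurations that already carry that line. Dropping the patch restores `PERMIT_NO_PASSWD` for the `PERMIT_NOT_SET` case only; a host whose active sshd_config still contains the explicit `PermitRootLogin yes` keeps root password login enabled. Suggest saying so in openssh.changes and recommending that administrators check the effective value after the update, for example with `sshd -T`.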
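Review bot: The new openssh.changes entry misspells "measure" as `meassure`, and it describes the effect only as preventing root password login "by default" without naming the resulting setting. Spelling out the value, `PermitRootLogin prohibit-password`, would make the entry searchable for anyone tracing a change in root login behaviour back to this update, and would make clear that key-based root login remains permitted.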