Accepting request 1174779 from home:alarrosa:branches:network:openssh-permit-root-login

- Remove the recommendation for openssh-server-config-rootlogin
  from openssh-server. Since the default for that config option
  was changed in SLE it's not needed anymore in SLE nor in TW
  (boo#1224392).

- Add a warning in %post of openssh-clients, openssh-server and 
  openssh-server-config-disallow-rootlogin to warn the user if
  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
  being used (bsc#1223486).

OBS-URL: https://build.opensuse.org/request/show/1174779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=267

openssh.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Remove the recommendation for openssh-server-config-rootlogin
+  from openssh-server. Since the default for that config option
+  was changed in SLE it's not needed anymore in SLE nor in TW
+  (boo#1224392).
+
+-------------------------------------------------------------------
+Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add a warning in %post of openssh-clients, openssh-server and 
+  openssh-server-config-disallow-rootlogin to warn the user if
+  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
+  being used (bsc#1223486).
+
 -------------------------------------------------------------------
 Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 

openssh.spec

@@ -197,9 +197,6 @@ Group:          Productivity/Networking/SSH
 Requires:       %{name}-common = %{version}-%{release}
 Requires:       crypto-policies >= 20220824
 Recommends:     audit
-%if 0%{without allow_root_password_login_by_default}
-Recommends:     openssh-server-config-rootlogin
-%endif
 Requires(pre):  findutils
 Requires(pre):  grep
 Requires(post): %fillup_prereq
@@ -466,6 +463,15 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 %{fillup_only -n ssh}
 %service_add_post sshd.service
 
+%if ! %{defined _distconfdir}
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %preun server
 %service_del_preun sshd.service
 
@@ -479,6 +485,16 @@ else
 %service_del_postun sshd.service
 fi
 
+%if ! %{defined _distconfdir}
+%post server-config-disallow-rootlogin
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The config file installed by"
+    echo "openssh-server-config-disallow-rootlogin won't be used until"
+    echo "the following line is added at the start of /etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans server
 # Migration to /usr/etc.
@@ -492,6 +508,16 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
 %endif
 
+%if ! %{defined _distconfdir}
+%post clients
+test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
+    echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
+    echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/ssh_config :"
+    echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans clients
 # Migration to /usr/etc.