Accepting request 1174779 from home:alarrosa:branches:network:openssh-permit-root-login

- Remove the recommendation for openssh-server-config-rootlogin
  from openssh-server. Since the default for that config option
  was changed in SLE it's not needed anymore in SLE nor in TW
  (boo#1224392).

- Add a warning in %post of openssh-clients, openssh-server and 
  openssh-server-config-disallow-rootlogin to warn the user if
  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
  being used (bsc#1223486).

OBS-URL: https://build.opensuse.org/request/show/1174779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=267
Antonio Larrosa 2024-05-17 08:01:30 +00:00 committed by Git OBS Bridge
parent f2379e82ce
commit e11bee9499
2 changed files with 45 additions and 3 deletions

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Remove the recommendation for openssh-server-config-rootlogin
from openssh-server. Since the default for that config option
was changed in SLE it's not needed anymore in SLE nor in TW
(boo#1224392).
-------------------------------------------------------------------
Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add a warning in %post of openssh-clients, openssh-server and
openssh-server-config-disallow-rootlogin to warn the user if
the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
being used (bsc#1223486).
-------------------------------------------------------------------
Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

@ -197,9 +197,6 @@ Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Requires: crypto-policies >= 20220824
Recommends: audit
%if 0%{without allow_root_password_login_by_default}
Recommends: openssh-server-config-rootlogin
%endif
Requires(pre): findutils
Requires(pre): grep
Requires(post): %fillup_prereq
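Review bot: the `Recommends: openssh-server-config-rootlogin` block in the middle of this hunk is dropped together with its `%if 0%{without allow_root_password_login_by_default}` guard, but nothing in the spec records why. The changelog only says the default for that option changed in SLE; a short comment here, or a clearer changelog entry stating which default now applies, would help anyone auditing root login behaviour later. If this was the last use of the `allow_root_password_login_by_default` conditional, its definition should be removed in the same change.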
@ -466,6 +463,15 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
%{fillup_only -n ssh}
%service_add_post sshd.service
%if ! %{defined _distconfdir}
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
echo "be honored until the following line is added at the start of"
echo "/etc/ssh/sshd_config :"
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif
%preun server
%service_del_preun sshd.service
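Review bot: the `grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf"` test in this `%post` block is stricter than sshd's own parser, so it can warn on a configuration that does include the directory. sshd_config keywords are case-insensitive, may be preceded by whitespace and separated from their argument by tabs or several spaces, and an Include path without a leading slash is resolved relative to /etc/ssh, so a line such as `include sshd_config.d/*.conf` is valid but fails this match. Suggest `grep -Eqi` with a pattern that allows leading and separating whitespace and an optional `/etc/ssh/` prefix, so the crypto-policies warning only fires when the drop-in directory is really unused.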
@ -479,6 +485,16 @@ else
%service_del_postun sshd.service
fi
%if ! %{defined _distconfdir}
%post server-config-disallow-rootlogin
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
echo " /etc/ssh/sshd_config.d/ . The config file installed by"
echo "openssh-server-config-disallow-rootlogin won't be used until"
echo "the following line is added at the start of /etc/ssh/sshd_config :"
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif
%if %{defined _distconfdir}
%posttrans server
# Migration to /usr/etc.
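Review bot: the check in `%post server-config-disallow-rootlogin` only tests that the Include line exists somewhere in /etc/ssh/sshd_config, while the message it prints says the line must be at the start. sshd uses the first value it obtains for each keyword, so an Include that comes after a `PermitRootLogin` line in the main file, or one placed inside a `Match` block, passes this grep and prints no warning even though the drop-in from this package does not take effect. For a package whose whole purpose is to disallow root login, consider also checking that the Include precedes any `PermitRootLogin` line in the main file, or comparing against the effective value from `sshd -T` where that is usable in a scriptlet.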
@ -492,6 +508,16 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
%endif
%if ! %{defined _distconfdir}
%post clients
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
echo "be honored until the following line is added at the start of"
echo "/etc/ssh/ssh_config :"
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
%endif
%if %{defined _distconfdir}
%posttrans clients
# Migration to /usr/etc.
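Review bot: this `%post clients` block is the third copy of the same test-and-echo sequence, differing only in the file name and one sentence of the message; a spec macro taking the config path and the message text would keep the three copies from drifting apart. The warning is also written to stdout with plain `echo`, where it is easy to lose in unattended installs; redirecting it with `>&2` is the more usual place for scriptlet warnings.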