From e11bee94994565791229bbfec2deefbed6cf46188a564ffb682c4c0c79aa371d Mon Sep 17 00:00:00 2001
From: Antonio Larrosa
Date: Fri, 17 May 2024 08:01:30 +0000
Subject: [PATCH] Accepting request 1174779 from home:alarrosa:branches:network:openssh-permit-root-login
- Remove the recommendation for openssh-server-config-rootlogin from openssh-server. Since the default for that config option was changed in SLE it's not needed anymore in SLE nor in TW (boo#1224392).
- Add a warning in %post of openssh-clients, openssh-server and openssh-server-config-disallow-rootlogin to warn the user if the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not being used (bsc#1223486).
OBS-URL: https://build.opensuse.org/request/show/1174779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=267
---
 openssh.changes | 16 ++++++++++++++++
 openssh.spec | 32 +++++++++++++++++++++++++++++---
 2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/openssh.changes b/openssh.changes
index 437daaf..1e5f3f8 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa
+
+- Remove the recommendation for openssh-server-config-rootlogin
+ from openssh-server. Since the default for that config option
+ was changed in SLE it's not needed anymore in SLE nor in TW
+ (boo#1224392).
+
+-------------------------------------------------------------------
+Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa
+
+- Add a warning in %post of openssh-clients, openssh-server and
+ openssh-server-config-disallow-rootlogin to warn the user if
+ the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
+ being used (bsc#1223486).
+
 -------------------------------------------------------------------
 Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa
diff --git a/openssh.spec b/openssh.spec
index 8b744cc..f9267bc 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -197,9 +197,6 @@ Group: Productivity/Networking/SSH
 Requires: %{name}-common = %{version}-%{release}
 Requires: crypto-policies >= 20220824
 Recommends: audit
-%if 0%{without allow_root_password_login_by_default}
-Recommends: openssh-server-config-rootlogin
-%endif
 Requires(pre): findutils
 Requires(pre): grep
 Requires(post): %fillup_prereq
@@ -466,6 +463,15 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 %{fillup_only -n ssh}
 %service_add_post sshd.service
+%if ! %{defined _distconfdir}
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+ echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+ echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
+ echo "be honored until the following line is added at the start of"
+ echo "/etc/ssh/sshd_config :"
+ echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %preun server
 %service_del_preun sshd.service
@@ -479,6 +485,16 @@ else
 %service_del_postun sshd.service
 fi
+%if ! %{defined _distconfdir}
+%post server-config-disallow-rootlogin
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+ echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+ echo " /etc/ssh/sshd_config.d/ . The config file installed by"
+ echo "openssh-server-config-disallow-rootlogin won't be used until"
+ echo "the following line is added at the start of /etc/ssh/sshd_config :"
+ echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans server
 # Migration to /usr/etc.
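Review bot: The `grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf"` test added to `%post server` only proves the line exists somewhere in the file, while the warning text itself says it belongs at the start. sshd keeps the first value it obtains for each keyword, so an Include placed below a conflicting directive or inside a Match block passes this check silently and the crypto-policies drop-in is still not honored. The literal pattern also misses spellings sshd accepts (keyword case, tabs, a path relative to /etc/ssh), which would print the warning on a working setup. Checking the first non-comment directive would match the message, e.g. `grep -Ev '^[[:space:]]*(#|$)' /etc/ssh/sshd_config | head -n1 | grep -Eqi '^[[:space:]]*Include[[:space:]]+(/etc/ssh/)?sshd_config\.d/\*\.conf'`; the same applies to the `%post server-config-disallow-rootlogin` and `%post clients` blocks added further down. The `%post server` scriptlet itself starts above this hunk.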
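Review bot: The new `%post server-config-disallow-rootlogin` scriptlet calls grep, but nothing visible in this diff gives that subpackage a scriptlet dependency on it; the only one shown is `Requires(pre): grep` on the server package. If grep is not available when the scriptlet runs, the command-not-found exit is handled like "no match" and the warning is printed on a correctly configured system. Adding `Requires(post): grep` to this subpackage, and to clients, which gains the same kind of scriptlet, would make the ordering explicit, unless it is already declared outside the hunks shown.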
@@ -492,6 +508,16 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
 %endif
+%if ! %{defined _distconfdir}
+%post clients
+test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
+ echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
+ echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
+ echo "be honored until the following line is added at the start of"
+ echo "/etc/ssh/ssh_config :"
+ echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans clients
 # Migration to /usr/etc.
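Review bot: This `%post clients` block is the third near-identical copy of the Include check added by the commit, differing only in the file name, the directory and one sentence of the message. A single parametrized spec macro taking those as arguments would keep the grep pattern and the wording in one place, so a later correction to the pattern cannot miss one of the three scriptlets. A short comment above the block would also help, for example `# Config lives in /etc here (no _distconfdir): warn if the drop-in directory is not included`, since the reason for the `%if ! %{defined _distconfdir}` guard is presumably the /usr/etc migration but is not stated anywhere in the hunk.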