Commit Graph

11 Commits

Author SHA256 Message Date
f2379e82ce Accepting request 1173783 from home:alarrosa:branches:network:openssh-permit-root-login
- Only for SLE15, restore the patch file removed in
  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
  from SP5 of having root password login allowed by default
  (fixes bsc#1223486, related to bsc#1173067):
  * openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to
  permit root to use password logins in SLE15, the
  openssh-server-config-rootlogin subpackage isn't useful there so 
  we now create an openssh-server-config-disallow-rootlogin
  subpackage that sets the configuration the other way around
  than openssh-server-config-rootlogin.

OBS-URL: https://build.opensuse.org/request/show/1173783
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=266
2024-05-14 06:52:13 +00:00
d13558019e Accepting request 873406 from home:jsegitz:branches:network
- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
  as root via password by default (is also upstream default). Comment
  indicates that this was a temporary meassure that we now had for 
  five years, time to get rid of it (bsc#1173067)

OBS-URL: https://build.opensuse.org/request/show/873406
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=229
2021-04-17 14:22:02 +00:00
Tomáš Chvátal
39cce89598 Accepting request 669019 from home:pmonrealgonzalez:branches:network
- Remove old conditionals

  * Mention the change in README.SUSE

OBS-URL: https://build.opensuse.org/request/show/669019
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=173
2019-01-28 10:41:40 +00:00
Tomáš Chvátal
704eb5c303 - Drop patch openssh-7.7p1-allow_root_password_login.patch
* There is no reason to set less secure default value, if
    users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
  * We had a bug way in past about this but it was never reproduced
    or even confirmed in the ticket, thus rather drop the patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=155
2018-10-19 08:41:04 +00:00
Tomáš Chvátal
c159d0ce66 - Disable ssh1 protocol support as neither RH or Debian enable
this protocol by default anymore either.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=154
2018-10-17 09:24:31 +00:00
Tomáš Chvátal
7bccbbd821 Accepting request 642573 from home:scarabeus_iv:branches:network
- Update to 7.8p1:
  * no actual changes for the askpass
- Format with spec-cleaner
- Respect cflags
- Use gtk3 rather than gtk2 which is being phased out

- Remove the mention of the SLE12 in the README.SUSE
- Install firewall rules only when really needed (<SLE15)

- Version update to 7.8p1:
  * For most details see release notes file
  * ssh-keygen(1): write OpenSSH format private keys by default
    instead of using OpenSSL's PEM format
- Rebase patches to apply on 7.8p1 release:
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-gssapi_key_exchange.patch
  * openssh-7.7p1-audit.patch
  * openssh-7.7p1-openssl_1.1.0.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-IPv6_X_forwarding.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-7.7p1-disable_short_DH_parameters.patch
  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
  * openssh-7.7p1-pam_check_locks.patch
  * openssh-7.7p1-seed-prng.patch
  * openssh-7.7p1-systemd-notify.patch
  * openssh-7.7p1-X11_trusted_forwarding.patch
- Dropped patches:

OBS-URL: https://build.opensuse.org/request/show/642573
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153
2018-10-17 08:57:56 +00:00
Petr Cerny
e8b9919265 Accepting request 500279 from home:pcerny:factory
- Fix preauth seccomp separation on mainframes (bsc#1016709)
  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- enable case-insensitive hostname matching (bsc#1017099)
  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
- add CAVS tests 
  [openssh-7.2p2-cavstest-ctr.patch]
  [openssh-7.2p2-cavstest-kdf.patch]
- Adding missing pieces for user matching (bsc#1021626)
- Properly verify CIDR masks in configuration
  (bsc#1005893)
  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
- Remove pre-auth compression support from the server to prevent
  possible cryptographic attacks.
  (CVE-2016-10012, bsc#1016370)
  [openssh-7.2p2-disable_preauth_compression.patch]
- limit directories for loading PKCS11 modules
  (CVE-2016-10009, bsc#1016366)
  [openssh-7.2p2-restrict_pkcs11-modules.patch]
- Prevent possible leaks of host private keys to low-privilege
  process handling authentication
  (CVE-2016-10011, bsc#1016369)
  [openssh-7.2p2-prevent_private_key_leakage.patch]
- Do not allow unix socket forwarding when running without
  privilege separation
  (CVE-2016-10010, bsc#1016368)
  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
- prevent resource depletion during key exchange
  (bsc#1005480, CVE-2016-8858)
  [openssh-7.2p2-kex_resource_depletion.patch]

OBS-URL: https://build.opensuse.org/request/show/500279
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
2017-05-31 23:09:14 +00:00
Petr Cerny
6dac324cb7 Accepting request 407066 from home:pcerny:factory
- enable support for SSHv1 protocol and discourage its usage
  (bsc#983307)
- enable DSA by default for backward compatibility and discourage
  its usage (bsc#983784)
  [openssh-7.2p2-allow_DSS_by_default.patch]

- upgrade to 7.2p2
  upstream package without any SUSE patches
  Distilled upstream log:
- OpenSSH 6.7
  Potentially-incompatible changes:
  * sshd(8): The default set of ciphers and MACs has been
    altered to remove unsafe algorithms. In particular, CBC
    ciphers and arcfour* are disabled by default.
    The full set of algorithms remains available if configured
    explicitly via the Ciphers and MACs sshd_config options.
  * sshd(8): Support for tcpwrappers/libwrap has been removed.
  * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of
    connections using the curve25519-sha256@libssh.org KEX
    exchange method to fail when connecting with something that
    implements the specification correctly. OpenSSH 6.7 disables
    this KEX method when speaking to one of the affected
    versions.
  New Features:
  * ssh(1), sshd(8): Add support for Unix domain socket
    forwarding. A remote TCP port may be forwarded to a local
    Unix domain socket and vice versa or both ends may be a Unix
    domain socket.
  * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
    ED25519 key types.

OBS-URL: https://build.opensuse.org/request/show/407066
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
2016-07-07 07:07:23 +00:00
Petr Cerny
5093e42eaa Accepting request 398802 from home:pcerny:factory
- upgrade to 7.2p2

- changing license to 2-clause BSD to match source

- enable trusted X11 forwarding by default
  [-X11_trusted_forwarding]
- set UID for lastlog properly [-lastlog]
- enable use of PAM by default [-enable_PAM_by_default]
- copy command line arguments properly [-saveargv-fix]
- do not use pthreads in PAM code [-dont_use_pthreads_in_PAM]
- fix paths in documentation [-eal3]
- prevent race consitions triggered by SIGALRM [-blocksigalrm]
- do send and accept locale environment variables by default
  [-send_locale]
- handle hostnames changes during X forwarding
  [-hostname_changes_when_forwarding_X]
- try to remove xauth cookies on exit
  [-remove_xauth_cookies_on_exit]
- properly format pts names for ?tmp? log files
  [-pts_names_formatting]
- check locked accounts when using PAM [-pam_check_locks]
- chenge default PermitRootLogin to 'yes' to prevent unwanted
  surprises on updates from older versions.
  See README.SUSE for details
  [-allow_root_password_login]
- Disable DH parameters under 2048 bits by default and allow
  lowering the limit back to the RFC 4419 specified minimum
  through an option (bsc#932483, bsc#948902)
  [-disable_short_DH_parameters]
- Add getuid() and stat() syscalls to the seccomp filter

OBS-URL: https://build.opensuse.org/request/show/398802
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103
2016-05-30 01:36:18 +00:00
13651d3d21 restore factory state, so we can fix bugs.
old stuff is still in the old revisions

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=98
2016-04-06 11:34:51 +00:00
Ismail Dönmez
642f5e8889 Accepting request 354941 from home:scarabeus_iv:branches:network
- Cleanup with spec-cleaner
- Update of the master OpenSSH to 7.1p2

- Take refreshed and updated audit patch from redhat
  * Remove our old patches:
    + openssh-6.6p1-audit1-remove_duplicit_audit.patch
    + openssh-6.6p1-audit2-better_audit_of_user_actions.patch
    + openssh-6.6p1-audit3-key_auth_usage-fips.patch
    + openssh-6.6p1-audit3-key_auth_usage.patch
    + openssh-6.6p1-audit4-kex_results-fips.patch
    + openssh-6.6p1-audit4-kex_results.patch
    + openssh-6.6p1-audit5-session_key_destruction.patch
    + openssh-6.6p1-audit6-server_key_destruction.patch
    + openssh-6.6p1-audit7-libaudit_compat.patch
    + openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
  * add openssh-6.7p1-audit.patch
- Reenable the openssh-6.6p1-ldap.patch
- Update the fips patch from RH build openssh-6.6p1-fips.patch
- Update and refresh openssh-6.6p1-gssapi_key_exchange.patch
- Remove fips-check patch as it is merged to fips patch
  * openssh-6.6p1-fips-checks.patch
- Rebase and enable chroot patch:
  * openssh-6.6p1-sftp_homechroot.patch
- Reenable rebased patch for linux seed:
  * openssh-6.6p1-seed-prng.patch
- Reenable key converting patch:
  * openssh-6.6p1-key-converter.patch

- Version update to 7.1p2:
  * various upstream bugfixes and cleanups

OBS-URL: https://build.opensuse.org/request/show/354941
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95
2016-01-21 07:28:30 +00:00