6c861e0b33
- remaining patches that were still missing since the update to 7.2p2 (FATE#319675): [openssh-7.2p2-disable_openssl_abi_check.patch] - fix forwarding with IPv6 addresses in DISPLAY (bnc#847710) [openssh-7.2p2-IPv6_X_forwarding.patch] - ignore PAM environment when using login (bsc#975865, CVE-2015-8325) [openssh-7.2p2-ignore_PAM_with_UseLogin.patch] - limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515) [openssh-7.2p2-limit_password_length.patch] - Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [openssh-7.2p2-prevent_timing_user_enumeration.patch] - Add auditing for PRNG re-seeding [openssh-7.2p2-audit_seed_prng.patch] OBS-URL: https://build.opensuse.org/request/show/433779 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
48 lines
1.6 KiB
Diff
48 lines
1.6 KiB
Diff
# HG changeset patch
|
|
# Parent 980f301b2920c09b30577dd722546bca85d25fc1
|
|
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
|
# bnc#46749
|
|
# --used to be called '-pam-fix2'
|
|
|
|
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
|
--- a/openssh-7.2p2/sshd_config
|
|
+++ b/openssh-7.2p2/sshd_config
|
|
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
#HostbasedAuthentication no
|
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
|
# RhostsRSAAuthentication and HostbasedAuthentication
|
|
#IgnoreUserKnownHosts no
|
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
#IgnoreRhosts yes
|
|
|
|
# To disable tunneled clear text passwords, change to no here!
|
|
-#PasswordAuthentication yes
|
|
+PasswordAuthentication no
|
|
#PermitEmptyPasswords no
|
|
|
|
# Change to no to disable s/key passwords
|
|
#ChallengeResponseAuthentication yes
|
|
|
|
# Kerberos options
|
|
#KerberosAuthentication no
|
|
#KerberosOrLocalPasswd yes
|
|
@@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
# and session processing. If this is enabled, PAM authentication will
|
|
# be allowed through the ChallengeResponseAuthentication and
|
|
# PasswordAuthentication. Depending on your PAM configuration,
|
|
# PAM authentication via ChallengeResponseAuthentication may bypass
|
|
# the setting of "PermitRootLogin without-password".
|
|
# If you just want the PAM account and session checks to run without
|
|
# PAM authentication, then enable this but set PasswordAuthentication
|
|
# and ChallengeResponseAuthentication to 'no'.
|
|
-#UsePAM no
|
|
+UsePAM yes
|
|
|
|
#AllowAgentForwarding yes
|
|
#AllowTcpForwarding yes
|
|
#GatewayPorts no
|
|
X11Forwarding yes
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PermitTTY yes
|