6543c1a02b
- update to 8.4p1:
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
a FIDO resident key.
* ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
"verify-required" option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
New Features
------------
* sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token verified
that the user was present before making the signature. The FIDO
protocol supports multiple methods for user-verification, but
currently OpenSSH only supports PIN verification.
* sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
* ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are CertificateFile,
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
RemoteForward when used for Unix domain socket paths. bz#3140
* ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use. bz#69
* ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
OBS-URL: https://build.opensuse.org/request/show/863944
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
60 lines
2.1 KiB
Diff
60 lines
2.1 KiB
Diff
# HG changeset patch
|
|
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
|
Allow root login with password by default. While less secure than upstream
|
|
default of forbidding access to the root account with a password, we are
|
|
temporarily introducing this change to keep the default used in older OpenSSH
|
|
versions shipped with SLE.
|
|
|
|
Index: openssh-8.4p1/servconf.c
|
|
===================================================================
|
|
--- openssh-8.4p1.orig/servconf.c
|
|
+++ openssh-8.4p1/servconf.c
|
|
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
|
|
if (options->login_grace_time == -1)
|
|
options->login_grace_time = 120;
|
|
if (options->permit_root_login == PERMIT_NOT_SET)
|
|
- options->permit_root_login = PERMIT_NO_PASSWD;
|
|
+ options->permit_root_login = PERMIT_YES;
|
|
if (options->ignore_rhosts == -1)
|
|
options->ignore_rhosts = 1;
|
|
if (options->ignore_user_known_hosts == -1)
|
|
Index: openssh-8.4p1/sshd_config
|
|
===================================================================
|
|
--- openssh-8.4p1.orig/sshd_config
|
|
+++ openssh-8.4p1/sshd_config
|
|
@@ -29,7 +29,7 @@
|
|
# Authentication:
|
|
|
|
#LoginGraceTime 2m
|
|
-#PermitRootLogin prohibit-password
|
|
+PermitRootLogin yes
|
|
#StrictModes yes
|
|
#MaxAuthTries 6
|
|
#MaxSessions 10
|
|
Index: openssh-8.4p1/sshd_config.0
|
|
===================================================================
|
|
--- openssh-8.4p1.orig/sshd_config.0
|
|
+++ openssh-8.4p1/sshd_config.0
|
|
@@ -778,7 +778,7 @@ DESCRIPTION
|
|
PermitRootLogin
|
|
Specifies whether root can log in using ssh(1). The argument
|
|
must be yes, prohibit-password, forced-commands-only, or no. The
|
|
- default is prohibit-password.
|
|
+ default is yes.
|
|
|
|
If this option is set to prohibit-password (or its deprecated
|
|
alias, without-password), password and keyboard-interactive
|
|
Index: openssh-8.4p1/sshd_config.5
|
|
===================================================================
|
|
--- openssh-8.4p1.orig/sshd_config.5
|
|
+++ openssh-8.4p1/sshd_config.5
|
|
@@ -1331,7 +1331,7 @@ The argument must be
|
|
or
|
|
.Cm no .
|
|
The default is
|
|
-.Cm prohibit-password .
|
|
+.Cm yes .
|
|
.Pp
|
|
If this option is set to
|
|
.Cm prohibit-password
|