diff --git a/README.SUSE b/README.SUSE index cd33733..cb1f82b 100644 --- a/README.SUSE +++ b/README.SUSE @@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server: * PAM authentication is enabled and mostly even required, do not turn it off. -* root authentiation with password is enabled by default (PermitRootLogin yes). - NOTE: this has security implications and is only done in order to not change - behaviour of the server in an update. We strongly suggest setting this option - either "prohibit-password" or even better to "no" (which disables direct - remote root login entirely). - * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch deleted file mode 100644 index 815b8a5..0000000 --- a/openssh-7.7p1-allow_root_password_login.patch +++ /dev/null @@ -1,59 +0,0 @@ -# HG changeset patch -# Parent af43d436bc7fe818dd976c923ad99b89051eb299 -Allow root login with password by default. While less secure than upstream -default of forbidding access to the root account with a password, we are -temporarily introducing this change to keep the default used in older OpenSSH -versions shipped with SLE. - -Index: openssh-8.4p1/servconf.c -=================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c -@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption - if (options->login_grace_time == -1) - options->login_grace_time = 120; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_NO_PASSWD; -+ options->permit_root_login = PERMIT_YES; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) -Index: openssh-8.4p1/sshd_config -=================================================================== ---- openssh-8.4p1.orig/sshd_config -+++ openssh-8.4p1/sshd_config -@@ -29,7 +29,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin prohibit-password -+PermitRootLogin yes - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 -Index: openssh-8.4p1/sshd_config.0 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.0 -+++ openssh-8.4p1/sshd_config.0 -@@ -778,7 +778,7 @@ DESCRIPTION - PermitRootLogin - Specifies whether root can log in using ssh(1). The argument - must be yes, prohibit-password, forced-commands-only, or no. The -- default is prohibit-password. -+ default is yes. - - If this option is set to prohibit-password (or its deprecated - alias, without-password), password and keyboard-interactive -Index: openssh-8.4p1/sshd_config.5 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -1331,7 +1331,7 @@ The argument must be - or - .Cm no . - The default is --.Cm prohibit-password . -+.Cm yes . - .Pp - If this option is set to - .Cm prohibit-password diff --git a/openssh.changes b/openssh.changes index 945ac83..1a38a66 100644 --- a/openssh.changes +++ b/openssh.changes @@ -5,6 +5,14 @@ Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk /usr/share/ssh/ (openssh-8.4p1-vendordir.patch) - Move configuration files from /etc/ssh/ to /usr/share/ssh/ +------------------------------------------------------------------- +Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz + +- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login + as root via password by default (is also upstream default). Comment + indicates that this was a temporary meassure that we now had for + five years, time to get rid of it (bsc#1173067) + ------------------------------------------------------------------- Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 306e5bf..0846fd6 100644 --- a/openssh.spec +++ b/openssh.spec @@ -58,7 +58,6 @@ Source11: README.FIPS Source12: cavs_driver-ssh.pl Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source14: sysusers-sshd.conf -Patch0: openssh-7.7p1-allow_root_password_login.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch