forked from pool/openssh
Accepting request 873406 from home:jsegitz:branches:network
- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login as root via password by default (is also upstream default). Comment indicates that this was a temporary meassure that we now had for five years, time to get rid of it (bsc#1173067) OBS-URL: https://build.opensuse.org/request/show/873406 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=229
This commit is contained in:
Git OBS Bridge
parent
4b2c4475a9
commit
d13558019e
@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server:
|
||||
|
||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||
|
||||
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
||||
NOTE: this has security implications and is only done in order to not change
|
||||
behaviour of the server in an update. We strongly suggest setting this option
|
||||
either "prohibit-password" or even better to "no" (which disables direct
|
||||
remote root login entirely).
|
||||
|
||||
* DSA authentication is enabled by default for maximum compatibility.
|
||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||
|
||||
@ -1,59 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
Index: openssh-8.4p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/servconf.c
|
||||
+++ openssh-8.4p1/servconf.c
|
||||
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
Index: openssh-8.4p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config
|
||||
+++ openssh-8.4p1/sshd_config
|
||||
@@ -29,7 +29,7 @@
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
Index: openssh-8.4p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config.0
|
||||
+++ openssh-8.4p1/sshd_config.0
|
||||
@@ -778,7 +778,7 @@ DESCRIPTION
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
||||
- default is prohibit-password.
|
||||
+ default is yes.
|
||||
|
||||
If this option is set to prohibit-password (or its deprecated
|
||||
alias, without-password), password and keyboard-interactive
|
||||
Index: openssh-8.4p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config.5
|
||||
+++ openssh-8.4p1/sshd_config.5
|
||||
@@ -1331,7 +1331,7 @@ The argument must be
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
||||
@ -5,6 +5,14 @@ Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
|
||||
/usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
|
||||
- Move configuration files from /etc/ssh/ to /usr/share/ssh/
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
|
||||
as root via password by default (is also upstream default). Comment
|
||||
indicates that this was a temporary meassure that we now had for
|
||||
five years, time to get rid of it (bsc#1173067)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
|
||||
@ -58,7 +58,6 @@ Source11: README.FIPS
|
||||
Source12: cavs_driver-ssh.pl
|
||||
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
||||
Source14: sysusers-sshd.conf
|
||||
Patch0: openssh-7.7p1-allow_root_password_login.patch
|
||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||
Patch4: openssh-7.7p1-eal3.patch
|
||||
|
||||
Loading…
Reference in New Issue
Block a user