From f2379e82ce89e0009d3dc443ce6b50be93d07361a7c7fff62f02e414189a8445 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Tue, 14 May 2024 06:52:13 +0000 Subject: [PATCH] Accepting request 1173783 from home:alarrosa:branches:network:openssh-permit-root-login - Only for SLE15, restore the patch file removed in Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour from SP5 of having root password login allowed by default (fixes bsc#1223486, related to bsc#1173067): * openssh-7.7p1-allow_root_password_login.patch - Since the default value for this config option is now set to permit root to use password logins in SLE15, the openssh-server-config-rootlogin subpackage isn't useful there so we now create an openssh-server-config-disallow-rootlogin subpackage that sets the configuration the other way around than openssh-server-config-rootlogin. OBS-URL: https://build.opensuse.org/request/show/1173783 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=266 --- README.SUSE | 7 +++ openssh-7.7p1-allow_root_password_login.patch | 59 +++++++++++++++++++ openssh.changes | 15 +++++ openssh.spec | 39 +++++++++++- 4 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 openssh-7.7p1-allow_root_password_login.patch diff --git a/README.SUSE b/README.SUSE index cb1f82b..1350a12 100644 --- a/README.SUSE +++ b/README.SUSE 
@@ -5,6 +5,13 @@ There are following changes in default settings of ssh client and server: * PAM authentication is enabled and mostly even required, do not turn it off. +* In SLE15, root authentiation with password is enabled by default + (PermitRootLogin yes). + NOTE: this has security implications and is only done in order to not change + behaviour of the server in an update. We strongly suggest setting this option + either "prohibit-password" or even better to "no" (which disables direct + remote root login entirely). + * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch new file mode 100644 index 0000000..815b8a5 --- /dev/null +++ b/openssh-7.7p1-allow_root_password_login.patch 
@@ -0,0 +1,59 @@
+# HG changeset patch
+# Parent af43d436bc7fe818dd976c923ad99b89051eb299
+Allow root login with password by default. While less secure than upstream
+default of forbidding access to the root account with a password, we are
+temporarily introducing this change to keep the default used in older OpenSSH
+versions shipped with SLE.
+
+Index: openssh-8.4p1/servconf.c
+===================================================================
+--- openssh-8.4p1.orig/servconf.c
++++ openssh-8.4p1/servconf.c
+@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
+ if (options->login_grace_time == -1)
+ options->login_grace_time = 120;
+ if (options->permit_root_login == PERMIT_NOT_SET)
+- options->permit_root_login = PERMIT_NO_PASSWD;
++ options->permit_root_login = PERMIT_YES;
+ if (options->ignore_rhosts == -1)
+ options->ignore_rhosts = 1;
+ if (options->ignore_user_known_hosts == -1)
+Index: openssh-8.4p1/sshd_config
+===================================================================
+--- openssh-8.4p1.orig/sshd_config
++++ openssh-8.4p1/sshd_config
+@@ -29,7 +29,7 @@
+ # Authentication:
+
+ #LoginGraceTime 2m
+-#PermitRootLogin prohibit-password
++PermitRootLogin yes
+ #StrictModes yes
+ #MaxAuthTries 6
+ #MaxSessions 10
+Index: openssh-8.4p1/sshd_config.0
+===================================================================
+--- openssh-8.4p1.orig/sshd_config.0
++++ openssh-8.4p1/sshd_config.0
+@@ -778,7 +778,7 @@ DESCRIPTION
+ PermitRootLogin
+ Specifies whether root can log in using ssh(1). The argument
+ must be yes, prohibit-password, forced-commands-only, or no. The
+- default is prohibit-password.
++ default is yes.
+ + If this option is set to prohibit-password (or its deprecated + alias, without-password), password and keyboard-interactive +Index: openssh-8.4p1/sshd_config.5 +=================================================================== +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 +@@ -1331,7 +1331,7 @@ The argument must be + or + .Cm no . + The default is +-.Cm prohibit-password . ++.Cm yes . + .Pp + If this option is set to + .Cm prohibit-password diff --git a/openssh.changes b/openssh.changes index 1331030..437daaf 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa + +- Only for SLE15, restore the patch file removed in + Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour + from SP5 of having root password login allowed by default + (fixes bsc#1223486, related to bsc#1173067): + * openssh-7.7p1-allow_root_password_login.patch +- Since the default value for this config option is now set to + permit root to use password logins in SLE15, the + openssh-server-config-rootlogin subpackage isn't useful there so + we now create an openssh-server-config-disallow-rootlogin + subpackage that sets the configuration the other way around + than openssh-server-config-rootlogin. + ------------------------------------------------------------------- Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner diff --git a/openssh.spec b/openssh.spec index 99c96b5..8b744cc 100644 --- a/openssh.spec +++ b/openssh.spec @@ -28,8 +28,10 @@ %if 0%{?suse_version} >= 1550 %bcond_without wtmpdb +%bcond_with allow_root_password_login_by_default %else %bcond_with wtmpdb +%bcond_without allow_root_password_login_by_default %endif #Compat macro for new _fillupdir macro introduced in Nov 2017 
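Review bot: The nested sshd_config hunk ships an uncommented `PermitRootLogin yes`, which turns the value into an explicit setting instead of a documented default. sshd keeps the first value it obtains for a keyword, so the `prohibit-password` drop-in this commit installs under `sshd_config.d` only takes effect if the `Include` of that directory comes before this line; the position of the `Include` is not visible in the hunk. Keeping the sample line commented, `#PermitRootLogin yes`, would still document the new compiled default from servconf.c while letting any drop-in or later admin setting override it.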
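Review bot: The `%else` branch of the first openssh.spec hunk turns `allow_root_password_login_by_default` on for every `suse_version` below 1550, not only SLE15 as the changelog says, and nothing in the spec says that this switch weakens a security default. A comment above the `%bcond` lines would make that visible to the next packager, for example `# suse_version < 1550: keep PermitRootLogin yes as the built-in default, see README.SUSE`. If other products build from this spec with a lower `suse_version`, they would presumably inherit the weaker default as well.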
@@ -126,6 +128,9 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch +%if 0%{with allow_root_password_login_by_default} +Patch1000: openssh-7.7p1-allow_root_password_login.patch +%endif BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -192,7 +197,7 @@ Group: Productivity/Networking/SSH Requires: %{name}-common = %{version}-%{release} Requires: crypto-policies >= 20220824 Recommends: audit -%if 0%{?suse_version} == 1500 +%if 0%{without allow_root_password_login_by_default} Recommends: openssh-server-config-rootlogin %endif Requires(pre): findutils 
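Review bot: The rewritten condition on `Recommends: openssh-server-config-rootlogin` changes who gets the recommendation: it used to apply only when `suse_version == 1500`, and `%{without allow_root_password_login_by_default}` is true exactly where `suse_version >= 1550`. Builds for 1550 and later would therefore start recommending the subpackage that installs `PermitRootLogin yes`, which widens root password login on the code stream the commit message says it leaves alone. If the old recommendation is simply obsolete now that the default is patched, dropping the three lines (`%if`, `Recommends:`, `%endif`) would keep both code streams at their intended default.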
@@ -214,16 +219,31 @@ also be forwarded over the secure channel. This package contains the Secure Shell daemon, which allows clients to securely connect to your server. +%if 0%{with allow_root_password_login_by_default} +%package server-config-disallow-rootlogin +Summary: Config to disallow password root logins to sshd +Group: Productivity/Networking/SSH +Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-rootlogin + +%description server-config-disallow-rootlogin +The openssh-server package by default allows password based +root logins. This package provides a config that disallows root +to log in using the passwor. It's useful to secure your system +preventing password attacks on the root account over ssh. +%else %package server-config-rootlogin Summary: Config to permit root logins to sshd Group: Productivity/Networking/SSH Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-disallow-rootlogin %description server-config-rootlogin The openssh-server package by default disallows password based root logins. This package provides a config that does. It's useful to temporarily have a password based login to be able to use ssh-copy-id(1). +%endif %package clients Summary: SSH (Secure Shell) client applications @@ -369,7 +389,11 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config +%if 0%{with allow_root_password_login_by_default} +echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%else echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%endif # Move /etc to /usr/etc/ssh %if %{defined _distconfdir} 
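Review bot: The new `%description server-config-disallow-rootlogin` text has a typo, "using the passwor", which ends up in the package metadata; `to log in using a password. It's useful to secure your system by` reads correctly. The package name and summary also promise more than the drop-in delivers: with `prohibit-password` root can still log in with a key, so a summary such as `Config to prohibit password-based root logins to sshd` would describe the resulting policy accurately.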
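Review bot: The drop-in written in `%install` is called `51-permit-root-login.conf` but contains `PermitRootLogin prohibit-password`, so the file name says the opposite of what the file does. Because sshd keeps the first value it reads for a keyword and included files are processed in lexical order, the `51-` prefix also means any `50-*.conf` that sets PermitRootLogin takes precedence over this hardening file. A name that contains `prohibit-password` and a first line in the file such as `# Installed by openssh-server-config-disallow-rootlogin` would make the setting easier to audit; the same file name is repeated in the later `mv` and `%files` hunks.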
@@ -377,8 +401,12 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ +%if 0%{with allow_root_password_login_by_default} +mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%else mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif +%endif install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf %if %{defined _distconfdir} @@ -532,12 +560,21 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %config %{_fwdefdir}/sshd %endif +%if 0%{with allow_root_password_login_by_default} +%files server-config-disallow-rootlogin +%if %{defined _distconfdir} +%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%else +%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%endif +%else %files server-config-rootlogin %if %{defined _distconfdir} %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %else %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif +%endif %files clients %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d