- Only for SLE15, restore the patch file removed in
Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
from SP5 of having root password login allowed by default
(fixes bsc#1223486, related to bsc#1173067):
* openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to
permit root to use password logins in SLE15, the
openssh-server-config-rootlogin subpackage isn't useful there so
we now create an openssh-server-config-disallow-rootlogin
subpackage that sets the configuration the other way around
than openssh-server-config-rootlogin.
OBS-URL: https://build.opensuse.org/request/show/1173783
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=266
- update to 8.4p1:
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
a FIDO resident key.
* ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
"verify-required" option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
New Features
------------
* sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token verified
that the user was present before making the signature. The FIDO
protocol supports multiple methods for user-verification, but
currently OpenSSH only supports PIN verification.
* sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
* ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are CertificateFile,
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
RemoteForward when used for Unix domain socket paths. bz#3140
* ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use. bz#69
* ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
OBS-URL: https://build.opensuse.org/request/show/863944
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
* There is no reason to set less secure default value, if
users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
* We had a bug way in past about this but it was never reproduced
or even confirmed in the ticket, thus rather drop the patch
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=155
- Update to 7.8p1:
* no actual changes for the askpass
- Format with spec-cleaner
- Respect cflags
- Use gtk3 rather than gtk2 which is being phased out
- Remove the mention of the SLE12 in the README.SUSE
- Install firewall rules only when really needed (<SLE15)
- Version update to 7.8p1:
* For most details see release notes file
* ssh-keygen(1): write OpenSSH format private keys by default
instead of using OpenSSL's PEM format
- Rebase patches to apply on 7.8p1 release:
* openssh-7.7p1-fips.patch
* openssh-7.7p1-cavstest-kdf.patch
* openssh-7.7p1-fips_checks.patch
* openssh-7.7p1-gssapi_key_exchange.patch
* openssh-7.7p1-audit.patch
* openssh-7.7p1-openssl_1.1.0.patch
* openssh-7.7p1-ldap.patch
* openssh-7.7p1-IPv6_X_forwarding.patch
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
* openssh-7.7p1-disable_short_DH_parameters.patch
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
* openssh-7.7p1-pam_check_locks.patch
* openssh-7.7p1-seed-prng.patch
* openssh-7.7p1-systemd-notify.patch
* openssh-7.7p1-X11_trusted_forwarding.patch
- Dropped patches:
OBS-URL: https://build.opensuse.org/request/show/642573
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153
