# HG changeset patch
# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
Allow root login with password by default. While less secure than upstream default of forbidding access to the root account with a password, we are temporarily introducing this change to keep the default used in older OpenSSH versions shipped with SLE.
diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
--- openssh-7.7p1/servconf.c
+++ openssh-7.7p1/servconf.c
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
 options->address_family = AF_UNSPEC;
 if (options->listen_addrs == NULL)
 add_listen_addr(options, NULL, NULL, 0);
 if (options->pid_file == NULL)
 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
 if (options->login_grace_time == -1)
 options->login_grace_time = 120;
 if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
 if (options->ignore_rhosts == -1)
 options->ignore_rhosts = 1;
 if (options->ignore_user_known_hosts == -1)
 options->ignore_user_known_hosts = 0;
 if (options->print_motd == -1)
 options->print_motd = 1;
 if (options->print_lastlog == -1)
 options->print_lastlog = 1;
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
--- openssh-7.7p1/sshd_config
+++ openssh-7.7p1/sshd_config
@@ -24,17 +24,17 @@
 # Logging
 #SyslogFacility AUTH
 #LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
--- openssh-7.7p1/sshd_config.0
+++ openssh-7.7p1/sshd_config.0
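Review bot: The new `options->permit_root_login = PERMIT_YES;` fallback in fill_default_server_options carries no in-code marker that it is a temporary, distribution-specific deviation from upstream's `PERMIT_NO_PASSWD`; the commit message says so, but that context is lost once the patch is applied. I would add a comment above the assignment such as `/* SLE compat: upstream default is PERMIT_NO_PASSWD; drop this once the legacy default is retired */`. With this default, any sshd_config that leaves PermitRootLogin unset accepts password and keyboard-interactive authentication for root, so hardened deployments should set `PermitRootLogin prohibit-password` (or `no`) explicitly rather than rely on the built-in value. The sshd_config hunk keeps the sample line commented out, so the weaker setting stays implicit there as well. The function body starts and ends outside this hunk.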
@@ -709,17 +709,17 @@ DESCRIPTION
 none can be used to prohibit all forwarding requests. The wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or ports, respectively. By default all port forwarding requests are permitted. PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
 If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root. If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking
diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
--- openssh-7.7p1/sshd_config.5
+++ openssh-7.7p1/sshd_config.5
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
 .Xr ssh 1 .
 The argument must be
 .Cm yes ,
 .Cm prohibit-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
 The default is
-.Cm prohibit-password .
+.Cm yes .
 .Pp
 If this option is set to
 .Cm prohibit-password
 (or its deprecated alias,
 .Cm without-password ) ,
 password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to