Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2019-02-04 21:10:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Mon Feb 4 21:10:21 2019 rev:127 rq:669023 version:7.9p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2019-01-21 10:08:49.666771724 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.28833/openssh.changes 2019-02-04 21:10:26.255890031 +0100 @@ -1,0 +2,28 @@ +Mon Jan 28 10:34:53 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Remove old conditionals + +------------------------------------------------------------------- +Fri Jan 25 12:42:54 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Move ssh-ldap* man pages into openssh-helpers [bsc#1051531] + +------------------------------------------------------------------- +Thu Jan 24 15:51:19 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Allow root login by default [bsc#1118114, bsc#1121196] + * Added/updated previous patch openssh-7.7p1-allow_root_password_login.patch + * Mention the change in README.SUSE + +------------------------------------------------------------------- +Thu Jan 24 12:21:40 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Added SLE conditionals in the spec files: + * Keep gtk2-devel in openssh-askpass-gnome in SLE + * Keep krb5-mini-devel in SLE +- Removed obsolete configure options: + * SSH protocol 1 --with-ssh1 + * Smart card --with-opensc +- Cleaned spec file with spec-cleaner + +------------------------------------------------------------------- New: ---- openssh-7.7p1-allow_root_password_login.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.YamhBP/_old 2019-02-04 21:10:27.183889699 +0100 +++ /var/tmp/diff_new_pack.YamhBP/_new 2019-02-04 21:10:27.187889697 +0100 
@@ -26,7 +26,11 @@ URL: http://www.openssh.com/ Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc +%if 0%{?suse_version} >= 1550 BuildRequires: gtk3-devel +%else +BuildRequires: gtk2-devel +%endif Requires: %{_name} = %{version} %description @@ -40,11 +44,19 @@ %build cd contrib export CFLAGS="%{optflags}" +%if 0%{?suse_version} >= 1550 make %{?_smp_mflags} gnome-ssh-askpass3 +%else +make %{?_smp_mflags} gnome-ssh-askpass2 +%endif %install install -d -m 755 %{buildroot}%{_libexecdir}/ssh/ +%if 0%{?suse_version} >= 1550 install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass +%else +install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass +%endif %files %dir %{_libexecdir}/ssh ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.YamhBP/_old 2019-02-04 21:10:27.243889677 +0100 +++ /var/tmp/diff_new_pack.YamhBP/_new 2019-02-04 21:10:27.247889676 +0100 @@ -56,6 +56,7 @@ Source10: sshd.service Source11: README.FIPS Source12: cavs_driver-ssh.pl +Patch0: openssh-7.7p1-allow_root_password_login.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch @@ -111,9 +112,8 @@ BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: zlib-devel -BuildRequires: pkgconfig(krb5) BuildRequires: pkgconfig(libsystemd) -Requires(post): %{fillup_prereq} +Requires(post): %fillup_prereq Requires(pre): pwdutils Recommends: %{name}-helpers = %{version}-%{release} Recommends: audit @@ -125,6 +125,11 @@ %if %{with tirpc} BuildRequires: libtirpc-devel %endif +%if 0%{?suse_version} >= 1550 +BuildRequires: pkgconfig(krb5) +%else +BuildRequires: krb5-mini-devel +%endif %description SSH (Secure Shell) is a program for logging into and executing commands 
@@ -305,6 +310,8 @@ %attr(0444,root,root) %{_mandir}/man1/* %attr(0444,root,root) %{_mandir}/man5/* %attr(0444,root,root) %{_mandir}/man8/* +%exclude %{_mandir}/man5/ssh-ldap* +%exclude %{_mandir}/man8/ssh-ldap* %dir %{_sysconfdir}/slp.reg.d %config %{_sysconfdir}/slp.reg.d/ssh.reg %{_fillupdir}/sysconfig.ssh @@ -317,6 +324,8 @@ %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf %attr(0755,root,root) %dir %{_libexecdir}/ssh %attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap* +%attr(0444,root,root) %{_mandir}/man5/ssh-ldap* +%attr(0444,root,root) %{_mandir}/man8/ssh-ldap* %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema %files fips ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.YamhBP/_old 2019-02-04 21:10:27.323889649 +0100 +++ /var/tmp/diff_new_pack.YamhBP/_new 2019-02-04 21:10:27.323889649 +0100 
@@ -5,6 +5,12 @@ * PAM authentication is enabled and mostly even required, do not turn it off. +* root authentiation with password is enabled by default (PermitRootLogin yes). + NOTE: this has security implications and is only done in order to not change + behaviour of the server in an update. We strongly suggest setting this option + either "prohibit-password" or even better to "no" (which disables direct + remote root login entirely). + * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot ++++++ openssh-7.7p1-allow_root_password_login.patch ++++++ # HG changeset patch # Parent af43d436bc7fe818dd976c923ad99b89051eb299 Allow root login with password by default. While less secure than upstream default of forbidding access to the root account with a password, we are temporarily introducing this change to keep the default used in older OpenSSH versions shipped with SLE. Index: openssh-7.9p1/servconf.c =================================================================== --- openssh-7.9p1.orig/servconf.c +++ openssh-7.9p1/servconf.c @@ -292,7 +292,7 @@ fill_default_server_options(ServerOption if (options->login_grace_time == -1) options->login_grace_time = 120; if (options->permit_root_login == PERMIT_NOT_SET) - options->permit_root_login = PERMIT_NO_PASSWD; + options->permit_root_login = PERMIT_YES; if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) Index: openssh-7.9p1/sshd_config =================================================================== --- openssh-7.9p1.orig/sshd_config +++ openssh-7.9p1/sshd_config 
@@ -29,7 +29,7 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin prohibit-password +PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 Index: openssh-7.9p1/sshd_config.0 =================================================================== --- openssh-7.9p1.orig/sshd_config.0 +++ openssh-7.9p1/sshd_config.0 @@ -749,7 +749,7 @@ DESCRIPTION PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The - default is prohibit-password. + default is yes. If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive Index: openssh-7.9p1/sshd_config.5 =================================================================== --- openssh-7.9p1.orig/sshd_config.5 +++ openssh-7.9p1/sshd_config.5 @@ -1285,7 +1285,7 @@ The argument must be or .Cm no . The default is -.Cm prohibit-password . +.Cm yes . .Pp If this option is set to .Cm prohibit-password
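
Review bot: In openssh-askpass-gnome.spec the three added conditionals test "0%{?suse_version} >= 1550", which selects gtk2 for every release below 1550, while the changelog entry describes the intent as "Keep gtk2-devel in openssh-askpass-gnome in SLE". If only SLE should stay on gtk2, the condition should say so, or the changelog should state that all older code streams are affected. The same test is repeated in the BuildRequires, %build and %install sections; defining the askpass variant once in a %global near the top and reusing it in all three places would keep them from drifting apart.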
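
Review bot: The openssh.spec hunk at -56,6 adds "Patch0: openssh-7.7p1-allow_root_password_login.patch", but none of the spec hunks in this diff touch %prep, so it is not visible here that the patch is applied at all. Please confirm that %prep picks up Patch0 automatically, or add the corresponding application line. Because this patch changes an authentication default, a build that silently skips it would ship the upstream default while README.SUSE and the man pages claim "yes".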
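
Review bot: In the openssh.spec hunk at -111,9, "Requires(post): %{fillup_prereq}" becomes "Requires(post): %fillup_prereq", dropping the braces while the neighbouring lines keep the braced form ("%{name}-helpers = %{version}-%{release}"). If this came from spec-cleaner it is harmless, but it is unrelated to the krb5 change in the same hunk and worth a word in the changelog. The moved "pkgconfig(krb5)" requirement in the hunk at -125,6 has the same scoping question as the askpass spec: the changelog says "Keep krb5-mini-devel in SLE", the condition says "anything below suse_version 1550".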
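
Review bot: The new README.SUSE paragraph has a typo in its first line ("authentiation" should be "authentication") and a missing word in "We strongly suggest setting this option either "prohibit-password"", which should read "setting this option to either". Since this paragraph is the only place an administrator is told that the default deviates from upstream, it would also help to name the file to edit (sshd_config) and to say that the compiled-in default is "yes" as well, so deleting the line from the config file does not restore the upstream behaviour.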
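
Review bot: In the servconf.c hunk, the PERMIT_NOT_SET fallback in fill_default_server_options() changes from PERMIT_NO_PASSWD to PERMIT_YES, and the patch header calls this temporary ("we are temporarily introducing this change") without stating when or under what condition it will be reverted. Please add the bug references from the changelog entry (bsc#1118114, bsc#1121196) to the patch header and state the removal condition there. Note that this is the compiled-in default: any sshd_config without a PermitRootLogin line, including configs kept from earlier installs, will now accept root password logins.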
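
Review bot: The sshd_config hunk replaces the commented "#PermitRootLogin prohibit-password" with an active "PermitRootLogin yes", whereas the surrounding entries ("#LoginGraceTime 2m", "#StrictModes yes") stay commented to document the built-in default. Since servconf.c already makes "yes" the default, either keep the line commented as "#PermitRootLogin yes" to preserve that convention, or keep it active and add a comment line above it explaining that this differs from upstream and pointing to README.SUSE. As written, an administrator reading the file cannot tell this is a distribution-specific choice.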
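
Review bot: The sshd_config.0 and sshd_config.5 hunks change the documented default to "yes" with no indication that this is a downstream deviation from the upstream "prohibit-password". A short sentence after "The default is yes." saying that upstream defaults to prohibit-password, with the recommendation already given in README.SUSE ("prohibit-password" or "no"), would put the warning where administrators actually look up the option.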
