Hello community,
here is the log from the commit of package openssh for openSUSE:Factory checked in at 2019-02-04 21:10:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
and /work/SRC/openSUSE:Factory/.openssh.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Mon Feb 4 21:10:21 2019 rev:127 rq:669023 version:7.9p1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2019-01-21 10:08:49.666771724 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28833/openssh.changes 2019-02-04 21:10:26.255890031 +0100
@@ -1,0 +2,28 @@
+Mon Jan 28 10:34:53 UTC 2019 - Pedro Monreal Gonzalez
+
+- Remove old conditionals
+
+-------------------------------------------------------------------
+Fri Jan 25 12:42:54 UTC 2019 - Pedro Monreal Gonzalez
+
+- Move ssh-ldap* man pages into openssh-helpers [bsc#1051531]
+
+-------------------------------------------------------------------
+Thu Jan 24 15:51:19 UTC 2019 - Pedro Monreal Gonzalez
+
+- Allow root login by default [bsc#1118114, bsc#1121196]
+ * Added/updated previous patch openssh-7.7p1-allow_root_password_login.patch
+ * Mention the change in README.SUSE
+
+-------------------------------------------------------------------
+Thu Jan 24 12:21:40 UTC 2019 - Pedro Monreal Gonzalez
+
+- Added SLE conditionals in the spec files:
+ * Keep gtk2-devel in openssh-askpass-gnome in SLE
+ * Keep krb5-mini-devel in SLE
+- Removed obsolete configure options:
+ * SSH protocol 1 --with-ssh1
+ * Smart card --with-opensc
+- Cleaned spec file with spec-cleaner
+
+-------------------------------------------------------------------
New:
----
openssh-7.7p1-allow_root_password_login.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.YamhBP/_old 2019-02-04 21:10:27.183889699 +0100
+++ /var/tmp/diff_new_pack.YamhBP/_new 2019-02-04 21:10:27.187889697 +0100
@@ -26,7 +26,11 @@
URL: http://www.openssh.com/
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
+%if 0%{?suse_version} >= 1550
BuildRequires: gtk3-devel
+%else
+BuildRequires: gtk2-devel
+%endif
Requires: %{_name} = %{version}
%description
@@ -40,11 +44,19 @@
%build
cd contrib
export CFLAGS="%{optflags}"
+%if 0%{?suse_version} >= 1550
make %{?_smp_mflags} gnome-ssh-askpass3
+%else
+make %{?_smp_mflags} gnome-ssh-askpass2
+%endif
%install
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
+%if 0%{?suse_version} >= 1550
install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
+%else
+install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
+%endif
%files
%dir %{_libexecdir}/ssh
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.YamhBP/_old 2019-02-04 21:10:27.243889677 +0100
+++ /var/tmp/diff_new_pack.YamhBP/_new 2019-02-04 21:10:27.247889676 +0100
@@ -56,6 +56,7 @@
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
+Patch0: openssh-7.7p1-allow_root_password_login.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch
@@ -111,9 +112,8 @@
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
-BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libsystemd)
-Requires(post): %{fillup_prereq}
+Requires(post): %fillup_prereq
Requires(pre): pwdutils
Recommends: %{name}-helpers = %{version}-%{release}
Recommends: audit
@@ -125,6 +125,11 @@
%if %{with tirpc}
BuildRequires: libtirpc-devel
%endif
+%if 0%{?suse_version} >= 1550
+BuildRequires: pkgconfig(krb5)
+%else
+BuildRequires: krb5-mini-devel
+%endif
%description
SSH (Secure Shell) is a program for logging into and executing commands
@@ -305,6 +310,8 @@
%attr(0444,root,root) %{_mandir}/man1/*
%attr(0444,root,root) %{_mandir}/man5/*
%attr(0444,root,root) %{_mandir}/man8/*
+%exclude %{_mandir}/man5/ssh-ldap*
+%exclude %{_mandir}/man8/ssh-ldap*
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
%{_fillupdir}/sysconfig.ssh
@@ -317,6 +324,8 @@
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
+%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
+%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%files fips
++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.YamhBP/_old 2019-02-04 21:10:27.323889649 +0100
+++ /var/tmp/diff_new_pack.YamhBP/_new 2019-02-04 21:10:27.323889649 +0100
@@ -5,6 +5,12 @@
* PAM authentication is enabled and mostly even required, do not turn it off.
+* root authentiation with password is enabled by default (PermitRootLogin yes).
+ NOTE: this has security implications and is only done in order to not change
+ behaviour of the server in an update. We strongly suggest setting this option
+ either "prohibit-password" or even better to "no" (which disables direct
+ remote root login entirely).
+
* DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot
++++++ openssh-7.7p1-allow_root_password_login.patch ++++++
# HG changeset patch
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
Index: openssh-7.9p1/sshd_config
===================================================================
--- openssh-7.9p1.orig/sshd_config
+++ openssh-7.9p1/sshd_config
@@ -29,7 +29,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -749,7 +749,7 @@ DESCRIPTION
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -1285,7 +1285,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password