Clarification wrt openSSH packages wrt snapshot 20240515 and "Review of the weeks 2024/19 & 20"

Dear @dimstar, I would like to ask for clarification wrt certain openSSH package(s) on Tumbleweed which were introduced mistakenly in snapshot 20240515. Sorry if it is only me who doesn’t get it 100% clear.

From the factory mailing list announcing snapshot 20240515:

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

  • Only for SLE15, restore the patch file removed in
    Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
    from SP5 of having root password login allowed by default
    (fixes bsc#1223486, related to bsc#1173067):
  • openssh-7.7p1-allow_root_password_login.patch
  • Since the default value for this config option is now set to
    permit root to use password logins in SLE15, the
    openssh-server-config-rootlogin subpackage isn’t useful there so
    we now create an openssh-server-config-disallow-rootlogin
    subpackage that sets the configuration the other way around
    than openssh-server-config-rootlogin.

And from the factory mailing list “Review of the weeks 2024/19 & 20”:

Snapshot 0515 contained an openssh update, that mistakenly recommended
installation of the subpackage openssh-server-config-rootlogin; this
package has existed since the default configuration of openSSH was
changed to not permit root login anymore, so admins could easily switch
it back on. Due to an error, this had been triggered for automatic
installation. This has since been corrected and a version of
openssh-server was published to the update channel, which is NOT recommended.
Please check your installation and remove the package again, should it
be installed and you don’t need it (we can’t auto-remove it without
breaking users that explicitly wanted it)

Could you please state again 100% clear which package should be present and which one should be deleted?

Sorry for asking, and a big thank you in advance. I feel SSH is really sensitive nowadays to warrant such a clarification …

I’m using Leap 15.6 (I also have a Tumbleweed install).

Here’s what I did:

I removed package “openssh-server-config-rootlogin”.
I then locked that package so that it won’t be installed again.

I did this with Yast (I told Yast to “taboo” the package).

I did the same on one Tumbleweed system. I’ll eventually do it on others.

However, before doing this, I also tested. According to my tests, I could not login with password anyway. That’s probably because of other restrictions that I have been using in a small “.conf” file in “/etc/ssh/sshd_config.d”.

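The last reply attributes the failed password login to a local drop-in in /etc/ssh/sshd_config.d. As an added example (not part of the thread and not openSUSE tooling), this script shows why that can happen: sshd keeps the first value it reads for a keyword, so a drop-in that sorts earlier wins. The file names and the functions `first_permitrootlogin`, `demo` and `report_host` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which PermitRootLogin value does sshd end up with?
# sshd keeps the FIRST value it reads for a keyword, so file order matters.

# Print the first global PermitRootLogin found in the given files, or "unset".
# Simplification (assumption): a Match block is treated as ending with its file.
first_permitrootlogin() {
    [ "$#" -gt 0 ] || { echo unset; return; }
    awk '
        FNR == 1        { in_match = 0 }           # new file: global scope again
        /^[ \t]*#/      { next }                   # comment
        /^[ \t]*$/      { next }                   # blank line
                        { gsub(/=/, " "); key = tolower($1) }
        key == "match"  { in_match = 1; next }     # conditional section, skip
        key == "permitrootlogin" && !in_match { print tolower($2); found = 1; exit }
        END             { if (!found) print "unset" }
    ' "$@"
}

# Live check for a real host (hypothetical helper; only run with --host).
report_host() {
    pkg=openssh-server-config-rootlogin
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: installed"
    else
        echo "$pkg: not installed (or rpm unavailable)"
    fi
    # sshd -T prints the effective configuration; it normally needs root.
    sshd -T 2>/dev/null | grep -i '^permitrootlogin' || echo "sshd -T unavailable"
}

# Constructed drop-ins: a local hardening file that sorts before a file
# enabling root login. The glob expands in lexical order, as an Include would.
demo() {
    d=$(mktemp -d) || return 1
    printf 'PermitRootLogin no\n'  > "$d/10-local-hardening.conf"
    printf 'PermitRootLogin yes\n' > "$d/50-constructed-rootlogin.conf"
    first_permitrootlogin "$d"/*.conf
    rm -rf "$d"
}

case "${1:-}" in
    --host) report_host ;;
    *)      echo "constructed drop-ins -> PermitRootLogin $(demo)" ;;
esac
```

Run with `--host` on a real system to see whether the package is installed and what `sshd -T` reports. An `unset` result means the compiled-in default applies, which according to the changelog quoted above differs on SLE15.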
